1. Customization & development

Introduction to API clients

API clients in OrderCloud define access points to marketplace data. Each client configuration controls:

  • User authentication methods
  • Access permissions
  • Token validity periods

Client creation process

API clients are managed through the RESTful API. Each new marketplace includes:

  • Default API client
  • Full Access Seller user

This initial configuration enables creation of additional API clients and resources.

Client naming conventions

Descriptive API client names improve system maintainability by clearly indicating:

  • Intended usage
  • Access patterns
  • Integration purposes

Access control configuration

Global access properties

Control marketplace access using these properties:

  • AllowSeller: Enables all Seller User access
  • AllowAnySupplier: Permits all Supplier User access
  • AllowAnyBuyer: Enables all Buyer User access

Granular access control

Implement specific access rules through API client assignments:

  • Create Buyer/Supplier-specific assignments so only those organisations can authenticate against the client
  • Use assignments instead of the global flags whenever access should be limited to named organisations
  • Note: AllowAnyBuyer and AllowAnySupplier take precedence over assignments; while either flag is true, the corresponding assignments impose no restriction at all
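
The precedence rule above is easy to get backwards, so here is an added example (not OrderCloud's own code) that models who can obtain a token from an API client and flags assignments that a global flag has made meaningless. Property names follow the OrderCloud ApiClient and ApiClientAssignment models; the client ID, buyer and supplier IDs are constructed for the example.

```javascript
// Added example, not OrderCloud's own code: a model of who can obtain a token
// from an API client, applying the rule that AllowAnyBuyer / AllowAnySupplier
// take precedence over assignments. IDs below are constructed.

const storefrontClient = {
  ID: "STOREFRONT",          // constructed
  AllowSeller: false,
  AllowAnyBuyer: false,      // intended: only assigned buyers may authenticate
  AllowAnySupplier: false,
};

// Constructed assignments: one buyer organisation and one supplier.
const assignments = [
  { ApiClientID: "STOREFRONT", BuyerID: "RETAIL", SupplierID: null },
  { ApiClientID: "STOREFRONT", BuyerID: null, SupplierID: "ACME" },
];

// user: { type: "seller" | "buyer" | "supplier", orgID?: string }
function canAuthenticate(client, assignments, user) {
  const assigned = (field) =>
    assignments.some((a) => a.ApiClientID === client.ID && a[field] === user.orgID);
  switch (user.type) {
    case "seller":
      return client.AllowSeller === true;
    case "buyer":
      // The global flag wins: once it is true, assignments restrict nothing.
      return client.AllowAnyBuyer === true || assigned("BuyerID");
    case "supplier":
      return client.AllowAnySupplier === true || assigned("SupplierID");
    default:
      return false;
  }
}

// Audit check: assignments that look restrictive but are overridden by a global flag.
function mootAssignments(client, assignments) {
  return assignments.filter(
    (a) =>
      a.ApiClientID === client.ID &&
      ((a.BuyerID && client.AllowAnyBuyer) || (a.SupplierID && client.AllowAnySupplier)),
  );
}

// Walk-through with the constructed data.
const assignedBuyer = canAuthenticate(storefrontClient, assignments, { type: "buyer", orgID: "RETAIL" }); // true
const strangerBuyer = canAuthenticate(storefrontClient, assignments, { type: "buyer", orgID: "OTHER" });  // false
const opened = { ...storefrontClient, AllowAnyBuyer: true };       // someone flips the global flag
const strangerNow = canAuthenticate(opened, assignments, { type: "buyer", orgID: "OTHER" });              // true
const warnings = mootAssignments(opened, assignments);             // the RETAIL assignment no longer restricts anything
```

Run `mootAssignments` against every client during a periodic review: a buyer assignment sitting next to `AllowAnyBuyer: true` usually means someone widened access and forgot to remove the assignment that documented the old intent.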

Client secret implementation

Setting a client secret changes how the OAuth server treats the client:

  • Once a secret is set, every token request for that client must include it, whichever grant type is used
  • Enables the Client Credentials grant type
  • Recommended for server-side and automated system access, where the secret can actually be kept confidential

User context requirements

Using the Client Credentials grant requires additional configuration:

  • Every token must carry a user context, and this grant supplies no user credentials of its own
  • DefaultContextUserName names the user whose identity the token assumes
  • That user's roles determine the data the token can reach, so give it only the roles the integration needs

For OAuth workflow details, see authentication documentation.

Anonymous shopping configuration

Implementation considerations

Anonymous shopping differs from Client Credentials authentication:

  • Uses a temporary user context rather than a named system identity
  • Requires the IsAnonBuyer property on the API client
  • Restricts Me Perspective features to what an unauthenticated shopper needs
  • Links each token to a specific order

Security recommendations

For client-side applications (browser or mobile code):

  • Do not set a client secret on the client; anything shipped to the user's device is public
  • Grant the anonymous context user only the roles shopping requires
  • Follow the general security best practices for public OAuth clients

For detailed implementation guidance, see anonymous shopping documentation.
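
To make the client secret, user context and anonymous shopping sections concrete, here is an added example (not OrderCloud's own code) in two parts: a lint for ApiClient definitions that catches the mis-configurations those sections warn about, shown against a weak storefront definition and its corrected form, and a builder for the form-encoded body sent to the OAuth token endpoint for each flow. Field names follow the OrderCloud ApiClient model and the standard OAuth2 token request parameters; the client IDs, secrets and user names are constructed. One assumption beyond the text above: an IsAnonBuyer client is treated as needing DefaultContextUserName, because the anonymous token is created in that buyer user's context.

```javascript
// Added example, not OrderCloud's own code. Lints an ApiClient definition for
// the secret / user-context / anonymous mis-configurations discussed above and
// builds the x-www-form-urlencoded body for POST {api}/oauth/token.
// Assumption: IsAnonBuyer clients need DefaultContextUserName (anonymous tokens
// act as that buyer user). IDs, secrets and user names are constructed.

function lintApiClient(client, deployment /* "browser" | "server" */) {
  const findings = [];
  if (deployment === "browser" && client.ClientSecret) {
    findings.push("ClientSecret on a browser/mobile client: the secret is public the moment the app ships");
  }
  if (client.ClientSecret && !client.DefaultContextUserName) {
    findings.push("ClientSecret without DefaultContextUserName: client_credentials tokens would have no user context");
  }
  if (client.IsAnonBuyer && !client.DefaultContextUserName) {
    findings.push("IsAnonBuyer without DefaultContextUserName: no buyer user for anonymous tokens (assumption)");
  }
  if (client.IsAnonBuyer && client.ClientSecret) {
    findings.push("IsAnonBuyer with ClientSecret: anonymous shoppers cannot present a secret");
  }
  if (deployment === "server" && client.IsAnonBuyer) {
    findings.push("IsAnonBuyer on a server integration client: use a dedicated storefront client instead");
  }
  return findings;
}

// Weak storefront definition: secret baked into a single-page app, no context user.
const weakStorefront = {
  ID: "STOREFRONT_WEAK",                  // constructed
  AppName: "Storefront (weak)",
  ClientSecret: "s3cr3t-in-the-bundle",   // constructed; exactly what must not happen
  IsAnonBuyer: true,
  DefaultContextUserName: null,
  AllowAnyBuyer: true,
};

// Corrected storefront definition: no secret, anonymous context user set.
const hardenedStorefront = {
  ID: "STOREFRONT",                       // constructed
  AppName: "Storefront",
  ClientSecret: null,
  IsAnonBuyer: true,
  DefaultContextUserName: "anon-shopper", // constructed buyer user holding shopping roles only
  AllowAnyBuyer: true,
};

// Server-side integration: secret plus a context user whose roles bound the data scope.
const orderSyncIntegration = {
  ID: "ORDER_SYNC",                       // constructed
  AppName: "ERP order sync",
  ClientSecret: "rotate-me-regularly",    // constructed; lives in a secret manager, not in code
  IsAnonBuyer: false,
  DefaultContextUserName: "erp-sync",     // constructed seller user
  AllowSeller: true,
};

// Builds the form body for the token endpoint. `o.scope` is the list of roles requested.
function tokenRequestBody(flow, o) {
  const p = new URLSearchParams({ client_id: o.clientID, scope: o.scope.join(" ") });
  switch (flow) {
    case "password":            // interactive login; secret only if the client has one
      p.set("grant_type", "password");
      p.set("username", o.username);
      p.set("password", o.password);
      if (o.clientSecret) p.set("client_secret", o.clientSecret);
      break;
    case "client_credentials":  // server-to-server; token acts as DefaultContextUserName
      if (!o.clientSecret) throw new Error("client_credentials needs the client secret");
      p.set("grant_type", "client_credentials");
      p.set("client_secret", o.clientSecret);
      break;
    case "anonymous":           // IsAnonBuyer client: client_credentials with no secret
      if (o.clientSecret) throw new Error("anonymous flow must not carry a secret");
      p.set("grant_type", "client_credentials");
      break;
    case "refresh_token":
      p.set("grant_type", "refresh_token");
      p.set("refresh_token", o.refreshToken);
      if (o.clientSecret) p.set("client_secret", o.clientSecret);
      break;
    default:
      throw new Error(`unknown flow ${flow}`);
  }
  return p.toString();
}
```

The two `throw`s in `tokenRequestBody` encode the asymmetry the text describes: a server integration that forgets its secret gets no token, and a storefront that somehow has a secret in reach is refusing to send it, which is the moment to ask how the secret got into browser code at all.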

Token duration management

Access token configuration

Control authentication duration through:

  • AccessTokenDuration: lifetime of each access token, in minutes
  • RefreshTokenDuration: how long a refresh token can be exchanged for new access tokens, also in minutes

Token lifecycle

Token refresh process:

  1. Initial access token expires
  2. Refresh token enables new access token
  3. Process continues until refresh token expires

Security considerations

Choose token durations deliberately:

  • Short access token lifetimes for clients with broad roles: a leaked access token is usable only until it expires
  • A stolen refresh token extends exposure to the full RefreshTokenDuration, so keep that window short for privileged clients
  • Balance these limits against user experience; a storefront can tolerate a longer refresh window than an administrative tool

Multi-client architecture

Benefits of multiple clients

Separate API clients provide:

  • Improved system isolation
  • Enhanced monitoring capabilities
  • Granular security control
  • Simplified troubleshooting

Security advantages

Multiple client architecture enables:

  • Isolated system access, one client per integration or application
  • Independent client management, with token durations, secrets and access flags tuned per client
  • Targeted security responses: a compromised client can be deactivated or have its secret rotated on its own
  • Minimal disruption to other integrations during incidents