All OAuth 2.0 clients and access tokens have a scope. The scope constrains the endpoints and resources to which a client has access. Scope constraints include whether a client has read or write access to an endpoint. Scopes are immutable and defined for a single Project either inside the Merchant Center or with the API Clients endpoint.
In the API documentation, each resource specifies the required scope(s) to perform an action.
manage_products scope is required to create a review.manage_products scope to a token that is exposed to the frontend app would allow the application to create reviews. However, a malicious actor could also use this token to change the product price, create their own products, or make other changes supported by the manage_products scope.Scope query parameter
scope query parameter with one or more scopes defined.scope query parameter in your request, the token is granted the same scopes as the API Client. In some cases, this could mean excessive permissions are granted.$curl https://{auth_host}/oauth/{projectKey}/customers/token -X POST \
--basic --user "{clientId}:{clientSecret}" \
-d "grant_type=password&username={email}&password={password}&scope=view_published_products:{projectKey} manage_my_orders:{projectKey} manage_my_profile:{projectKey}"
scope parameter limits the token scope to view_published_products, manage_my_orders, and manage_my_profile. The full password flow example request is in the HTTP API authorization reference.For optimal security and control in commercetools, explicitly define required API scopes during the authentication process. Never rely solely on pre-configured scope limits within your API Client. Defining scopes during authentication ensures the token receives the correct permissions, regardless of API Client settings. Although scope validation after authentication is possible, proactively defining scopes during authentication enhances security. Your application should always verify the presence of necessary scopes and handle any discrepancies as errors. Proactive scope definition offers consistent protection. Even if you later replace an API Client with broader access, the token's scopes remain restricted to those initially defined.
scope query parameter, scope definitions can be tracked in your version control system. Your version control system might also allow you to configure alerts for changes to files that contain scope definitions. Version-controlled scope definitions give you real-time visibility when a potentially sensitive change occurs.scope query parameter that is not available on the API Client, the authentication server returns a 400 invalid_scope error. You can log the error and have your logging system send an alert. Capturing scope errors is more straightforward than manually checking the scopes returned from a successful token grant.User types and scenarios
scope query parameter. For the complete list of available scopes and their descriptions, see Scopes.If you use the client credentials flow for your frontend integration, consider how it maps to your session management solution. The client credentials flow also requires implementing user-specific access control to restrict access to resources like Carts, Orders, and Shopping Lists.
The following user types contain scope suggestions. Each Composable Commerce implementation is unique and may need slightly different scopes. When creating tokens on behalf of users, always grant the least amount of scopes necessary.
Stateless crawler or guest user
This user type could be a search engine bot or a non-authenticated user that is only browsing the website. In this case, you can create an anonymous token that has read-only scopes.
Suggested scopes for this scenario:
view_categoriesview_published_productsorview_productsview_standalone_prices(if your project is using Standalone Prices)create_anonymous_token
In this scenario, you should create a read-only token that can be shared between users (including stateless web crawlers), to limit the amount of active tokens. By creating a read-only token, you ensure that the user can't create resources. Additionally, sharing the token will not leak user-specific resources such as Carts, Shopping Lists, or Orders.
In scenarios where visitors create resources, you must use separate tokens for each user. To convert the user to a different user type, use a new flow to grant the appropriate token to the user.
Stateful crawler or guest user creating resources
This type of user has transitioned from browsing to actively performing user-specific actions, such as adding items to a Cart or creating an Order.
Keep in mind that even stateful crawlers will attempt some of these behaviors. For example, a stateful crawler may check the price of a product on a product detail page, then add the product to a Cart. This allows the bot to check for price discrepancies that may exist in line items, taxes, and shipping costs.
In this case, you can still use an anonymous token flow, but with a token that is unique to the user and with more scopes.
Suggested scopes for this scenario:
view_categoriesview_published_productsorview_productsview_shipping_methodsview_standalone_pricesmanage_my_ordersmanage_my_paymentsmanage_my_shopping_listscreate_anonymous_token
Logged-in users
This type of user has de-anonymized their session by logging in to an existing account, or by creating a new account.
create_anonymous_token.Suggested scopes for this scenario:
view_categoriesview_published_productsorview_productsview_shipping_methodsview_standalone_pricesmanage_my_business_unitsmanage_my_ordersmanage_my_paymentsmanage_my_profilemanage_my_quote_requestsmanage_my_quotesmanage_my_shopping_lists
We can now add all of these scopes together into a single de-duplicated list and create the API Client.