Authentication
Authentication is required for all requests made to the API. This is done using HTTP Basic Authentication.
Each user can have one or more API clients, each represented by an API Key and an API Secret.
In the context of HTTP Basic Authentication:
- The API Key represents the Username
- The API Secret represents the Password
Obtaining your API keys
Obtaining your API keys
API credentials are available through your ShopWired account by navigating to Account > API keys.
Security warning
- Keep your API credentials safe and secure
- Only provide them to trusted third parties
- If you suspect your credentials have been compromised, generate new API credentials immediately by selecting the
generate new API credentialsoption
OAuth apps
OAuth apps
The external ShopWired app platform allows apps to:
- Ask for API access
- Be embedded inside ShopWired
Main properties of an external app:
- Name – This will appear in various places throughout the ShopWired account
- Main URL – The URL ShopWired will use to communicate with the app
- Additional URLs – These can be used as OAuth redirect URIs
After the app is created, the following credentials will be provided:
- Client ID – Used for initiating the OAuth flow and accessing the app inside ShopWired
- Client Secret – Used in the OAuth flow; must be kept secret
- Signature Secret – Used for signing requests; must be kept secret
OAuth flow
OAuth flow
OAuth is used to request API access
https://admin.myshopwired.uk/oauth/authorize?client_id=A&redirect_uri=B&scope=C&state=D- client_id is provided by ShopWired
- redirect_uri is where the user is taken if they approve (must match the URL set when creating the app)
- scope is a comma-separated list of required API permissions
- state is a random string to prevent CSRF attacks
Generating an access token
Generating an access token
When the user authorises the request, they are redirected to redirect_uri with:
- code – Used to generate an access token
- state – Should match your original request
- signature – Should be verified for authenticity
Use the /oauth/access-token endpoint to generate tokens. The required POST parameters are:
- code
- client_id
- client_secret
- redirect_uri
To refresh tokens:
- refresh_token
- client_id
- client_secret
Sending API requests
Sending API requests
When sending API requests, include the access token in the Authorization header:
Authorization: Bearer ACCESS_TOKENAvailable API permissions
Available API permissions
When an app requests OAuth access to the ShopWired API, it must specify which permissions (or scopes) it needs. Each permission corresponds to a particular set of actions or data within the API. During the installation or update of the app, ShopWired will prompt the user to approve or deny these permissions.
Below is a list of available API permissions. Each scope can be included in the scope query parameter of the authorisation URL, separated by commas. If an app tries to access a resource or perform an action requiring a permission that was not granted, the request will be denied.
| Endpoint | Permission required |
|---|---|
| /app | N/A |
| /blog-categories | read_blog_posts, write_blog_posts |
| /blog-posts | read_blog_posts, write_blog_posts |
| /blog-tags | read_blog_posts, write_blog_posts |
| /brands | read_products, write_products |
| /business | read_business |
| /categories | read_products, write_products |
| /choice-set-values | read_products, write_products |
| /choice-sets | read_products, write_products |
| /collect-locations | read_collect_locations, write_collect_locations |
| /countries | read_shipping, write_shipping |
| /custom-fields | read_item_fields, write_item_fields |
| /customers | read_customers, write_customers |
| /digital-files | read_assets, write_assets |
| /events | read_events |
| /filter-groups | read_products, write_products |
| /gift-vouchers | read_marketing, write_marketing |
| /incomplete-orders | read_orders, write_orders |
| /newsletter-subscribers | read_newsletter_subscribers, write_newsletter_subscribers |
| /nexuses | read_nexuses, write_nexuses |
| /offers | read_offers, write_offers |
| /order-statuses | read_orders, write_orders |
| /orders | read_orders, write_orders |
| /pages | read_pages, write_pages |
| /payment-methods | read_orders |
| /products | read_products, write_products |
| /sales | read_sales, write_sales |
| /shipping-rates | read_shipping, write_shipping |
| /shipping-zones | read_shipping, write_shipping |
| /shopwired-payments/disputes | read_shopwired_payments_disputes, write_shopwired_payments_disputes |
| /shopwired-payments/payouts | read_shopwired_payments_payouts, write_shopwired_payments_payouts |
| /stock | read_stock, write_stock |
| /theme-assets | read_themes, write_themes |
| /themes | read_themes, write_themes |
| /trade-groups | read_b2b, write_b2b |
| /vouchers | read_marketing, write_marketing |
| /webhooks | read_webhooks, write_webhooks |
| /wishlists | read_wishlists, write_wishlists |
OAuth platform requests
OAuth platform requests
Each request contains:
- signature
- business_id
- timestamp (Unix time)
install is sent when the app is first installed, uninstall is sent after the app is removed.
OAuth signature verification
OAuth signature verification
To verify signatures:
- Remove signature from the query parameters
- Sort the remaining parameters by key
- Generate a query string (
key=value&key=value...) - Create a HMAC-SHA256 digest with the signature secret
- Compare the digest with signature
Reject invalid or stale requests (e.g., older than 30 seconds)
OAuth JavaScript library
OAuth JavaScript library
A JavaScript library is available at https://platform.ecommercedns.uk/embedded-app/js/app.js.
Provided methods
| Method | Description |
|---|---|
| initialize(options) | Initializes the library. Options include clientId, autoRedirect, debug, adminOrigin |
| ready(callback) | Calls the function once initialization is complete |
| redirect(path) | Redirects to the specified path |
| startLoading() | Displays the loading overlay |
| stopLoading() | Hides the loading overlay |
| setTitle(title) | Sets a custom title (visible in the management system header) |
| setIcon(iconUrl) | Sets a custom icon (visible in the management system header) |
| getAdminOrigin() | Retrieves the custom admin origin |
| setAdminOrigin(adminOrigin) | Sets the custom admin origin |
initialize should be called as soon as possible. All other methods should be used within the ready callback.
