This API plugin has two layers of authentication.


  • The first layer is the JWT access token, which is created based on the Secret Key configured on the plugin configuration page.
  • The second layer is the application API key, which is used to authorize every request against a store after it has been matched with the request URL. The application API key must be stored on the client side because it has to be sent in the header of each request.


A developer using the public API needs to follow the steps below, in order, to implement the API properly.


Step 1: Create an application


To create an application, go to the applications page and add a new application if you haven't already created one. Once you have created an application, you will see its application API key in the grid on the applications page.


Save this key, because you will need it for all further requests.


You need a JWT access token to make requests to all available public API methods except the following:

  • /api/PublicGeneral/Ping
  • /api/PublicGeneral/GetLocaleStringResources
  • /api/PublicGeneral/GetSettings
  • /api/PublicCustomer/GetGuestToken


Note: For the methods listed above you only need the application API key.


Step 2: Create a guest customer


To obtain a JWT access token, the first step is to make a request to the /api/PublicCustomer/GetGuestToken method with the application API key in the X-API-KEY header. On success, you will get an AccessToken in the response.


You need to save this access token to authorize a customer login later; you can also keep using the guest customer's access token for requests to the other public methods, unless the Administrator has disabled this in your nopCommerce ACL.


The response to this method also contains a RefreshToken and a RefreshTokenExpiration, which must be stored so that a new access token can be requested when the current one expires.


Sample request:


using System;
using RestSharp; // RestSharp v106-style API, as used by this snippet

var client = new RestClient("https://yourstore.com/api/PublicCustomer/GetGuestToken");
client.Timeout = -1;
var request = new RestRequest(Method.GET);
// Layer 1 only: this method needs just the application API key, no JWT.
request.AddHeader("X-API-KEY", "<API Key>");
IRestResponse response = client.Execute(request);
// The JSON body carries CustomerId, AccessToken, RefreshToken and RefreshTokenExpiration.
Console.WriteLine(response.Content);


Sample response:


{
 "CustomerId": -52828876,
 "AccessToken": "occaecat est qui",
 "RefreshToken": "Ut",
 "RefreshTokenExpiration": "1957-07-09T07:32:43.022Z"
}


Step 3: Login / Authentication


To log in / authenticate a nopCommerce customer, make a request to the /api/PublicCustomer/Login method with the application API key in the "X-API-KEY" header and the guest access token in the "Authorization" header as "Bearer <Access Token>". Along with the request headers, send the "Password" and the "UsernameOrEmail" as a JSON string in the request body.


On success, you will get the "CustomerId", a new "AccessToken", a new "RefreshToken" and a new "RefreshTokenExpiration" in the response, which you need to save on your end to authenticate further requests to the server.


Sample request:


using System;
using RestSharp;

var client = new RestClient("https://yourstore.com/api/PublicCustomer/Login");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
// Layer 1: the application API key; layer 2: the guest AccessToken returned by GetGuestToken.
request.AddHeader("X-API-KEY", "<API Key>");
request.AddHeader("Authorization", "Bearer <Access Token>");
var body = @"{" + "\n" +
@"    ""Password"": ""mollit proident in veniam minim""," + "\n" +
@"    ""UsernameOrEmail"": ""velit nulla cupidatat elit""" + "\n" +
@"}";
// The body is JSON, so send it with a JSON content type (the generated snippet used "text/plain").
request.AddParameter("application/json", body, ParameterType.RequestBody);
IRestResponse response = client.Execute(request);
// Response: CustomerId plus a new AccessToken / RefreshToken / RefreshTokenExpiration.
Console.WriteLine(response.Content);


Sample response:


{
 "IsImpersonationAllowed": true,
 "CustomerId": -65178875,
 "AccessToken": "laborum",
 "RefreshToken": "ut",
 "RefreshTokenExpiration": "2018-11-13T03:06:10.020Z"
}
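The three steps above form one procedure, so here is an added example (not the plugin's own code, and not from the nopCommerce project) that walks it end to end in Python: one client object that attaches the application API key to every request, attaches the Bearer token only to the methods that need it, and keeps the tokens returned by GetGuestToken and Login together with their RefreshTokenExpiration. The endpoint paths, header names and response field names come from this page; the `Transport` signature, the `TokenStore` class and the fake transport that plays the server are assumptions made for this example so it runs offline. To use it against a real store, replace `fake_transport_factory` with a function that performs the HTTP call (for instance with `requests`) and returns the parsed JSON.

```python
"""Added example: client-side handling of the two-layer authentication flow
(application API key + JWT access token) described on this page."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

# Methods the page lists as needing only the application API key (no JWT).
API_KEY_ONLY_METHODS = {
    "/api/PublicGeneral/Ping",
    "/api/PublicGeneral/GetLocaleStringResources",
    "/api/PublicGeneral/GetSettings",
    "/api/PublicCustomer/GetGuestToken",
}

# Assumed transport signature: (method, url, headers, body or None) -> parsed JSON dict.
Transport = Callable[[str, str, dict, Optional[str]], dict]


@dataclass
class TokenStore:
    """Tokens returned by GetGuestToken / Login, kept on the client as the page instructs."""
    customer_id: Optional[int] = None
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    refresh_token_expiration: Optional[datetime] = None

    def update(self, payload: dict) -> None:
        self.customer_id = payload["CustomerId"]
        self.access_token = payload["AccessToken"]
        self.refresh_token = payload["RefreshToken"]
        # The page shows an ISO-8601 UTC timestamp ending in "Z".
        self.refresh_token_expiration = datetime.fromisoformat(
            payload["RefreshTokenExpiration"].replace("Z", "+00:00"))

    def refresh_expired(self, now: Optional[datetime] = None) -> bool:
        """True when the stored refresh token can no longer be used to get a new access token."""
        now = now or datetime.now(timezone.utc)
        return self.refresh_token_expiration is not None and now >= self.refresh_token_expiration


class NopPublicApiClient:
    def __init__(self, base_url: str, api_key: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.transport = transport
        self.tokens = TokenStore()

    def headers_for(self, path: str) -> dict:
        """Layer 1 on every request (X-API-KEY); layer 2 (Bearer JWT) only where required."""
        headers = {"X-API-KEY": self.api_key}
        if path not in API_KEY_ONLY_METHODS:
            if not self.tokens.access_token:
                raise RuntimeError(f"{path} needs a JWT access token; call get_guest_token() first")
            headers["Authorization"] = f"Bearer {self.tokens.access_token}"
        return headers

    def _call(self, method: str, path: str, body: Optional[dict] = None) -> dict:
        headers = self.headers_for(path)
        payload = None
        if body is not None:
            headers["Content-Type"] = "application/json"
            payload = json.dumps(body)
        return self.transport(method, self.base_url + path, headers, payload)

    def ping(self) -> dict:
        """An API-key-only method: works before any token exists, no Authorization header."""
        return self._call("GET", "/api/PublicGeneral/Ping")

    def get_guest_token(self) -> dict:
        """Step 2: GET /api/PublicCustomer/GetGuestToken with only X-API-KEY; store the tokens."""
        resp = self._call("GET", "/api/PublicCustomer/GetGuestToken")
        self.tokens.update(resp)
        return resp

    def login(self, username_or_email: str, password: str) -> dict:
        """Step 3: POST /api/PublicCustomer/Login with the guest token as Bearer; the
        customer's tokens replace the guest ones."""
        resp = self._call("POST", "/api/PublicCustomer/Login",
                          {"UsernameOrEmail": username_or_email, "Password": password})
        self.tokens.update(resp)
        return resp


def fake_transport_factory(log: list) -> Transport:
    """Constructed stand-in for HTTP: records each request and answers with responses
    shaped like the sample responses on this page (all values are made up)."""
    def transport(method, url, headers, body):
        log.append((method, url, dict(headers), body))
        if url.endswith("/GetGuestToken"):
            return {"CustomerId": 1, "AccessToken": "guest-jwt", "RefreshToken": "guest-refresh",
                    "RefreshTokenExpiration": "2099-01-01T00:00:00.000Z"}
        if url.endswith("/Login"):
            return {"IsImpersonationAllowed": False, "CustomerId": 2, "AccessToken": "user-jwt",
                    "RefreshToken": "user-refresh", "RefreshTokenExpiration": "2099-01-01T00:00:00.000Z"}
        return {"Status": "ok"}
    return transport


def run_flow(api_key: str = "<API Key>") -> tuple:
    """Drives Steps 2 and 3 against the fake transport; returns (client, request log)."""
    log: list = []
    client = NopPublicApiClient("https://yourstore.com", api_key, fake_transport_factory(log))
    client.ping()
    client.get_guest_token()
    client.login("user@example.com", "example-password")  # constructed credentials
    return client, log


if __name__ == "__main__":
    c, reqs = run_flow()
    for method, url, headers, _ in reqs:
        print(method, url, sorted(headers))
    print("refresh token expired:", c.tokens.refresh_expired())
```

The request log makes the two layers visible: the Ping and GetGuestToken calls carry only X-API-KEY, Login carries X-API-KEY plus "Bearer guest-jwt", and after Login the stored access token is the customer's, not the guest's. `refresh_expired()` is the check to run before reusing a stored refresh token; this page does not document the refresh endpoint itself, so the example only reports the expiry rather than calling one.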