API referenceUser DocumentationDemoGitHub
Search…
Developer's Documentation
🚀Getting Started
Installation
Headless Commerce
💻API
Storefront API
Platform API
🎨Storefronts
Next.js Commerce
Vue Storefront
⚙️Internals
Stores
Products
Orders
Payments
Shipments
Promotions
Inventory
Taxation
Addresses
Adjustments
Calculators
Preferences
🛠Customization
Dependencies
Business Logic
Storefront API
Checkout
Authentication
Permissions
Images
Internationalization
Storefront
Emails
🌏Deployment
Vendo
AWS
Heroku
Performance
🔑Security
General guidelines
API
PCI Compliance
Authentication & authorization
⏩Upgrades
How to perform upgrades
Upgrade guides
🎁Extensions
Extensions
Creating an extension
Advanced
Adding Spree to an existing Rails application
Deface
❤️Contributing
General guidelines
Developing Spree
Upgrading extensions
✨Releases Notes
Releases
Changelog
🤝Support
Core Team support
Slack Community
Powered By GitBook
API
This section is only applicatable to API v1
The REST API behaves slightly differently than a standard user. First, an admin has to create the access key before any user can query the REST API. This includes generating the key for the admin him/herself. This is not the case if Spree::Api::Config[:requires_authentication] is set to false.
In cases where Spree::Api::Config[:requires_authentication] is set to false, read-only requests in the API will be possible for all users. For actions that modify data within Spree, a user will need to have an API key and then their user record would need to have permission to perform those actions.
It is up to you to communicate that key. As an added measure, this authentication has to occur on every request made through the REST API as no session or cookies are created or stored for the REST API.
🔑Security - Previous
General guidelines
Next - 🔑Security
PCI Compliance
Last modified 1yr ago
Copy link
Edit on GitHub