Provision an access token with Bolt OAuth so your store backend can send the account data to your frontend and render a one-click checkout experience.
Overview
To access Bolt Account APIs, such as Get Account Details, Add Address, Delete Address, and any others that require an OAuth authorization type, you need to use OAuth tokens.
You must exchange the authorization code received from the login modal to retrieve these OAuth tokens. Your store frontend sends the authorization code to your store backend, which exchanges it for the tokens using the OAuth Token endpoint (/oauth/token).
Token Scope
Bolt issues tokens with limited scopes. A fully scoped access token is issued only when the shopper logs in through the login modal and you complete a fresh exchange of the authorization code for OAuth tokens.
For more information, see the in-depth documentation on OAuth Scopes.
Exchange Authorization Code for Tokens
Your initial call to the OAuth Token endpoint (/oauth/token) uses the authorization code granted by the user in the login modal to fetch the OAuth tokens.
Payload
In the initial request, grant_type is authorization_code.
client_id=PUBLISHABLE_KEY_PLACEHOLDER&client_secret=API_KEY_PLACEHOLDER&code=AUTH_CODE_PLACEHOLDER&grant_type=authorization_code&scope=bolt.account.manage%2Bopenid
Response
{
"access_token": "$ACCESS_TOKEN",
"expires_in": 3600,
"id_token": "$ID_TOKEN",
"refresh_token": "$REFRESH_TOKEN",
"refresh_token_scope": "bolt.account.view",
"scope": "bolt.account.manage",
"token_type": "bearer"
}
TIP
Store the refresh_token for use in subsequent calls to fetch new access tokens. This lets you skip the authorization process on subsequent calls and immediately access the Bolt Account APIs.
Utilize a Refresh Token for Expired Access Tokens
In subsequent requests to the OAuth Token endpoint (/oauth/token), use the refresh token to fetch a new access token.
INFO
Refresh tokens are used to maintain read access after the original access token has expired. The refresh token can be exchanged for a limited scope access token.
Payload
When exchanging the refresh token for a new access token, the grant_type is refresh_token.
client_id=PUBLISHABLE_KEY_PLACEHOLDER&client_secret=API_KEY_PLACEHOLDER&grant_type=refresh_token&refresh_token=REFRESH_TOKEN_PLACEHOLDER&scope=bolt.account.view
Response
{
"access_token": "$NEW_ACCESS_TOKEN",
"expires_in": 3600,
"refresh_token": "$NEW_REFRESH_TOKEN",
"refresh_token_scope": "bolt.account.view",
"scope": "bolt.account.view",
"token_type": "bearer"
}
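The two exchanges above, the initial authorization_code grant and the later refresh_token grant, are shown together in the following backend-side example. This is added example code, not Bolt's own SDK: it builds the exact form bodies documented above, keeps client_secret and the refresh token on the server (the frontend only ever hands over the authorization code), refreshes the access token shortly before expires_in elapses, and persists the rotated refresh_token returned by the refresh response. The HTTP transport is an injected callable, and FakeBoltTokenEndpoint is a constructed stand-in that returns responses in the documented shape, so the flow runs offline; in production you would replace it with a real POST to /oauth/token.

```python
import time
from urllib.parse import parse_qs, urlencode

TOKEN_ENDPOINT = "/oauth/token"  # documented endpoint path


def build_code_exchange_payload(client_id, client_secret, code,
                                scope="bolt.account.manage+openid"):
    """Form body for the first call: grant_type=authorization_code."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
        "grant_type": "authorization_code",
        "scope": scope,
    })


def build_refresh_payload(client_id, client_secret, refresh_token,
                          scope="bolt.account.view"):
    """Form body for later calls: grant_type=refresh_token."""
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "scope": scope,
    })


class TokenManager:
    """Server-side holder of one shopper's tokens; never exposed to the frontend."""

    def __init__(self, client_id, client_secret, post, clock=time.time, skew=60):
        self.client_id = client_id
        self.client_secret = client_secret
        self.post = post        # callable(path, form_body) -> parsed JSON dict
        self.clock = clock      # injectable for testing expiry logic
        self.skew = skew        # refresh this many seconds before expiry
        self.access_token = None
        self.refresh_token = None
        self.scope = None
        self.expires_at = 0.0

    def _store(self, resp):
        self.access_token = resp["access_token"]
        self.scope = resp["scope"]
        self.expires_at = self.clock() + resp["expires_in"]
        # The refresh response carries a new refresh_token; if it is not
        # persisted, the next refresh attempt will use a stale token.
        if "refresh_token" in resp:
            self.refresh_token = resp["refresh_token"]

    def exchange_code(self, code):
        body = build_code_exchange_payload(self.client_id, self.client_secret, code)
        self._store(self.post(TOKEN_ENDPOINT, body))
        return self.access_token

    def refresh(self):
        if self.refresh_token is None:
            raise RuntimeError("no refresh token: exchange an authorization code first")
        body = build_refresh_payload(self.client_id, self.client_secret, self.refresh_token)
        self._store(self.post(TOKEN_ENDPOINT, body))
        return self.access_token

    def needs_refresh(self):
        return self.clock() >= self.expires_at - self.skew

    def get_access_token(self):
        """Return a usable bearer token, refreshing it if it is about to expire."""
        if self.access_token is None:
            raise RuntimeError("no session: exchange an authorization code first")
        if self.needs_refresh():
            self.refresh()
        return self.access_token


class FakeBoltTokenEndpoint:
    """Constructed stand-in for /oauth/token (assumption: not Bolt's behaviour,
    only the documented response shapes). Rotates refresh tokens on each use."""

    def __init__(self):
        self.calls = []
        self.valid_refresh = set()
        self.counter = 0

    def post(self, path, body):
        if path != TOKEN_ENDPOINT:
            raise ValueError("unexpected path")
        form = {k: v[0] for k, v in parse_qs(body).items()}
        self.calls.append(form)
        self.counter += 1
        new_rt = f"REFRESH_{self.counter}"
        if form.get("grant_type") == "authorization_code":
            self.valid_refresh.add(new_rt)
            return {"access_token": f"ACCESS_{self.counter}", "expires_in": 3600,
                    "id_token": "ID_TOKEN_PLACEHOLDER", "refresh_token": new_rt,
                    "refresh_token_scope": "bolt.account.view",
                    "scope": "bolt.account.manage", "token_type": "bearer"}
        if form.get("grant_type") == "refresh_token":
            if form.get("refresh_token") not in self.valid_refresh:
                raise PermissionError("unknown or already-rotated refresh token")
            self.valid_refresh.discard(form["refresh_token"])
            self.valid_refresh.add(new_rt)
            return {"access_token": f"ACCESS_{self.counter}", "expires_in": 3600,
                    "refresh_token": new_rt, "refresh_token_scope": "bolt.account.view",
                    "scope": "bolt.account.view", "token_type": "bearer"}
        raise ValueError("unsupported grant_type")
```

Note that after a refresh the manager's scope drops from bolt.account.manage to bolt.account.view, matching the documented responses: code that needs a write-capable token after expiry must send the shopper back through the login modal rather than relying on refresh.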
Next Step
After you fetch the OAuth tokens, you will implement the [Signed In Button]({{ ref "signed-in-button.md" }}) front-end component to display a shopper's login status and, if they're signed in, a Logout button.