App Authentication

For any requests to your application, you need to ensure the request is coming from an authenticated user in Commerce7.

All requests to your application from iFrames or context menus in Commerce7 will pass a JWT token in the URL as a variable named account.

You can take that account token and send it back to us by making a GET request to /account/user. In the headers, pass the tenant (just like a normal call) and pass the account token in an 'authorization' header.

This will respond with who that account is, including their accountId, firstName, lastName, and email.

If this user doesn't have an account, or doesn't have access to that tenant, it will respond with a 401. Your application should then respond with a 401 and a friendly message with a link to your application's support docs.

Example Request

This is a request from Commerce7 to your application:


Retreive Account Detail

GET: /account/user
--header 'Authorization: ayJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyBzdWIiOiJkMWU5YjY3Ni0yNzA2LTRlMzYtYmNmNS01N2E5MjQ4ZWRjZGYiLCJmaXJzdE5hbWUiOiJKYXNvbiIsImxhc3QOYW1lIjoiQW5kcmVzIiwiaWF0IjoxNTg4NzkxMzk4MDQ2LCJlbWFpbMI6Imphc29uQGNvbW1lcmNlNy4jb20ifQ.dpEYVql3bWp4uIrwfsFIeNx6Wlrtmr3Y3Hn32HCoD1c' \
--header 'tenant: some-tenant'

RESPONSE: responds with the account details object for authorized access, or a 401 response for unauthorized access

Sample Response Authorized Access

{
  "id": "12211212-2706-4e36-bcf5-57a9248edcdf",
  "firstName": "Jason",
  "lastName": "Andres",
  "email": "[email protected]"
}

Sample Response Unauthorized Access

{
  "statusCode": 401,
  "type": "unauthorized",
  "message": "Unauthorized user",
  "errors": []
}
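The flow described above, as an added example that is not Commerce7's own code: read the account token from the URL, send it back to GET /account/user with the tenant and authorization headers, and turn the result into the 200 or 401 your app serves. The API host, the support-docs link and the tenant source are assumptions (the page does not give them), and the fetch client is injected so the demo runs offline against a constructed stub that answers with the page's sample bodies.

```javascript
// Added example, not Commerce7's code. ASSUMPTIONS (not on the page): API host and
// support URL are placeholders; `fetchImpl` is injected so the demo runs offline.
const API_BASE = "https://API_HOST_PLACEHOLDER";        // placeholder host
const SUPPORT_URL = "https://example.com/support-docs"; // placeholder support link

// Do not trust claims decoded from the token locally: the only authority on whether
// this token is valid for this tenant is Commerce7's own /account/user endpoint.
async function verifyAccount(accountToken, tenant, fetchImpl = fetch) {
  if (!accountToken || !tenant) return { ok: false, status: 401 };
  const res = await fetchImpl(`${API_BASE}/account/user`, {
    method: "GET",
    headers: { tenant, authorization: accountToken },
  });
  if (res.status !== 200) return { ok: false, status: res.status };
  const account = await res.json(); // { id, firstName, lastName, email }
  return { ok: true, account };
}

// Handle an inbound iFrame / context-menu request: take `account` from the query
// string, verify it, and build the response your app returns. A failed check is a
// 401 with a friendly message and a link to the support docs, as the page requires.
async function handleAppRequest(requestUrl, tenant, fetchImpl = fetch) {
  const token = new URL(requestUrl).searchParams.get("account");
  const result = await verifyAccount(token, tenant, fetchImpl);
  if (!result.ok) {
    return {
      status: 401,
      body: { message: `You do not have access to this tenant. See ${SUPPORT_URL}` },
    };
  }
  return { status: 200, body: { greeting: `Hello ${result.account.firstName}` } };
}

// Constructed stub standing in for Commerce7: one valid token for one tenant,
// answering with the sample bodies from this page (email is a constructed value).
function stubFetch(validToken, validTenant) {
  return async (url, { headers }) => {
    const authorized = url.endsWith("/account/user")
      && headers.authorization === validToken && headers.tenant === validTenant;
    const body = authorized
      ? { id: "12211212-2706-4e36-bcf5-57a9248edcdf", firstName: "Jason",
          lastName: "Andres", email: "jason@example.com" }
      : { statusCode: 401, type: "unauthorized", message: "Unauthorized user", errors: [] };
    return { status: authorized ? 200 : 401, json: async () => body };
  };
}

// Stand-alone demo: a valid token, then the same token presented for another tenant.
const demoFetch = stubFetch("tok-valid", "some-tenant");
handleAppRequest("https://app.example/panel?account=tok-valid", "some-tenant", demoFetch)
  .then((r) => console.log(r.status, r.body));
handleAppRequest("https://app.example/panel?account=tok-valid", "other-tenant", demoFetch)
  .then((r) => console.log(r.status, r.body));
```

Note that a missing token, a wrong tenant and a token Commerce7 rejects all take the same 401 path, so the app never has to interpret the JWT itself.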