Authentication


The Pilon API includes advanced authentication for customers, merchant users and API clients. All requests require authentication.

Our APIs support 4 different types of authentication:

Who                 | Context                     | Authorization Header
--------------------|-----------------------------|---------------------------------------------------
Customer            | Client-side JavaScript      | Authorization: Bearer ACCESS_TOKEN_HERE
Anonymous Customer  | Client-side JavaScript      | Authorization: CUSTOMER-SESSION-ID SESSION_ID_HERE
Merchant User       | Server-side or Client-side  | Authorization: Bearer ACCESS_TOKEN_HERE
API Client          | Server-side                 | Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

As a Customer

Many of our API endpoints support CORS and allow client-side access with a customer access token.

  1. First, you must use the Pilon JavaScript SDK to authenticate with the customer's email and password. This starts a session and lets you retrieve an access token.

    import { Auth } from '@pilon-io/js-sdk';
    
    // Log the customer in; the resolved object carries the access token that
    // is sent as "Authorization: Bearer ..." on subsequent API calls.
    Auth.login(pilonEnvironmentId, email, password)
        .then((customerDetails) => {
            const accessToken = customerDetails.access_token;
            // store accessToken for the API calls in step 2
        })
        .catch(error => {
            console.log(error);
        });
  2. You may now make API calls to Pilon on behalf of the customer:

    curl -X GET https://api.pilon.io/products \
        -H "Accept: application/json" \
        -H "Authorization: Bearer ACCESS_TOKEN_GOES_HERE"

As an Anonymous Customer

  1. Start a new anonymous customer session:

    curl -X POST https://api.pilon.io/customer-sessions \
        -H "Accept: application/json" \
        -H "Content-Type: application/json" \
        -d '{"environment": "/environments/39fd8906-56ed-11e9-8647-d663bd873d93"}'

    Response:

    {
        "id": "7a9631d0-52f5-11e9-8647-d663bd873d93",
        "environment": "/environments/e0dbf22c-52f5-11e9-8647-d663bd873d93",
        "created": "2010-01-30T14:13:43.802Z"
    }
  2. Then use the customer session id for authentication on API calls:

    curl -X GET https://api.pilon.io/products \
        -H "Accept: application/json" \
        -H "Authorization: CUSTOMER-SESSION-ID 7a9631d0-52f5-11e9-8647-d663bd873d93"

As an API Client

Include your client_id and client_secret credentials in the request using Basic authentication.

Authorization: Basic YWxhZGRpbjpvcGVuc2VzYW1l

API Client auth should only be used by secure server-side applications. You should never publicly disclose your client_secret.

Via curl

Replace YOUR_CLIENT_ID and YOUR_CLIENT_SECRET with your credentials:

curl -X GET https://api.pilon.io/products \
    -H "Accept: application/json" \
    --user YOUR_CLIENT_ID:YOUR_CLIENT_SECRET
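An added example (not part of the Pilon docs or SDK) that builds the Authorization header for each scheme in the table above and refuses to build the API Client Basic header outside server-side code; the `isBrowser` heuristic, the function names and the `serverSide` option are assumptions, and the sample credentials are constructed (the base64 value is the one shown on this page).

```javascript
// Added example, not from the Pilon SDK or docs: build the Authorization
// header for each scheme in the table above. The header names and formats
// come from the page; everything else is assumed.

// Bearer and session-id schemes are meant to be built in client-side code.
const CLIENT_SIDE_SCHEMES = {
  customer: (accessToken) => `Bearer ${accessToken}`,
  anonymousCustomer: (sessionId) => `CUSTOMER-SESSION-ID ${sessionId}`,
  merchantUser: (accessToken) => `Bearer ${accessToken}`,
};

function buildAuthHeader(scheme, credential) {
  const build = CLIENT_SIDE_SCHEMES[scheme];
  if (!build) throw new Error(`unknown scheme: ${scheme}`);
  if (!credential) throw new Error(`missing credential for ${scheme}`);
  return build(credential);
}

// Heuristic (assumption): a DOM means we are running in a browser.
function isBrowser() {
  return typeof window !== 'undefined' && typeof window.document !== 'undefined';
}

// API Client auth: "Basic" + base64(client_id:client_secret). Refuse to build
// it outside a server-side context, because base64 is not encryption and the
// secret would be readable by anyone who can see the request.
function apiClientHeader(clientId, clientSecret, { serverSide = !isBrowser() } = {}) {
  if (!serverSide) {
    throw new Error('API client credentials must only be used server-side');
  }
  if (clientId.includes(':')) throw new Error('client_id must not contain ":"');
  const raw = Buffer.from(`${clientId}:${clientSecret}`, 'utf8');
  return `Basic ${raw.toString('base64')}`;
}

// Decode a Basic header back to its parts, to show how little it hides.
function decodeBasicHeader(header) {
  const m = /^Basic\s+([A-Za-z0-9+/]+=*)$/.exec(header);
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep < 0) return null;
  return { clientId: decoded.slice(0, sep), clientSecret: decoded.slice(sep + 1) };
}
```

Decoding the header from the table above yields `aladdin:opensesame`, which is why the page insists the API Client scheme stays server-side and the secret is never published.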

As a Merchant User

You may authenticate as a merchant user and access our APIs from front-end and server-side code.

  1. First, you must use the Pilon JavaScript SDK to authenticate with the user's email and password. This starts a session and lets you retrieve an access token.

    import { UserAuth } from '@pilon-io/js-sdk';
    
    // Log the merchant user in; the resolved object carries the access token
    // that is sent as "Authorization: Bearer ..." on subsequent API calls.
    UserAuth.login(email, password)
        .then((userDetails) => {
            const accessToken = userDetails.access_token;
            // store accessToken for the API calls in step 2
        })
        .catch(error => {
            console.log(error);
        });
  2. You may now make API calls to Pilon on behalf of the merchant user:

    curl -X GET https://api.pilon.io/products \
        -H "Accept: application/json" \
        -H "Authorization: Bearer ACCESS_TOKEN_GOES_HERE"