Retail API, OAuth 2, and Grant Types

llamatech Member Posts: 3

After spending a considerable amount of time researching this via LS Community, it appears that Lightspeed has not fully implemented OAuth2 for their Retail API, but instead has only implemented certain flows.

Without blathering on, the Client Credentials OAuth2 grant type was included to support unattended (or m2m) authentication. It's essentially the replacement for Basic Auth (which by the way is still supported by most organizations for API access, including Microsoft and Lightspeed eCom). I've read a number of discussion threads here where integration developers are told they have to use the authorization_code OAuth2 flow, even when user interaction isn't relevant or possible. To be clear, unattended integrations should not be using user-centric flows ... the authorization_code grant type is intended for use in interactive connections (user via web browser or app).

Forcing unattended integrations to kludge the authorization_code flow seems strange (to me).

Wow, I ended up blathering on ... sorry!

The Lightspeed Retail API documentation here:

includes a link to here:

The third grant type in the list is Client Credentials. In case it matters, that grant type is also present in the OAuth2.1 draft, so it's not going anywhere.

My question(s) are: Does the Lightspeed Retail API allow OAuth2 grant type Client Credentials? If so, can the documentation be updated to reflect that? If not, why not?
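To make the distinction in the post concrete, here is an added example (not Lightspeed's code and not taken from the post) showing the token-endpoint request an unattended client sends under the Client Credentials grant next to the Authorization Code request, with a toy server applying the RFC 6749 rules; the client ids, secrets, codes and redirect URI are constructed placeholders.

```python
"""Added example, not Lightspeed's code: the token-endpoint exchange for the
Client Credentials grant (RFC 6749 section 4.4) next to the Authorization Code
grant (section 4.1.3). Client id/secret, codes and redirect URI are constructed
placeholders; the toy server shows the RFC's rules, not Lightspeed's behaviour."""
import base64
import secrets
from urllib.parse import parse_qs, urlencode

def basic_auth_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: a confidential client may authenticate with HTTP Basic.
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def client_credentials_request(client_id, client_secret, scope=None):
    """Unattended (m2m) client: no user, no browser, no redirect URI."""
    body = {"grant_type": "client_credentials"}
    if scope:
        body["scope"] = scope
    return {"headers": {"Authorization": basic_auth_header(client_id, client_secret)},
            "body": urlencode(body)}

def authorization_code_request(client_id, client_secret, code, redirect_uri):
    """Interactive client: only possible after a user signed in via a browser and
    the server redirected back with `code`."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    return {"headers": {"Authorization": basic_auth_header(client_id, client_secret)},
            "body": urlencode(body)}

def mock_token_endpoint(request, clients, issued_codes):
    """Toy authorization server. clients: {client_id: secret};
    issued_codes: {code: (client_id, redirect_uri)} from a prior browser round trip."""
    auth = request["headers"].get("Authorization", "")
    if not auth.startswith("Basic "):
        return {"error": "invalid_client"}
    client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    if not secrets.compare_digest(clients.get(client_id, ""), secret):
        return {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(request["body"]).items()}
    grant = form.get("grant_type")
    if grant == "client_credentials":
        # Section 4.4.3: a refresh token SHOULD NOT be issued for this grant.
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600}
    if grant == "authorization_code":
        owner = issued_codes.pop(form.get("code"), None)  # codes are single use
        if owner != (client_id, form.get("redirect_uri")):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": 3600, "refresh_token": secrets.token_urlsafe(24)}
    return {"error": "unsupported_grant_type"}
```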
