Developers: OAuth Apps
Audience: Developer (ISV / third-party app builder)
Use OAuth Apps when one external app must connect to many merchants through a consent/install flow.
Managed In Dashboard
Settings -> Developers -> OAuth Apps
App Credentials
- client_id format: eshopos_ca_...
- client_secret format: eshopos_test_cs_... or eshopos_live_cs_...
- client_secret is shown one time on create/rotate.
Merchant Management Endpoints
- GET /api/v1/merchant/developer/apps
- POST /api/v1/merchant/developer/apps
- GET /api/v1/merchant/developer/apps/{appID}
- PATCH /api/v1/merchant/developer/apps/{appID}
- POST /api/v1/merchant/developer/apps/{appID}/rotate-secret
- DELETE /api/v1/merchant/developer/apps/{appID}
OAuth Protocol Endpoints
- GET /api/public/v1/oauth/authorize
- POST /api/public/v1/oauth/authorize/consent
- POST /api/public/v1/oauth/token
- POST /api/public/v1/oauth/revoke
Supported grants:
- authorization_code
- refresh_token
Scope Rules
Allowed app scopes:
- public:read
- public:write
- public:*
End-to-End Flow
- Merchant creates app, sets redirect URIs and allowed scopes.
- App sends merchant to /oauth/authorize?....
- Merchant approves consent.
- App exchanges code at /oauth/token.
- App calls /api/public/v1/* with Authorization: Bearer eshopos_oat_....
Token Exchange Example
# Replace the *_replace_me values and the code_verifier with real ones before running.
BASE_URL="http://localhost:8080"
curl -sS -X POST "$BASE_URL/api/public/v1/oauth/token" \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "client_id": "eshopos_ca_replace_me",
    "client_secret": "eshopos_test_cs_replace_me",
    "code": "eshopos_oac_replace_me",
    "redirect_uri": "https://app.example.com/callback",
    "code_verifier": "pkce_verifier"
  }'