The Arcadier API uses OAuth 2.0 to authenticate requests. Every API call must carry a valid Bearer token in the Authorization header. Tokens are obtained by exchanging your Client ID and Client Secret for an access token. Access tokens are time-limited: each one remains valid for a fixed period, and once it expires you must obtain a new token before making further calls.
Obtaining an Access Token
To generate the admin token, see the Authentication section in the API reference.
Note: Store the admin token in an API client or Postman environment variable so it is easy to replace when the token expires.
Role-Scoped Tokens
The access scope of a token depends on the role it was issued for:
Admin: Full access to all marketplace configuration and operational data. Uses the primary Client ID / Secret credentials.
Merchant (Seller): Scoped to the seller's own listings, orders, and account data.
Buyer (Consumer): Scoped to browsing, purchasing, and personal account management.
Important: Authenticate using the role context that matches the action being performed. Merchant tokens cannot call admin-only endpoints. Buyer tokens cannot access merchant resources.
Token Security Guidelines
Never expose your Client Secret in frontend or client-side code.
Store credentials in environment variables or a secrets manager.
Do not log access tokens or include them in error reporting.
Always use separate credentials for Stage and Production.
Rotate credentials immediately if compromise is suspected.
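The following Python client is an added example, not Arcadier's own code. It ties the points above together: it reads the Client ID and Client Secret from environment variables rather than source code, exchanges them for an access token using the standard OAuth 2.0 client-credentials grant, caches the token and refreshes it shortly before the advertised expiry, and scrubs bearer tokens from anything that reaches a log. The token endpoint URL (a placeholder), the form field names and the JSON response fields are assumptions taken from RFC 6749; the real endpoint is in the Authentication section of the API reference.

```python
"""Client-credentials token handling for an OAuth 2.0 API such as Arcadier's.

Added example, not Arcadier's own code. The token endpoint and the form/response
field names are assumptions from the standard client-credentials grant
(RFC 6749, section 4.4); the real endpoint is in the API reference.
"""
import json
import logging
import os
import re
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

# Placeholder only: the real token endpoint is documented in the API reference.
DEFAULT_TOKEN_URL = "https://example.invalid/token"

# Matches "Bearer <token>" so tokens can be scrubbed from anything that gets logged.
BEARER_RE = re.compile(r"(Bearer\s+)[A-Za-z0-9._~+/=-]+")


def load_credentials(env: Optional[Mapping[str, str]] = None,
                     prefix: str = "ARCADIER_") -> Tuple[str, str]:
    """Read the Client ID and Client Secret from environment variables.

    Failing loudly on a missing variable is deliberate: a silent fallback to a
    hard-coded value is how secrets end up committed to source control.
    """
    env = os.environ if env is None else env
    try:
        return env[prefix + "CLIENT_ID"], env[prefix + "CLIENT_SECRET"]
    except KeyError as exc:
        raise RuntimeError(f"missing credential in environment: {exc.args[0]}") from None


def redact_bearer(text: str) -> str:
    """Replace any bearer token in text with a fixed marker."""
    return BEARER_RE.sub(r"\1[REDACTED]", text)


class RedactingFilter(logging.Filter):
    """logging.Filter that scrubs bearer tokens from every record it sees."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_bearer(record.getMessage())
        record.args = ()
        return True


def _post_form(url: str, form: Mapping[str, str]) -> dict:
    """Default transport: POST a URL-encoded form and parse the JSON reply."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


@dataclass
class _CachedToken:
    access_token: str
    expires_at: float  # epoch seconds


class TokenClient:
    """Obtains an access token with the client-credentials grant and caches it.

    The token is refreshed `skew` seconds before its advertised expiry so a
    request never goes out with a token that expires in flight.
    """

    def __init__(self, client_id: str, client_secret: str,
                 token_url: str = DEFAULT_TOKEN_URL,
                 transport: Callable[[str, Mapping[str, str]], dict] = _post_form,
                 clock: Callable[[], float] = time.time,
                 skew: float = 60.0) -> None:
        self._client_id = client_id
        self._client_secret = client_secret
        self._token_url = token_url
        self._transport = transport
        self._clock = clock
        self._skew = skew
        self._cached: Optional[_CachedToken] = None
        self.refresh_count = 0  # how many times a token was fetched

    def get_token(self) -> str:
        now = self._clock()
        if self._cached is None or now >= self._cached.expires_at - self._skew:
            reply = self._transport(self._token_url, {
                "grant_type": "client_credentials",
                "client_id": self._client_id,
                "client_secret": self._client_secret,
            })
            if reply.get("token_type", "Bearer").lower() != "bearer":
                raise RuntimeError("unexpected token_type in response")
            self._cached = _CachedToken(reply["access_token"],
                                        now + float(reply["expires_in"]))
            self.refresh_count += 1
        return self._cached.access_token

    def auth_header(self) -> dict:
        """Header to attach to every API call."""
        return {"Authorization": f"Bearer {self.get_token()}"}


if __name__ == "__main__":
    # Needs ARCADIER_CLIENT_ID / ARCADIER_CLIENT_SECRET and a real ARCADIER_TOKEN_URL.
    logging.basicConfig(level=logging.INFO)
    log = logging.getLogger("arcadier")
    log.addFilter(RedactingFilter())
    cid, secret = load_credentials()
    client = TokenClient(cid, secret, token_url=os.environ.get("ARCADIER_TOKEN_URL", DEFAULT_TOKEN_URL))
    log.info("request headers: %s", client.auth_header())  # token appears as [REDACTED]
```

The `transport` and `clock` parameters exist so the refresh logic can be exercised offline; in production leave them at their defaults. Use one `TokenClient` per role context (admin, merchant, buyer) with that role's credentials rather than reusing the admin client everywhere.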