Authentication API Overview

Important

From July 1st 2021, refresh tokens are deprecated and are no longer issued as part of the default behavior for authentication. According to the OAuth 2.0 specification (RFC 6749, section 4.4.3), a refresh token SHOULD NOT be included in the response to a Client Credentials grant request. We urge all developers to adjust their clients for this behavior. Currently, we allow for this possibility by passing the access_token_only scope when making the auth request. More details can be found here.

From July 1st 2021, the access_token_only scope will no longer be required to issue only access tokens, as this will become the default behavior for every authentication request.

The Authentication API is used to generate access tokens for use with the zDirect API.

The zDirect API uses OAuth 2.0, with the Client Credentials grant, to authenticate and authorize client access.

Authentication API Scopes

No scopes are required to use the Authentication API.

Many zDirect APIs require clients to have specific permissions or scopes for read or write access. You may assign scopes to your apps in the "Applications" section of the zDirect Portal.

For more information on configuring app scopes, see the Applications section of our zDirect Portal guide.

Access Token Rate Limiting

Each app may only make a limited number of access token requests per minute:

Environment   req/min
production    8
sandbox       1

Clients that violate our access token request policies may be rate limited, or even banned. For more information, see Rate Limiting.

Sandbox Behavior

Calls to the Authentication API in the sandbox environment are rate limited to one request per minute. Otherwise, they are handled in the same way as calls made in the production environment.

Note that tokens requested in the production environment cannot be used to make sandbox calls, and vice versa.

For more information, see Sandbox Testing in our Getting Started Guide.
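The following is an added example, not zDirect's own client code, that shows how a client can satisfy both the refresh-token change and the rate limit above: it requests tokens with the OAuth 2.0 client_credentials grant, expects no refresh_token in the response and simply re-requests a token when the cached one expires, and it counts its own token requests per environment so that it never exceeds the 8/min (production) or 1/min (sandbox) budget and risks a ban. The endpoint URLs, the use of HTTP Basic client authentication, and the fake endpoint and clock used to run it offline are assumptions; the response fields (access_token, token_type, expires_in) are the standard ones from RFC 6749 section 5.1.

```python
"""Client-credentials token client with caching and a local rate guard.

Added example, not zDirect's own client library. Assumptions are marked:
  * TOKEN_URLS are placeholders; this page does not give the real endpoints.
  * Client authentication is HTTP Basic (RFC 6749 section 2.3.1); the real
    API may expect client_id/client_secret in the form body instead.
  * The token response follows RFC 6749 section 5.1.
"""
import threading
import time
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional, Tuple

# Per-environment budget quoted on this page: token requests per minute.
RATE_LIMITS = {"production": 8, "sandbox": 1}

# Assumed placeholder endpoints. Tokens are environment specific, so the
# client keeps one cache per environment and never mixes them.
TOKEN_URLS = {
    "production": "https://api.example.invalid/oauth2/token",
    "sandbox": "https://api-sandbox.example.invalid/oauth2/token",
}

Transport = Callable[[str, Dict[str, str], Tuple[str, str]], Dict[str, object]]


@dataclass
class Token:
    access_token: str
    expires_at: float  # epoch seconds, safety margin already subtracted


class TokenRequestRefused(Exception):
    """Raised locally when one more request would exceed the per-minute budget."""


class TokenClient:
    """Caches one access token and re-requests it with client_credentials
    when it expires. No refresh_token is expected or stored."""

    def __init__(self, env: str, client_id: str, client_secret: str,
                 transport: Transport, clock: Callable[[], float] = time.time,
                 legacy_scope: bool = False, margin: int = 60) -> None:
        if env not in RATE_LIMITS:
            raise ValueError(f"unknown environment {env!r}")
        self.env = env
        self.auth = (client_id, client_secret)  # assumed: HTTP Basic credentials
        self.transport = transport
        self.clock = clock
        self.legacy_scope = legacy_scope  # send scope=access_token_only (pre-July-2021 behavior)
        self.margin = margin              # renew this many seconds before expiry
        self._token: Optional[Token] = None
        self._recent: Deque[float] = deque()  # request timestamps in the last 60 s
        self._lock = threading.Lock()

    def build_form(self) -> Dict[str, str]:
        form = {"grant_type": "client_credentials"}
        if self.legacy_scope:
            form["scope"] = "access_token_only"
        return form

    def _guard_rate_limit(self, now: float) -> None:
        # Sliding one-minute window; refuse locally instead of getting banned.
        while self._recent and now - self._recent[0] >= 60:
            self._recent.popleft()
        if len(self._recent) >= RATE_LIMITS[self.env]:
            wait = 60 - (now - self._recent[0])
            raise TokenRequestRefused(
                f"{self.env}: {RATE_LIMITS[self.env]}/min budget spent, retry in {wait:.0f}s")

    def get_token(self) -> str:
        with self._lock:
            now = self.clock()
            if self._token is not None and now < self._token.expires_at:
                return self._token.access_token
            self._guard_rate_limit(now)
            resp = self.transport(TOKEN_URLS[self.env], self.build_form(), self.auth)
            self._recent.append(now)
            if str(resp.get("token_type", "Bearer")).lower() != "bearer":
                raise ValueError(f"unexpected token_type {resp.get('token_type')!r}")
            ttl = int(resp["expires_in"])
            # Renew early so a token never expires mid-request; for very
            # short-lived tokens keep half the lifetime rather than nothing.
            usable = ttl - self.margin if ttl > 2 * self.margin else max(1, ttl // 2)
            # Any refresh_token an older server might still send is ignored.
            self._token = Token(str(resp["access_token"]), now + usable)
            return self._token.access_token


class FakeTokenEndpoint:
    """Constructed stand-in for the real endpoint so the example runs offline."""

    def __init__(self, expires_in: int = 3600) -> None:
        self.expires_in = expires_in
        self.calls = 0
        self.last_form: Dict[str, str] = {}

    def __call__(self, url: str, form: Dict[str, str], auth: Tuple[str, str]) -> Dict[str, object]:
        self.calls += 1
        self.last_form = dict(form)
        return {"access_token": f"tok-{self.calls}", "token_type": "Bearer",
                "expires_in": self.expires_in}


class FakeClock:
    """Constructed clock so expiry and the rate window can be driven by hand."""

    def __init__(self, t: float) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock, endpoint = FakeClock(1_000.0), FakeTokenEndpoint()
    client = TokenClient("production", "app-id", "app-secret", endpoint, clock=clock)
    print(client.get_token(), client.get_token())   # same token, one request
    clock.advance(3600)
    print(client.get_token(), "requests so far:", endpoint.calls)
```

In real use, replace FakeTokenEndpoint with a function that POSTs the form to the documented endpoint and returns the parsed JSON body; the cache means a long-running service makes one token request per token lifetime per environment, which is far below the budgets above, and the guard only matters for misbehaving code paths such as a retry loop on an authentication failure.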

Additional Resources

Contact Support