When integrating with the Emporix Commerce Engine, authentication and authorization are among the first topics developers need to understand in order to ensure secure access to the platform for internal users, customers, APIs, and integrations between systems. During implementation, you may face several design questions—for example, choosing between native customer authentication and/or integrating an external identity provider (such as Keycloak or Auth0), deciding how to manage token lifecycles, or determining how backend services securely obtain and store service tokens. Planning these aspects early helps avoid common integration challenges.
Emporix provides built-in solutions as well as support for external tools that handle authentication and authorization of users and services.
For accessing platform APIs, Emporix uses token-based authentication, where applications obtain access tokens and include them in API requests. Service tokens can be restricted to specific scopes to ensure the appropriate level of security. This enables system-to-system integrations and smooth backend operations.
Emporix provides different authentication approaches for different user types. Customers follow storefront authentication flows that support anonymous sessions, customer login, and token refresh. Emporix also supports Single Sign-On (SSO), enabling organizations to integrate corporate identity providers and allow customers to log in with their existing credentials. Companies can implement either the SSO authorization code flow or the SSO token exchange flow, depending on their existing authentication mechanisms, scale, and requirements. The token exchange setup allows authentication to happen outside of Emporix, while the platform still issues relevant access tokens for customers.
For internal employee users, authentication and authorization are supported through user group management. User groups share specific access controls and roles, which are applied to APIs through token scopes.
Designing these aspects can be complex. The Emporix documentation provides detailed guides and API references for different authentication scenarios, including token generation, customer login flows, SSO configuration, and identity provider integrations. Developers are encouraged to explore the documentation for step-by-step instructions and implementation details:
We hope this helps you plan and build secure and scalable solutions that work seamlessly for both customer-facing and internal use cases.