Daalder uses the password and client credentials grant types for API authentication, and the Bearer Token authorization for API requests. Under the hood, we employ the Laravel Passport library, as it provides well-designed and fully tested OAuth2 authentication flow to keep your Daalder application secure.

Postman collection

You can find Authentication request examples in the Authentication section of the Postman collection.

Grant types

The grant types used in Daalder are described below. If you need to know more about grant types, their concepts and common usages, you can read the Laravel Passport documentation.


The password grant type is used whenever a real user should authenticate. If you want to let your customer (or store admin) log in, you should use the password grant type.

Client credentials

The client credentials grant type is used for machine-to-machine authentication, without the necessity to use passwords. You should use the client credentials grant type when connecting a service (e.g. your frontend or a third-party service) to your Daalder application.


Authentication header

When requesting API non-public endpoints (e.g. order listings for shop owners, etc.), your client should pass an Authorization header (regardless of the grant type used) as following:

Authorization: Bearer <accessToken>

Requesting tokens

To request a token, make a POST request on the /oauth/token endpoint with the following parameters:

Parameter Grant type Value
grant_type client_credential, password client_credentials for the client credentials grant type
password for the password grant type
client_id client_credential, password Your client unique identifier (e.g. 3)
client_secret client_credential, password Your client secret token
scope client_credential, password API authorization scope
username password API user name
password password API user password

Sample request

Your API request might look like the following:

$response = $client->request('POST', 'https://{your-hash}', [
    'json' => [
        'grant_type' => 'client_credetials',
        'client_id' => 3,
        'client_secret' => '...',
        'scope' => '*'
]);'https://{your-hash}', [
    grant_type: 'client_credentials',
    client_id: 3,
    client_secret: '...',
    scope: '*'
]).then(response => {

Server response

The server will return a JSON-response containing the access token, refresh token, and expires attribute:

    "access_token": "ey...",
    "refresh_token": "ey...",
    "expires": 240

Authenticated clients

API calls

Endpoint: /auth-clients

Endpoint Method Payload
/auth-clients GET
/auth-clients/:client GET
/auth-clients POST client payload
/auth-clients/:client PUT
/auth-clients/:client DELETE

Authenticated client payload
    user_id*: int


© 2022 Daalder. All rights reserved.