Daalder uses the password and client credentials grant types for API authentication, and Bearer token authorization on API requests. Under the hood, we use the Laravel Passport library, as it provides a well-designed and fully tested OAuth2 authentication flow to keep your Daalder application secure.

Postman collection

You can find Authentication request examples in the Authentication section of the Postman collection.

Grant types

The grant types used in Daalder are described below. If you need to know more about the grant types, their concepts and common usages, you can read the Laravel Passport documentation.

Password

The password grant type is used whenever a real user should authenticate. If you want to let your customer (or store admin) log in, you should use the password grant type.

Client credentials

The client credentials grant is used for machine-to-machine authentication, without the necessity to use passwords. You should use the client credentials grant type when connecting a service (e.g. your frontend), or a third-party service to your Daalder application.


Authentication header

When requesting API endpoints that should be kept away from unauthorized access (e.g. order listings for shop owners, etc.), your client should pass an Authorization header as follows:

Authorization: Bearer <accessToken>

regardless of the grant type used.

Requesting tokens

To request a token, make a POST request on the /oauth/token endpoint with the following parameters:


The following part is exactly what the Swagger auto-generated documentation provides, and I strongly suggest using it for performance reasons ;)

| Parameter | Grant type | Value |
| --- | --- | --- |
| grant_type | client_credentials, password | client_credentials for the client credentials grant type; password for the password grant type |
| client_id | client_credentials, password | Your client unique identifier (e.g. 3) |
| client_secret | client_credentials, password | Your client secret token |
| scope | client_credentials, password | API authorization scope |
| username | password | API user name |
| password | password | API user password |

Sample request

Your API request might look like the following:

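// PHP: send the token request as a JSON body
$response = $client->request('POST', 'https://{your-hash}', [
    'json' => [
        'grant_type' => 'client_credentials',
        'client_id' => 3,
        'client_secret' => '...',
        'scope' => '*',
    ],
]);

// JavaScript: the same request, resolving to the parsed JSON response
fetch('https://{your-hash}', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: 3,
        client_secret: '...',
        scope: '*'
    })
}).then(response => response.json());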

Server response

The server will return a JSON response containing the access token (the access_token, refresh_token and expires attributes):

{
    "access_token": "ey...",
    "refresh_token": "ey...",
    "expires": 240
}
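
The following added example (not Daalder's own code) shows a machine-to-machine client that requests a client credentials token, reuses it until shortly before it expires, and builds the Authorization header described above. It assumes the `expires` attribute is in seconds; `createTokenProvider`, `transport`, `now` and `skewSeconds` are hypothetical names introduced for illustration.

```javascript
// Added example, not Daalder code. Assumptions: `expires` is in seconds, and
// `transport(url, json)` is a caller-supplied async function that POSTs the JSON
// body and resolves to the parsed response (wrap fetch, axios, etc.).
function createTokenProvider({ tokenUrl, clientId, clientSecret, scope, transport,
                               now = () => Date.now(), skewSeconds = 30 }) {
  if (!clientSecret) throw new Error('client secret is not configured');
  let cached = null;   // { token, expiresAt } kept in memory only
  let inflight = null; // concurrent callers share one token request

  async function fetchToken() {
    const body = await transport(tokenUrl, {
      grant_type: 'client_credentials',
      client_id: clientId,
      client_secret: clientSecret,
      scope, // request only the scope this service needs
    });
    // Validate the shape; do not log the body, it carries bearer credentials.
    if (!body || typeof body.access_token !== 'string' || !(body.expires > 0)) {
      throw new Error('unexpected token response');
    }
    // Renew slightly early so a token never expires while a request is in flight.
    const lifetimeMs = (body.expires - skewSeconds) * 1000;
    cached = { token: body.access_token, expiresAt: now() + lifetimeMs };
    return cached.token;
  }

  async function getToken() {
    if (cached && now() < cached.expiresAt) return cached.token;
    if (!inflight) inflight = fetchToken().finally(() => { inflight = null; });
    return inflight;
  }

  // Header for protected endpoints, identical for either grant type.
  async function authHeaders() {
    return { Authorization: `Bearer ${await getToken()}` };
  }

  return { getToken, authHeaders };
}
```

Pass the client secret in from the service's secret store or environment rather than committing it to source, and confirm the unit of `expires` against your Daalder instance before relying on the cache lifetime.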