Authentication
Authentication is a crucial step when using Fynd APIs in a headless setup because it ensures that only authorized users and applications can access sensitive data and perform actions on your account.
When using Fynd APIs in a headless setup, authentication differs for application and company APIs:
Steps to Collect Credentials
You can obtain your Application ID, Application Token, and Client credentials from the Fynd Commerce panel. Follow the steps below:
- Log in to your Fynd Commerce account.
- Select the company whose credentials you need.
- Go to Company → Developers:
  - In the Application Token tab, find the Application ID and Application Token for each application (sales channel) in the selected company.
  - In Clients, view existing clients or click Create Client to create one and assign the required permissions/scopes.
1. Application APIs
Use a static Base64-encoded token built from {application_id}:{application_token}.
Steps
- Generate the Base64-encoded string:
  base64TokenString=$(echo -n {application_id}:{application_token} | base64)
  Example:
  base64TokenString=$(echo -n 6717546128e3d94e7396b7fc:CMZYmnONn | base64)
  The Base64-encoded token generated from your Application ID and Application Token does not expire and has no time-to-live (TTL).
  - You do not need to refresh or regenerate this token.
  - No polling or renewal mechanism is required.
- Print the encoded token string and save it for later use:
  echo "$base64TokenString"
The base64TokenString token will be used in the Authorization header (Bearer) when calling Application APIs.
Example
In this example, we list all available product categories for a company. The token below is the Base64-encoded application_id:application_token generated as shown in the previous steps.
curl -X GET "https://api.fynd.com/service/application/catalog/v1.0/categories/" \
-H 'Authorization: Bearer Nab1ABI2NGE5NDEyNjA1MjliZjgwABC6WXBvdHM3ABCd'
Response:
{
  "departments": [
    {
      "slug": "fashion",
      "uid": 21
    }
    ...
  ],
  "data": [
    {
      "department": "fashion",
      "items": [
        {
          "name": "Footwear",
          "banners": {
            "portrait": {
              "type": "image",
              "url": "https://cdn.fynd.com/v2/falling-surf-7c8bb8/fyprod/wrkr/category/pictures/portrait-banner/original/BLbXJ_rDX6-12038_8d906382a50f47f1a3dcb7f929e472cd.jpeg"
            },
            "landscape": {
              "type": "image",
              "url": "https://cdn.fynd.com/v2/falling-surf-7c8bb8/fyprod/wrkr/category/pictures/landscape-banner/original/qFB5eMRop3-12037_06137df1cc274dbca49e8a724037c551.jpeg"
            }
          },
          "slug": "footwear",
          "_custom_json": {},
          "action": {
            "page": {
              "type": "products",
              "query": {
                "category": [
                  "footwear"
                ],
                "department": [
                  "fashion"
                ]
              }
            },
            "type": "page"
          },
          "priority": 3,
          "uid": 14
        }
      ]
    }
    ...
  ]
}
2. Platform APIs
To call a Platform API, you need a valid access token created using your client credentials.
An access token obtained through the client credentials flow is limited to accessing data from the single company associated with the credentials used to generate it.
Steps
- Generate a Base64-encoded string from {client_id}:{client_secret}:
  base64TokenString=$(echo -n {client_id}:{client_secret} | base64)
  Example:
  base64TokenString=$(echo -n 6894b6cb7332800685f57f4d:K3BxzpdrXGNpVaE | base64)
- Print the encoded token string and save it for later use:
  echo "$base64TokenString"
- Add the encoded token string and run the following cURL to get the authorization token:
  curl -X POST "https://api.fynd.com/service/panel/authentication/v1.0/company/{company_id}/oauth/token" \
    -H "Authorization: Basic {base64TokenString}" \
    -H 'Content-Type: application/json' \
    -d '{"grant_type":"client_credentials"}'
  Example:
  curl -X POST "https://api.fynd.com/service/panel/authentication/v1.0/company/1234/oauth/token" \
    -H "Authorization: Basic Abc5NGI2Y2I3MzMyODAwNjg1ZjU3ZjRkOkszQnh6cGRyWEdOcFZhRQ==" \
    -H 'Content-Type: application/json' \
    -d '{"grant_type":"client_credentials"}'
  Response:
  {
    "access_token": "oa-12c45cef45307fd03d4655bf29fd151c123ba123",
    "token_type": "Bearer",
    "expires_in": 3599,
    "expires_at": 1758548418.967,
    "scope": [
      "company/*",
      "company/application/*"
    ]
  }
  expires_in: Access token TTL is ~1 hour; the response specifies the exact lifetime in seconds.
Note: The access token will be used in the Authorization header (Bearer) to call Platform APIs.
Example
In this example, we retrieve a list of categories associated with a specific company:
curl -X GET "https://api.fynd.com/service/platform/configuration/v1.0/company/1234/application" \
-H "Authorization: Bearer oa-12c45cef45307fd03d4655bf29fd151c123ba123"
Response:
{
  "page": {
    "current": 1,
    "type": "number",
    "size": 20,
    "has_previous": false,
    "has_next": true,
    "item_total": 4378
  },
  "items": [
    {
      "departments": [
        43
      ],
      "priority": 101,
      "created_on": "2025-09-22T11:23:07.971000",
      "created_by": {
        "user_id": "1234f8de372aa2cad086ff12",
        "username": "abc@fynd.com"
      },
      "level": 3,
      "slug": "spf-sunscreens",
      "synonyms": [],
      "modified_on": "2025-09-22T11:25:32.464000",
      "uid": 4671,
      "marketplaces": {},
      "is_active": true,
      "media": {
        "landscape": "https://cdn.fynd.com/v2/falling-surf-7c8bb8/fyprod/wrkr/category/pictures/landscape-banner/original/zlC2ofXiz-landscape.png",
        "logo": "https://cdn.fynd.com/v2/falling-surf-7c8bb8/fyprod/wrkr/category/pictures/square-logo/original/2awBXA7ul-logo.png",
        "portrait": "https://cdn.fynd.com/v2/falling-surf-7c8bb8/fyprod/wrkr/category/pictures/portrait-banner/original/WLxCL42sX-banner.png"
      },
      "modified_by": {
        "user_id": "1234f8de372aa2cad086ff12",
        "username": "abc@fynd.com"
      },
      "hierarchy": [
        {
          "l1": 665,
          "l2": 4499,
          "department": 43
        }
      ],
      "name": "SPF Sunscreens",
      "tryouts": [],
      "_id": "68d112312346187019049757",
      "id": "68d1234b1234567890049757"
    },
    ...
  ]
}
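The Platform API token steps above, as an added Python example (not code from this page or from Fynd): it sends the same client-credentials request as the cURL call and caches the access token, renewing it 60 seconds before expires_in runs out. The names basic_credential, fetch_token and PlatformToken and the 60-second margin are assumptions made for this example; basic_credential also yields the Application API token when given application_id and application_token.

```python
import base64
import json
import time
import urllib.request

# URL pattern taken from the cURL call on this page.
TOKEN_URL = ("https://api.fynd.com/service/panel/authentication/v1.0"
             "/company/{company_id}/oauth/token")

def basic_credential(identifier, secret):
    """Base64 of 'identifier:secret' with no trailing newline or wrapping."""
    return base64.b64encode(f"{identifier}:{secret}".encode()).decode()

def fetch_token(company_id, client_id, client_secret):
    """Send the client-credentials request shown in the steps above."""
    req = urllib.request.Request(
        TOKEN_URL.format(company_id=company_id),
        data=json.dumps({"grant_type": "client_credentials"}).encode(),
        headers={
            "Authorization": "Basic " + basic_credential(client_id, client_secret),
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class PlatformToken:
    """Hypothetical helper: caches the token and renews it before expiry."""

    def __init__(self, fetch, skew=60, clock=time.time):
        self._fetch, self._skew, self._clock = fetch, skew, clock
        self._token, self._renew_at = None, 0.0

    def header(self):
        now = self._clock()
        if self._token is None or now >= self._renew_at:
            body = self._fetch()
            if body.get("token_type") != "Bearer" or not body.get("access_token"):
                raise ValueError("unexpected token response")
            self._token = body["access_token"]
            # Lifetime is counted from the local clock read before the
            # request, so client/server clock drift does not matter.
            self._renew_at = now + float(body["expires_in"]) - self._skew
        return {"Authorization": "Bearer " + self._token}
```

Wire it up as PlatformToken(lambda: fetch_token(company_id, client_id, client_secret)), reading the credentials from the environment or a secret store rather than from source code. Base64 is an encoding, so the Basic value and the static Application API token are as sensitive as the secrets they contain.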