Developer Guide

Use the Developer Guide to find the onboarding process steps, information about authentication methods, and a comprehensive list of the available ABC API endpoints.


Authorization Methods

Grant Type Decision Guide

Depending on the requirements of your application, you will use different OAuth 2.0 grants to authorize access to the Connect Partner endpoints. Below is a decision guide:

Note: Different scopes are valid for the Authorization Code and Client Credentials grant types. Use the chart above together with the scopes your application needs to determine which grant to use.


Authorization Code

The authorization code flow is required when your application takes actions on behalf of an ABC Supply customer.

This flow has the following steps:

  1. Your application requests an authorization code from the authorization server.
  2. The auth server presents an authentication prompt to the user’s browser.
  3. The user signs in with their ABC Supply credentials and provides consent.
  4. The browser receives an authorization code from the authorization server (Okta) after the user is authenticated. The authorization code is passed to your app.
  5. Your app sends this code and the client secret to the authorization server.
  6. The authorization server returns an access token, and optionally a refresh token.
  7. Your app can now use these tokens to call the connect partner API on behalf of the user.
  8. The Connect Partner API validates the token before responding to the request.

Example Authorization Request for Production

https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/authorize?client_id={client_id}
&response_type=code
&redirect_uri={app_redirect_uri}
&state={random_string}
&scope=pricing.read order.read order.write product.read account.read location.read offline_access

Example Token Request for Production

curl -Ss -X POST https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/token \
-H 'Authorization: Basic {authorization_value}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code
&redirect_uri={app_redirect_uri}
&code={code_returned_from_authorization_request}'

Example Refresh Token Request for Production

curl -Ss -X POST https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/token \
-H 'Authorization: Basic {authorization_value}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token
&refresh_token={refresh_token_issued}'

Available Scopes

Scope Name        Description
location.read     Allows access to the location API
product.read      Allows access to the products API
account.read      Allows access to the accounts API
pricing.read      Allows access to the pricing API
order.read        Allows access to the Order API (GET endpoint)
order.write       Allows access to the Order API (POST endpoint)
offline_access    Allows a refresh token to be sent back by the token endpoint


Authorization Code with PKCE

At a high level, the flow has the following steps:

  1. Your application generates a code verifier followed by a code challenge. See Create the proof key for code exchange.
  2. Your app requests an authorization code from the authorization server (Okta). The request contains the generated code challenge.
  3. The auth server presents an authentication prompt to the user’s browser.
  4. The user signs in with their ABC Supply credentials and provides consent.
  5. Okta redirects back to your application with an authorization code.
  6. Your application sends this code, along with the code verifier, to Okta. See Exchange the code for tokens.
  7. The authorization server evaluates the PKCE code.
  8. The authorization server returns an access token, and optionally a refresh token.
  9. Your app can now use these tokens to call the connect partner API on behalf of the user.
  10. The Connect Partner API validates the token before responding to the request.

Example Authorization Request for Production

https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/authorize?client_id={client_id}
&response_type=code
&redirect_uri={app_redirect_uri}
&state={random_string}
&scope=pricing.read order.read order.write product.read account.read location.read offline_access
&code_challenge={base_64_encoded_sha_256_of_code_verifier}
&code_challenge_method=S256
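The PKCE values used in the authorization request above, as an added example that is not ABC Supply's code: it generates the code verifier, derives the S256 code challenge, builds the authorize URL with the endpoint and scopes from this guide, and checks the state parameter on the callback. The client_id and redirect_uri values are placeholders.

```python
# Added example (not ABC Supply's code). Endpoint, scopes and parameter names
# are taken from this guide; client_id and redirect_uri are placeholders.
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/authorize"
SCOPES = "pricing.read order.read order.write product.read account.read location.read offline_access"


def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 requires for code_challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Random verifier; 32 bytes encode to 43 characters, within the 43..128 range."""
    return b64url(secrets.token_bytes(32))


def code_challenge_from_verifier(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str) -> str:
    """Step 2 of the flow: the authorization request carrying the code challenge."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": SCOPES,
        "code_challenge": code_challenge_from_verifier(verifier),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def token_exchange_form(redirect_uri: str, code: str, verifier: str) -> dict:
    """Step 6: the form body sent to the token endpoint, verifier included."""
    return {"grant_type": "authorization_code", "redirect_uri": redirect_uri,
            "code": code, "code_verifier": verifier}


def callback_is_trusted(expected_state: str, returned_state: str) -> bool:
    """Only accept the redirect if the state we generated round-tripped unchanged."""
    return secrets.compare_digest(expected_state, returned_state)
```

Keep the verifier and state server-side (session) between the authorize redirect and the callback; they are never sent in the authorization request itself.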

Example Token Request for Production

curl -Ss -X POST https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/token \
-H 'Authorization: Basic {authorization_value}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=authorization_code
&redirect_uri={app_redirect_uri}
&code=p2vgMVEapP8NPyH6g5zd5m7Z03DeijNkadQFwJd5FGg
&code_verifier={random_string_generated_by_client}'

Example Refresh Token Request for Production

curl -Ss -X POST https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/token \
-H 'Authorization: Basic {authorization_value}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=refresh_token
&refresh_token={refresh_token_issued}'

Available Scopes

Scope Name        Description
location.read     Allows access to the location API
product.read      Allows access to the products API
account.read      Allows access to the accounts API
pricing.read      Allows access to the pricing API
order.read        Allows access to the Order API (GET endpoint)
order.write       Allows access to the Order API (POST endpoint)
offline_access    Allows a refresh token to be sent back by the token endpoint


Client Credentials

The Client Credentials flow is used when a client application requests an access token on its own behalf, rather than on behalf of a user.

At a high level, the flow has the following steps:

  1. Your client application makes an authorization request to the authorization server using its client credentials.
  2. The authorization server responds with an access token if the client credentials are valid.
  3. Your app uses the access token to make authorized requests to the resource server.
  4. The resource server validates the token before responding to the request.

The {authorization_value} used in the Authorization header of the token requests in this guide is the Base64 encoding of the client ID and client secret issued during registration with the ABC API, separated by a colon:

Base64(<client_id>:<client_secret>)

Example Token Request for Production

curl -Ss -X POST \
https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/token \
-H 'Authorization: Basic {authorization_value}' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=client_credentials&scope=location.read product.read notification.read notification.write'

Note: There is no authorization or refresh token call with the client_credentials flow.

Available Scopes

Scope Name           Description
location.read        Allows access to the location API
product.read         Allows access to the products API
notification.read    Allows access to the Notification API (GET endpoint)
notification.write   Allows access to the Notification API (POST/DELETE endpoints)


Token Lifetimes

Access Tokens

Access tokens have a lifetime of 30 minutes. After 30 minutes, the refresh token (issued only in the authorization code flows) must be used to obtain a new access token and a new refresh token.

Refresh Tokens

Refresh tokens do not expire as long as they continue to be used. If 7 days pass without the refresh token being used, the user must go through the authorization flow again to obtain a new access token and refresh token.
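A small token store that applies the lifetimes stated in this section and builds the Basic header described under Client Credentials, as an added example that is not ABC Supply's code. The HTTP call is delegated to a caller-supplied `post` function (hypothetical) so the logic runs offline; client ID and secret values are placeholders.

```python
# Added example (not ABC Supply's code). Lifetimes and the header format come
# from this guide; `post` is a hypothetical HTTP helper supplied by the caller.
import base64

ACCESS_TOKEN_TTL = 30 * 60           # 30 minutes, per "Access Tokens"
REFRESH_IDLE_LIMIT = 7 * 24 * 3600   # 7 days without use, per "Refresh Tokens"
TOKEN_URL = "https://auth.partners.abcsupply.com/oauth2/ausvvp0xuwGKLenYy357/v1/token"


def basic_authorization_value(client_id: str, client_secret: str) -> str:
    """Base64(<client_id>:<client_secret>) for the 'Authorization: Basic' header."""
    return base64.b64encode(f"{client_id}:{client_secret}".encode("utf-8")).decode("ascii")


class TokenStore:
    """Holds one user's tokens and decides when to refresh or re-authorize."""

    def __init__(self, access_token, refresh_token, issued_at, auth_value):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self.auth_value = auth_value       # output of basic_authorization_value()
        self.issued_at = issued_at         # epoch seconds when the access token was minted
        self.last_used_at = issued_at      # epoch seconds when the refresh token was last used

    def access_token_expired(self, now, skew=60):
        """Expire `skew` seconds early so a request never races the 30-minute boundary."""
        return now >= self.issued_at + ACCESS_TOKEN_TTL - skew

    def refresh_token_idle_expired(self, now):
        """After 7 idle days the only option is a fresh authorization flow."""
        return now - self.last_used_at >= REFRESH_IDLE_LIMIT

    def refresh(self, now, post):
        """refresh_token grant. post(url, headers, form) returns the token JSON as a dict.
        Returns False when the user must go through the authorization flow again."""
        if self.refresh_token is None or self.refresh_token_idle_expired(now):
            return False
        headers = {"Authorization": f"Basic {self.auth_value}",
                   "Content-Type": "application/x-www-form-urlencoded"}
        form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        resp = post(TOKEN_URL, headers, form)
        # The endpoint returns a new access token and a new refresh token; keep both.
        self.access_token = resp["access_token"]
        self.refresh_token = resp["refresh_token"]
        self.issued_at = self.last_used_at = now
        return True
```

Because each refresh rotates the refresh token, persist the new value immediately; reusing the old one after rotation will fail.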