Getting Ready to Obtain a BigCommerce API Access Token

With BigCommerce moving its API to an OAuth 2.0 authentication system, there are key pieces that app developers must set up before obtaining an access token. The BigCommerce API requires three callback URLs: the authentication URL, the uninstall URL, and the load URL. Each of these URLs must be hosted on your web server and handled by a server-side script that receives the data from the BigCommerce API's HTTP GET request.

The authorization callback URL must be able to handle a GET request containing the store code, scope, and context, as outlined in the BigCommerce API documentation. Taking in that data, you must then make an HTTP POST back to BigCommerce with the client ID, client secret, code, scope, grant type, redirect URI, and context. You can either use your own method to post back or use one of the unofficial BigCommerce API libraries. If you do not know how to retrieve your client ID and secret, see my how-to article. If everything was done correctly with the correct credentials, BigCommerce will send you back an access token.

For users to be able to uninstall your app, BigCommerce requires developers to implement an uninstall URL. This server-side script must be able to handle a GET request containing a signature and an encoded JSON object containing the user ID, email, and store hash. With this information you must then remove the user's account information from your system.

Lastly, you need a load callback URL. When a user opens your app from their control panel, it triggers a load callback, which tells BigCommerce to perform a GET request with a signed payload, much like the uninstall callback. The payload is exactly the same as the uninstall callback's; however, instead of uninstalling, you must create a session on your server so the user can interact with your app, and keep track of relevant user actions.
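As an added illustration (not code from the original article), here is a minimal Python sketch of the two server-side pieces described above: building the token-exchange POST body from the auth-callback parameters, and verifying the signed payload before an uninstall or load request is acted on, so that a forged uninstall cannot delete an account. The payload layout used (base64 JSON, a dot, then base64 of the hex HMAC-SHA256 computed with the client secret), the credential values, and the callback URL are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import urlencode

CLIENT_ID = "example-client-id"          # placeholder, not a real credential
CLIENT_SECRET = "example-client-secret"  # placeholder, not a real credential
REDIRECT_URI = "https://app.example.com/oauth"  # hypothetical auth callback URL


def build_token_request(code: str, scope: str, context: str) -> str:
    """Form body to POST back to BigCommerce after the auth-callback GET.

    code, scope and context are the query parameters received on the GET;
    grant_type is the standard OAuth 2.0 authorization-code grant.
    """
    return urlencode({
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code": code,
        "scope": scope,
        "grant_type": "authorization_code",
        "redirect_uri": REDIRECT_URI,
        "context": context,
    })


def sign_payload(data: dict, secret: str) -> str:
    """Constructed test helper: produce a signed payload in the assumed layout."""
    encoded_json = base64.b64encode(json.dumps(data).encode()).decode()
    digest = hmac.new(secret.encode(), encoded_json.encode(), hashlib.sha256).hexdigest()
    return encoded_json + "." + base64.b64encode(digest.encode()).decode()


def verify_payload(signed_payload: str, secret: str) -> Optional[dict]:
    """Return the decoded JSON only if the HMAC checks out; None otherwise.

    The uninstall and load handlers must call this first and refuse to act
    (delete an account, start a session) on a payload that fails.
    """
    try:
        encoded_json, encoded_sig = signed_payload.split(".", 1)
        expected = hmac.new(secret.encode(), encoded_json.encode(), hashlib.sha256).hexdigest()
        provided = base64.b64decode(encoded_sig).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(expected, provided):  # constant-time comparison
        return None
    return json.loads(base64.b64decode(encoded_json))
```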

Try setting up all three callback URLs locally and testing them before trying to obtain authorization. Once you have everything working on a local machine and tested on your web server, you are ready for a live test. If you have additional questions, feel free to ask in the comments or visit the BigCommerce API developer page for more information.

Reader Interactions


  1. Indrajit Rathod says

    It's a great article. It has helped a lot in understanding the callback URLs.

    We are testing the uninstall callback URL; the install callback URL works perfectly fine, but strangely, whenever the app is uninstalled it never hits the uninstall callback URL, and the same is the case with the load URL. We are still searching for the possible issues but haven't found them yet.

    The URL is publicly available and is served over SSL. Do you have any idea why this might be happening?

    Any help will be appreciated.


  2. Joe Cruz says

    Thanks for a great article. It has helped us quite a bit. We are still wrestling with where the POST request originates from. Is this baked into the HTML that is returned in the authorization callback URL?

    Does BigCommerce provide libraries that can be used to make the POST call?

    We see that the “Confirm” button on the marketplace triggers a POST command; is this what originates the POST call that returns the token and eventually finalizes the app install in an individual store?

    We appreciate any thoughts you can share about how to correctly perform the POST portion of this process. We are wrestling with CORS issues when calling it from within the HTML that we are providing.


    • says

      So the general flow is as follows:
      – BigCommerce makes a GET request (when they hit Confirm) to your Auth Callback URI, say /oauth
      – Your script takes the information detailed in the documentation: code, scope, context
      – Your script processes it and then POSTs back client_id, client_secret, etc., as labeled in the documentation
      – BigCommerce receives this, “installs” the app, and POSTs back the access token, which you need to store

      BigCommerce does not have a library for authenticating so far as I know; however, they do have a library to interface with the API via OAuth.
      For documentation visit:

      If you are unsure how to POST in general, I would visit Stack Overflow or view your programming language's documentation.
