### For Addons
The API is intended for building addons for the Shoptet system and uses
OAuth2 authorization principles.
To access the API, you must implement a web service on your side that
communicates with our OAuth server.
In the administration of the e-shop you use to work with our API, find the
`Access to API` tab in the `API Partner` section.
There you will find your clientID and the addresses for calling our OAuth
server.
Work with the API begins with installing the addon in an e-shop. (You can
test the installation process in the addon detail, in the `Users` section,
where you can trigger the installation for your e-shop.)
In the `Settings` section of your addon detail, enter the URL for obtaining
the OAuth code. The URL must point to your server, to a script that is able
to obtain an OAuth access token.
When the addon is installed, this address receives an HTTP request with the
GET parameter `code`, which has a unique value (a 255 character long
string).
The `code` provided has only short-term validity and can be used only once.
With this code, request an `OAuth access token` from our OAuth server.
This request must be made within the same script that received the `code`.
Do not postpone obtaining the OAuth access token, and do not reply to our
request with a `200 OK` status until you have obtained the OAuth access
token.
The address to call, and an example implementation, can be found in the
e-shop administration in the `Access to API` section.
In response you will obtain a JSON with your OAuth access token. Save this
token securely. Never send this token to the client computer; use it only
for communication between servers and for obtaining the temporary token for
access to the API.
Once you have successfully received an OAuth access token, your script must
end with the HTTP status code “200”.
Now that you have your OAuth access token, which links your addon with a
specific e-shop, you can communicate with the e-shop via the API.
From your server, call the address
`https://<eshop-address.tld>/action/ApiOAuthServer/getAccessToken`
with the HTTP header `Authorization: Bearer <OAuth access token>`.
In reply, you will receive a JSON containing the API access token value
and the token expiration time. An example call can be found in the
e-shop administration in the `Access to API` section.
It is possible to request a maximum of 5 valid tokens.
The API access token enables you to call the individual URLs of our API,
for example `https://api.myshoptet.com/api/eshop`. Send the API access token
in each request in the HTTP header `Shoptet-Access-Token`.
You can have several valid API access tokens available at any one time.
When the API access token expires, you will receive an HTTP status code 401
and a message about token expiration.

```
{
    "data": null,
    "errors": [
        {
            "errorCode": "expired-token",
            "message": "Token is expired. Please ask for new one.",
            "instance": "unknown"
        }
    ],
    "metadata": {
        "requestId": "019c8c34-64f3-7328-af43-bf1e34fa39d7"
    }
}
```
If your token does not have the access right for a specific endpoint, you
will obtain a reply with HTTP status code 403 Forbidden.

```
{
    "data": null,
    "errors": [
        {
            "errorCode": "invalid-token-no-rights",
            "message": "Your access token \"afd..123\" has no defined rights for this resource.",
            "instance": "access-token"
        }
    ],
    "metadata": {
        "requestId": "019c8c34-64f3-7328-af43-bf1e34fa39d7"
    }
}
```
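The token handling described above, as an added example (not Shoptet's own code): a server-side client that keeps the OAuth access token on the server, caches and reuses one API access token so it stays well under the limit of 5 valid tokens, refreshes once on `expired-token`, and reports only the `requestId` on errors because the 403 message quotes part of the token. The `access_token` field name, the `ShoptetClient` class and the injectable `transport` parameter are assumptions made for this example.

```python
import json
import urllib.error
import urllib.request

API_URL = "https://api.myshoptet.com/api/eshop"  # endpoint named on the page

def http_get(url, headers):
    """Default transport: returns (HTTP status, parsed JSON body)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.load(err)

class ShoptetClient:
    def __init__(self, eshop_host, oauth_token, transport=http_get):
        self._token_url = f"https://{eshop_host}/action/ApiOAuthServer/getAccessToken"
        self._oauth_token = oauth_token  # long-lived secret, never leaves the server
        self._api_token = None           # short-lived, cached and reused
        self._get = transport

    def _refresh(self):
        status, body = self._get(self._token_url,
                                 {"Authorization": f"Bearer {self._oauth_token}"})
        if status != 200:
            raise RuntimeError(f"token request failed with HTTP {status}")
        # Assumption: the JSON field is "access_token"; the page does not name it.
        self._api_token = body["access_token"]

    def get(self, url=API_URL):
        for attempt in range(2):
            if self._api_token is None:
                self._refresh()
            status, body = self._get(url, {"Shoptet-Access-Token": self._api_token})
            codes = {e.get("errorCode") for e in (body.get("errors") or [])}
            if status == 401 and "expired-token" in codes and attempt == 0:
                self._api_token = None   # drop the stale token, retry once
                continue
            if status == 403:
                # Do not log the API message: it echoes a fragment of the token.
                raise PermissionError("token has no rights for this resource")
            if status != 200:
                rid = (body.get("metadata") or {}).get("requestId")
                raise RuntimeError(f"HTTP {status}, requestId {rid}")
            return body["data"]
```
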
