Template Docs Commerce APIs Webhooks
Get Started
Template Docs Commerce APIs Webhooks
Get Started
Getting started
Overview Authentication and permissions Making requests Retrieve basic site information
Using Commerce APIs
Idempotency-Key header Rate limits Responses & error handling Upgrade Changelog Glossary FAQ
Inventory API
Overview GET: Retrieve all inventory GET: Retrieve specific inventory POST: Adjust stock quantities
Orders API
Overview POST: Create an order POST: Fulfill an order GET: Retrieve all orders GET: Retrieve a specific order
Products API
Overview About product attributes Managing attributes POST: Create a product POST: Create a product variant POST: Upload a product image GET: Retrieve all Store Pages GET: Retrieve all products GET: Retrieve specific products GET: Product image upload status POST: Assign a product image to variant POST: Reorder a product image POST: Update a product POST: Update a product variant POST: Update a product image DEL: Delete a product DEL: Delete a product variant DEL: Delete a product image
Profiles API
Overview GET: Retrieve all profiles GET: Retrieve specific profiles
Transactions API
Overview GET: Retrieve all transactions GET: Retrieve specific transactions
Webhook Subscriptions API
Overview POST: Create a webhook subscription POST: Update a webhook subscription GET: Retrieve all webhook subscriptions GET: Retrieve a specific webhook subscription DEL: Delete a webhook subscription POST: Send test notification POST: Rotate a subscription secret

Accessing Squarespace APIs using OAuth 2.0

Squarespace uses OAuth 2.0 to authorize third-party applications to integrate with Squarespace and consume Squarespace APIs.

Terms

ClientThird-party application that needs to make Squarespace API calls.
UserSquarespace customer who wants to integrate their site with a client.
Confirmation pagePage created by Squarespace for the user to authorize (Allow or Deny) client access to their Squarespace account.
Access tokenShort-term token to make authenticated API requests.
Refresh tokenLong-term token to obtain new access tokens.

Instructions

1. Register the client and obtain OAuth 2.0 credentials

Before a client can make Squarespace API calls, the client must be registered with Squarespace as an OAuth client. Submit the following information via this form.

  • Client name
  • Icon image (.png or .svg format, max size 200kb, 1:1 ratio)
  • Redirect URI(s) - For example, https://thirdpartyapp.com/oauth/connect
  • Initiate URL* - For example, https://thirdpartyapp.com/oauth/initiate.
  • Link to Client’s Terms and Conditions
  • Link to Client’s Privacy Policy

*Applies only to Squarespace partner apps. These will be linked from inside Squarespace.

We will review your registration and respond with your_client_id and your_client_secret as soon as possible. These credentials are used in the subsequent steps.

2. Prompt the user to authorize client access

The /authorize URL prompts the user to authorize client access to their Squarespace data and serves as the confirmation page. If a user selects Allow, OAuth 2.0 authentication is started between the client and Squarespace APIs. Append required and any optional parameters to the GET /authorize endpoint; all parameter values should be URL-encoded.

GET https://login.squarespace.com/api/1/login/oauth/provider/authorize

Query parameterRequirementValue
client_idRequiredAlphanumeric value for your_client_id that was supplied by Squarespace in Step 1.
redirect_uriRequiredString; the full redirect URI sent to Squarespace in Step 1.
scopeRequiredString; comma-separated list of client permission values (see below) for API access. The confirmation page always displays website(s) for user selection for scope=website.*

website.ordersSend order data and mark orders as fulfilled.
website.orders.readView order and fulfillment information.
website.transactions.readAccess transactional order and donation data.
website.inventoryView and update inventory stock levels.
website.inventory.readView inventory stock levels.
website.productsView product information and modify products.
website.products.readView product information.

Example:
&scope=website.inventory,website.orders
stateRequiredAlphanumeric random value generated by client. You’ll use it in Step 3, Implement redirect URI, to prevent CSRF attacks.
website_idConditionally RequiredAlphanumeric value for a Squarespace site ID.
When a logged-in user initiates an OAuth connection from Squarespace, this value is appended as a query parameter on the provided initiate URL. Partners must pass this parameter back to the GET /authorize endpoint.
If an OAuth connection is initiated by a logged-out user, Squarespace will not include a website_id parameter on the initiate URL. Partners should not pass any website_id parameter back to the GET /authorizeendpoint in these cases. Instead, the user will be prompted to select a website on the confirmation page.
access_typeOptionalString; use offline for long-term API access. For more information, see Token expiration and long-term access. Omit parameter for short-term API access.

Authorize URL example with parameters

Note: Parameter values are in plain text and not URL-encoded for example purposes.

https://login.squarespace.com/api/1/login/oauth/provider/authorize?client_id=fGBjMDBaUHli&redirect_uri=http://localhost:8090/oauth/callback&scope=website.inventory,website.orders&state=2BsmGS9AAzFppUmcoIagOLj4iKII

3. Implement redirect URI

Both Allow or Deny on the confirmation page directs the user to the client redirect URI (i.e., the redirect_uri specified in Step 2) with query parameters appended by Squarespace. For Allow, the redirect URI should verify the state parameter and match it against state value that was appended for the /authorize endpoint. This verification prevents CSRF attacks. Squarespace doesn’t provide guidelines for Deny implementation.

ParameterValue
errorString; access_denied if user selects Deny on confirmation page. Parameter isn’t appended if user selects Allow.
stateAlphanumeric value; not present if user selects Deny.
codeAlphanumeric value used in step 4. Request access token. Value is initially URL-encoded and should be decoded prior to sending in the access token request. Valid for two minutes and only for one-time use. Not present if user selects Deny.

4. Request access token

POST https://login.squarespace.com/api/1/login/oauth/provider/tokens

The client makes a POST /tokens call with required and any optional parameters for an access token from Squarespace. Access tokens in the response are only valid for 30 minutes. For more information, see Token expiration and long-term access.

Parameters

BodyRequirementValue
grant_typeOptionalString; default is authorization_code; use authorization_code for your first request. For long-term API access, use refresh_token for all subsequent requests.
codeRequired if grant_type=authorization_codeAlphanumeric value of code passed to redirect URI.
redirect_uriRequired if grant_type=authorization_codeString; redirect_uri used for the /authorize endpoint.
refresh_tokenRequired if grant_type=refresh_tokenString; use application/json or application/x-www-form-urlencoded
Header
AuthorizationRequiredFollow the steps below to build the header value:
1. Use your Squarespace OAuth 2.0 credentials to construct a string in the format: your_client_id:your_client_secret
2. Encode the string from Step 1 into base-64
3. Add Basic<space> as a prefix to the encoded string from Step 2

Example
your_client_id: abc123
your_client_secret: 12secret345

Authorization after base-64
Basic YWJjMTIzOjEyc2VjcmV0MzQ1
Content-TypeRequiredString; use application/json or application/x-www-form-urlencoded
User-AgentRequiredString; If you see an error referencing SEC-43, a User-Agent header is missing

Example Response

{
  "token_type": "bearer",
  "access_token": "T1|Rr0Wc95uu3cSeBh06yB...",
  // expires 30 minutes after it’s created ...
  "access_token_expires_at": "1553532363.542",
}

5. Make API requests

After you obtain an access token, you can make API requests.

Endpoint:

https://api.squarespace.com/...

Authorization format:

Bearer<space><access-token-from-tokens-response>

Using the sample response from Step 4, Authorization would have the value:

Bearer T1|Rr0Wc95uu3cSeBh06yB...

Token expiration and long-term access

When a response from POST /tokens is received, access_token is only valid for 30 minutes. For long-term Squarespace API access, the client has to prompt the user to reauthorize using the GET /authorize endpoint or use refresh tokens.

Refresh tokens

To get a refresh token, add access_type=offline as a parameter to the GET /authorize request. When the client makes a POST /tokens call, the response includes refresh_token. Use the refresh token to get new tokens by making another POST /tokens call with the parameters below. The refresh token expires after seven days.

  • grant_type=refresh_token
  • refresh_token=<previous-refresh-token-value>

Note: Each POST /tokens call with a refresh_token parameter results in a new refresh_token and access_token. Refresh tokens are effectively one-time use—the original refresh token is invalidated as soon as the new access token is used. If long-term API access is required, the client should replace the stored refresh token with the most recent refresh_token. Note that obtaining new tokens doesn’t revoke existing access tokens.

Sample response from /tokens:

{
  "token": "T1|Rr0Wc95uu3cSeBh06yB...",
  "token_type": "bearer",

  // expires 30 mins after creation
  "access_token": "T1|Rr0Wc95uu3cSeBh06yB...",
  "access_token_expires_at": "1553532363.542",

  // expires 7 days after creation
  "refresh_token": "1|KYUYh35zcwzx4Zt/oty3...",
  "refresh_token_expires_at": "1554135363.542"
}

Sample use case with refresh tokens

Client has to poll orders from a user site indefinitely and needs to call the Squarespace API once per minute.

  1. User authorizes client access to Squarespace APIs via confirmation page; client makes a POST /tokens call and obtains access and refresh tokens in response.
  2. Client secures and stores the values below for current record (CR):
  • access_token=<at-1>
  • access_token_expires_at=<timestamp>
  • refresh_token=<rt-1>

  1. Prior to each API call, client checks if:

    CR.access_token_expires_at - currentTime > 10 seconds

    If true, client makes an API call with CR.access_token.

    If false, client makes a POST /tokens call with refresh_token=CR.refresh_token as a parameter for new access and refreshntokens; client stores new token values in CR:

    • access_token=<at-2>
    • access_token_expires_at=<timestamp>
    • refresh_token=<rt-2>

  2. Client repeats Steps 2 and 3 indefinitely.

Invalid tokens and revoking access

Tokens become invalid in two ways: the tokens expire or the user revokes client access from the Squarespace UI. In either case, the user has to reauthorize client access to get new access tokens.

When an access token is invalid, Squarespace responds to API requests with 401 Unauthorized. If a client receives a 401, they should notify the user that their Squarespace integration requires reauthorization.