# OAuth Authentication

> OAuth 2.0 authentication flow for multi-shop apps

If you are looking to build an app that will be used by multiple shops, you will need to use OAuth.

First, create an app by following the instructions in [Apps - Getting started](/apps/getting-started).

Once completed, you will need to know:

1. Your redirect URL
2. Your client ID
3. Your client secret

## Authorize URL

Link your users to this URL to start the login process for your app. Always use `my-shop.fourthwall.com` as the shop URL, as this will link to the logged-in user's current shop.

You can copy this URL from the OAuth tab of your app. You will need to provide your Client ID in the path (you can get this from your app's settings page), your redirect URL, and an optional state parameter.

```
https://my-shop.fourthwall.com/admin/platform-apps/<YOUR_CLIENT_ID>/connect?redirect_uri=<YOUR_URL_ENCODED_REDIRECT_URL>&state=<OPTIONAL_STATE_PARAM>
```

## Getting an access token

After the user has authorized your app, they will be redirected to your redirect URL with an authorization code and the state parameter if you provided one. You will need to exchange this code for an access token.

```bash
curl -XPOST https://api.fourthwall.com/open-api/v1.0/platform/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code&redirect_uri=<YOUR_REDIRECT_URL>&client_id=<YOUR_CLIENT_ID>&client_secret=<YOUR_CLIENT_SECRET>&code=<AUTHORIZATION_CODE>"
```

The response will contain an `access_token`, `refresh_token`, and other information.
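
The page treats `state` as optional; this added example (not from the Fourthwall docs) sends a random per-session `state` with the authorize URL and checks it on the callback before the code is exchanged, which ties the callback to a login your app actually started. The callback parameter names `code` and `state` and all function names are assumptions, and the values used with them are constructed.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Host and path come from the Authorize URL section above.
AUTHORIZE_URL = "https://my-shop.fourthwall.com/admin/platform-apps/{client_id}/connect"


def new_state() -> str:
    """Unguessable per-login value; keep it in the user's server-side session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    # urlencode percent-encodes redirect_uri, as the URL template requires.
    query = urlencode({"redirect_uri": redirect_uri, "state": state})
    return AUTHORIZE_URL.format(client_id=client_id) + "?" + query


def code_from_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code, or raise if the state does not match.

    Assumption: the callback carries `code` and `state` query parameters
    (the standard OAuth 2.0 names; the page does not spell them out).
    """
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])
    code = params.get("code", [""])
    # Reject missing or duplicated parameters instead of guessing which is real.
    if len(state) != 1 or len(code) != 1 or not code[0]:
        raise ValueError("malformed callback")
    # Constant-time comparison against the value saved in the session.
    if not expected_state or not hmac.compare_digest(state[0].encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    return code[0]


def token_request_body(client_id: str, client_secret: str, redirect_uri: str, code: str) -> str:
    # Form body for POST /open-api/v1.0/platform/token, every value encoded.
    return urlencode({
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
        "code": code,
    })
```

Discard the stored `state` after one successful check so a replayed callback fails the comparison.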

## Using the access token

```bash
curl -XGET https://api.fourthwall.com/open-api/v1/order/{YOUR_ORDER_ID} \
  -H "Authorization: Bearer YOUR_ACCESS_TOKEN"
```

## Refreshing the access token

Access tokens expire rather quickly (within a few minutes). You can use the `refresh_token` to get a new access token without having to re-authorize the user.

```bash
curl -XPOST https://api.fourthwall.com/open-api/v1.0/platform/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token&client_id=<YOUR_CLIENT_ID>&client_secret=<YOUR_CLIENT_SECRET>&refresh_token=<YOUR_REFRESH_TOKEN>"
```
