Authentication Overview

(Figure: oauth-flow diagram)

Manifold Marketplace-as-a-Service uses the OAuth 2.0 protocol for authorization. In our OAuth2 implementation, Manifold obtains limited access to your user accounts by delegating user authentication to your platform. It's important to understand that Manifold acts as a third-party application installed by your end users. Once your platform has authenticated an end user, Manifold trusts the end user and allows the user to access Manifold’s embedded marketplace.

As a third-party application requiring access to your platform, Manifold must be registered to use your OAuth server. During this registration process, you assign Manifold a client ID and client secret. Manifold uses this secret to obtain an access token for each authenticated end user.

To provide a white-labeled marketplace integration, Manifold embeds an invisible iframe into the components of your platform’s dashboard. This iframe uses OAuth 2.0 to transparently authenticate your end users. A white-labeled integration therefore requires you to enable transparent authorization as explained in this guide.

Once an end user is authenticated, a short-lived opaque auth token is created for the user and sent to all other web components, which use it to make requests to our GraphQL API. After verifying this auth token, Manifold uses it to fetch the end user's information and to make internal service calls.

Implementing authorization for an embedded Manifold marketplace requires a standard OAuth 2.0 flow, plus some additional configuration specific to the Manifold model, as explained in this guide.

Once everything is set up, here’s how the end-to-end authorization process works:

  1. An end user accesses the Manifold Marketplace that’s embedded in your platform.
  2. Manifold sends a request to your platform to authorize this end user.
  3. Your platform transparently accepts this authorization request.
  4. Your OAuth server returns a short-lived authorization token for the end user.
  5. Manifold verifies the auth token.
  6. Manifold uses the client secret to exchange the auth token for an access token.
  7. The access token is used to make calls to Manifold’s GraphQL API, to carry out end-user actions in the marketplace.
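The following is an added example, not Manifold's code or your platform's, showing the server-side checks your OAuth server performs in steps 3, 4 and 6 above: issuing a short-lived, single-use authorization code only for an already-authenticated session and only to the registered redirect URI, then exchanging that code for an access token only when the client secret matches. The client ID, client secret, redirect URI, and the 60-second code lifetime are constructed placeholder values, not values from this guide; the in-memory storage and the injectable clock exist so the example runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed registration record: when you register Manifold on your OAuth
# server you assign it a client ID and client secret. The values below are
# placeholders for illustration, not real credentials or Manifold's real URI.
REGISTERED_CLIENTS = {
    "manifold-client-id": {
        "secret": "manifold-client-secret-PLACEHOLDER",
        "redirect_uri": "https://marketplace.example/oauth/callback",
    }
}

CODE_TTL_SECONDS = 60      # assumed lifetime of the short-lived authorization code
TOKEN_TTL_SECONDS = 3600   # assumed lifetime of the access token


@dataclass
class AuthorizationServer:
    """Minimal in-memory model of the platform's OAuth 2.0 server (hypothetical)."""
    clock: callable = time.time              # injectable so expiry can be tested
    _codes: dict = field(default_factory=dict)
    _tokens: dict = field(default_factory=dict)

    def authorize(self, session_user, client_id, redirect_uri):
        """Steps 3-4: for an authenticated platform session, transparently issue a code."""
        if session_user is None:
            raise PermissionError("no authenticated platform session")
        client = REGISTERED_CLIENTS.get(client_id)
        if client is None:
            raise PermissionError("unknown client")
        # Exact match against the URI registered for this client, never a prefix match.
        if redirect_uri != client["redirect_uri"]:
            raise PermissionError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {
            "user": session_user,
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "expires_at": self.clock() + CODE_TTL_SECONDS,
            "used": False,
        }
        return code

    def exchange(self, code, client_id, client_secret, redirect_uri):
        """Step 6: exchange the code for an access token; requires the client secret."""
        client = REGISTERED_CLIENTS.get(client_id)
        # Constant-time comparison so the check does not leak the secret through timing.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid client credentials")
        record = self._codes.get(code)
        if record is None or record["used"]:
            raise PermissionError("unknown or already used code")
        record["used"] = True  # single use: burn the code even if a later check fails
        if self.clock() > record["expires_at"]:
            raise PermissionError("code expired")
        # The code must be redeemed by the same client and redirect_uri it was issued to.
        if record["client_id"] != client_id or record["redirect_uri"] != redirect_uri:
            raise PermissionError("code was not issued to this client/redirect_uri")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {
            "user": record["user"],
            "expires_at": self.clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def introspect(self, token):
        """Resolve the end user behind an access token (step 7), or None if invalid/expired."""
        rec = self._tokens.get(token)
        if rec is None or self.clock() > rec["expires_at"]:
            return None
        return rec["user"]


if __name__ == "__main__":
    srv = AuthorizationServer()
    uri = REGISTERED_CLIENTS["manifold-client-id"]["redirect_uri"]
    code = srv.authorize("alice", "manifold-client-id", uri)
    token = srv.exchange(code, "manifold-client-id",
                         "manifold-client-secret-PLACEHOLDER", uri)
    print("access token resolves to:", srv.introspect(token))
```

The checks worth keeping in a real implementation are the ones this model makes explicit: the code is bound to the client and redirect URI that requested it, it is accepted once and then burned regardless of outcome, it expires quickly, and the client secret is compared in constant time before any code lookup happens.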