Announcement: You can find the guides for Commerce 7.5 and later on the new Elastic Path Documentation site. This Developer Center contains the guides for Commerce 6.13.0 through 7.4.1.Visit new site

This version of Elastic Path Commerce is no longer supported or maintained. To upgrade to the latest version, contact your Elastic Path representative.



Cortex uses authentication tokens and Apache Shiro to manage access to Cortex resources.

After a customer logs in, the client application uses the end-user credentials to request an authentication token from Cortex. The authentication token allows access to different resources depending on the user's role. For information on how the Cortex uses authentication tokens to allow customers to access its resources, see Cortex Authentication.

Handling roles and permissions on Cortex's side is Apache Shiro, a role-based access control framework (RBAC). Shiro provides a dynamic security model where roles and permissions can be configured at run time. Each of your Cortex API resources has a set of permissions assigned that controls what resource operations a given user is authorized to perform. For information on how the Cortex utilizes Apache Shiro to manage roles and permissions, see Cortex Authorization.