Salla OAuth 2.0 Client Provider for The PHP League OAuth2-Client

1.4.0 2022-03-30 10:44 UTC



Salla OAuth 2.0 Client

This package provides Salla OAuth 2.0 support for the PHP language OAuth 2.0 Client.
Explore our blogs »

Report Bug · Request Feature · </Salla Developers>


To use this package, it will be necessary to have a Salla client ID and client secret. These are referred to as {client-id} and {client-secret} in the documentation.

Please follow the Salla instructions to create the required credentials.

OAuth Workflow

OAuth Workflow


You can install the package via composer:

composer require salla/ouath2-merchant

(back to top)


Authorization Code Flow


require_once './vendor/autoload.php';

use Salla\OAuth2\Client\Provider\Salla;

$provider = new Salla([
    'clientId'     => '{client-id}', // The client ID assigned to you by Salla
    'clientSecret' => '{client-secret}', // The client password assigned to you by Salla
    'redirectUri'  => '', // the url for current page in your service

 * In case the current callback url doesn't have an authorization_code
 * Let's redirect the merchant to installation/authorization app workflow
if (empty($_GET['code'])) {
    $authUrl = $provider->getAuthorizationUrl([
        'scope' => 'offline_access',
        //Important: If you want to generate the refresh token, set this value as offline_access

    header('Location: '.$authUrl);

 * The merchant complete the installation/authorization app workflow
 * And the callback url have an authorization_code as parameter
 * Let's exchange the authorization_code with access token
try {
    $token = $provider->getAccessToken('authorization_code', [
        'code' => $_GET['code']

    // ## Access Token
    // You should store the access token
    // which may use in authenticated requests against the Salla's API
    echo 'Access Token: '.$token->getToken()."<br>";

    // ## Refresh Token
    // You should store the refresh token somewhere in your system because the access token expired after 14 days,
    // so you can use the refresh token after that to generate a new access token without asking any access from the merchant
    // $token = $provider->getAccessToken(new RefreshToken(), ['refresh_token' => $token->getRefreshToken()]);
    echo 'Refresh Token: '.$token->getRefreshToken()."<br>";

    // ## Expire date
    // This helps you to know when the access token will be expired
    // so before that date, you should generate a new access token using the refresh token
    echo 'Expire Date : '.$token->getExpires()."<br>";

    // ## Merchant Details
    // Using the access token, we may look up details about the merchant.
    // --- Same request in Curl ---
    // curl --request GET --url '' --header 'Authorization: Bearer <access-token>'

    /** @var \Salla\OAuth2\Client\Provider\SallaUser $user */
    $user = $provider->getResourceOwner($token);

     *  {
     *    "id": 1771165749,
     *    "name": "Test User",
     *    "email": "",
     *    "mobile": "+966500000000",
     *    "role": "user",
     *    "created_at": "2021-12-31 11:36:57",
     *    "merchant": {
     *      "id": 1803665367,
     *      "username": "dev-j8gtzhp59w3irgsw",
     *      "name": "dev-j8gtzhp59w3irgsw",
     *      "avatar": "",
     *      "store_location": "26.989000873354787,49. 62477639657287",
     *      "plan": "special",
     *      "status": "active",
     *      "domain": "",
     *      "created_at": "2021-12-31 11:36:57"
     *    }
     *  }

    echo 'User ID: '.$user->getId()."<br>";
    echo 'User Name: '.$user->getName()."<br>";
    echo 'Store ID: '.$user->getStoreID()."<br>";
    echo 'Store Name: '.$user->getStoreName()."<br>";

    // 🥳
    // You can now save the access token and refresh the token in your database
    // with the merchant details and redirect him again to Salla dashboard (

    // ## Access to authenticated APIs for the merchant
    // You can also use the same package to call any authenticated APIs for the merchant
    // Using the access token, information can be obtained from a list of endpoints.
    // --- Same request in Curl ---
    // curl --request GET --url '' --header 'Authorization: Bearer <access-token>'
    $response = $provider->fetchResource(


} catch (\League\OAuth2\Client\Provider\Exception\IdentityProviderException $e) {
    // Failed to get the access token or merchant details.
    // show an error message to the merchant with good UI

(back to top)

Refreshing a Token

Refresh tokens are only provided to applications that request offline access. You can specify offline access by passing the scope option in your getAuthorizationUrl() request.

use Salla\OAuth2\Client\Provider\Salla;

$provider = new Salla([
    'clientId' => '{client-id}',
    'clientSecret' => '{client-secret}',

$refreshToken = 'FromYourStoredData';
$token = $provider->getAccessToken('refresh_token', ['refresh_token' => $refreshToken]);


composer test

(back to top)


The team is always here to help you. Happen to face an issue? Want to report a bug? You can submit one here on Github using the Issue Tracker. If you still have any questions, please contact us via the Telegram Bot or join in the Global Developer Community on Telegram.


Contributions are what make the open-source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

If you have a suggestion that would make this better, please fork the repo and create a pull request. You can also simply open an issue with the tag "enhancement". Don't forget to give the project a star! Thanks again!

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

(back to top)


If you discover any securitys-related issues, please email instead of using the issue tracker.



The MIT License (MIT). Please see License File for more information.

(back to top)