Skip to main content

Access Modes

You are reading an outdated document

Get the latest developer guides on Fynd Partners Help

When you create an extension there are access modes for the extension during the OAuth flow, you can choose between two access modes: offline and online. This guide describes the differences between online and offline access modes. The appropriate access mode for your token depends on your extension’s use case.

Offline access

Offline is the default access mode when none is specified. Tokens with offline access mode are meant for long-term access to a store, where no user interaction is involved. Offline access mode is ideal for background work in response to webhooks, or for maintenance work in backgrounded jobs.


When offline mode is requested and the extension is not already installed in a company, the user installing the extension must have access to all required scopes or the installation will fail. After the extension is installed on a company, all users with Extension permissions can successfully complete the OAuth flow again, regardless of their permission levels.


Authorizing an extension multiple times with offline access returns the same access token each time. After obtaining offline access to a store, it's necessary to reauthorize an extension only after it has been uninstalled, or when it needs additional access scopes.

Online access

Online access must be explicitly requested during the authorization phase of OAuth. Online access is meant to be used when a user is interacting with your extension through the web, or when an extension must respect an individual user's permission level.


After your extension is installed, requesting this access mode always returns an access token restricted to the scopes available to the user. The extension can inspect scope to determine if a user is lacking certain permissions.


An API request made using an online mode access token is guaranteed to respect the user's individual permissions. Fynd Platform returns a 403 Forbidden status code when the access token is valid but the user does not have access. Extension developers should make sure to handle such responses gracefully. After an access token has expired, Fynd Platform returns a 401 Unauthorized response code.

Best practices

Keep tokens with online access in a user's temporary session storage, backed by a cookie in the user's browser, and make API requests using this access token in response to the user's requests. If your extension implements caching to avoid fetching data from Fynd Platform too often, then make sure to scope the cache to each individual user. Because online access mode is guaranteed to respect each user's permission level, not caching on a per-user basis could result in an inconsistent cache.