Area: Optimizely B2B Commerce

Using Fiddler to interact with the B2B Commerce API

Recommended reading 

In order to make calls to the B2B Commerce API, the client must be configured with Identity Server with a client id, secret, and scope. Although it is possible to use developer tools within the browser to harvest the access token from B2B Commerce requests, it really isn't a viable solution for production. The recommendation is to create a client within Identity Server.


  • Fiddler installed
  • Visual Studio installed
  • SDK installed

Overview of Steps:

  1. Add client to Identity Server
  2. Configure client for Identity Server
  3. Use the client to interact with the API

Detailed steps:

  1. In Visual Studio, open the SDK solution.
  2. In the Web project, add a reference to ~\Lib\IdentityServer3.EntityFramework.dll.

    NOTE: Do not use Nuget to install IdentityServer3.EntityFramework because there are some version dependencies that are deployed along with the SDK.
  3. Open the ~\Epi B2B Commerce.Web\App_Start\Startup.cs file.
  4. Add the following using statements to the top of the file.
    using IdentityServer3.Core;
    using IdentityServer3.Core.Models;
    using IdentityServer3.EntityFramework;
    using IdentityServer3.EntityFramework.Entities;
  5. Add the following code to the "PostStartup" method. This code will create a connection to the database and add a new Identity Server client called "Fiddler".

    ClientName: Fiddler

    ClientId: fiddler

    ClientSecret: secret

    var efConfig = new EntityFrameworkServiceOptions
        ConnectionString = "InSite.Commerce"
    using (var db = new ClientConfigurationDbContext(efConfig.ConnectionString, efConfig.Schema))
        if (!db.Clients.Any(c => c.ClientId == "fiddler"))
            db.Clients.Add(new IdentityServer3.EntityFramework.Entities.Client
                ClientName = "Fiddler",
                ClientId = "fiddler",
                Enabled = true,
                RefreshTokenUsage = TokenUsage.OneTimeOnly,
                EnableLocalLogin = true,
                PrefixClientClaims = true,
                IdentityTokenLifetime = 360,
                AccessTokenLifetime = 3600,
                AuthorizationCodeLifetime = 300,
                AbsoluteRefreshTokenLifetime = 86400,
                SlidingRefreshTokenLifetime = 43200,
                AccessTokenType = AccessTokenType.Jwt,
                ClientSecrets = new List<ClientSecret>
                    new ClientSecret
                        Value = "secret".Sha256(),
                        Type = Constants.SecretTypes.SharedSecret
                AllowedScopes = new List<ClientScope>
                    new ClientScope
                        // This is the Storefront API scope. You can also use SecurityOptions.AdminScope to access the Admin API.
                        Scope = SecurityOptions.Scope
                Flow = Flows.ResourceOwner
  6. Rebuild the solution.
  7. Open Fiddler and navigate to the request Composer.
  8. Change the HTTP verb to "POST" and the URL to the Identity authentication endpoint of your installed Optimizely Commerce application (e.g. http://431sdk.local.com/identity/connect/token).
  9. The "Authorization" header used to authenticate with Identity Server needs to be encoded using Base64. The decoded format for the header value is {clientid:clientsecret}. In this example, the decoded value is "fiddler:secret". To encode the client id and client secret in Fiddler, use the TextWizard. Be sure the transform operation is set to "To Base64".
    Fiddler Text Wizard

  10. Copy the following headers to the request in Fiddler. Be sure to replace the "Authorization" header value with "Basic {encoded value you created earlier}".

    Accept: application/json, text/plain, */*
    Authorization: Basic ZmlkZGxlcjpzZWNyZXQ=
    Content-Type: application/x-www-form-urlencoded
  11. In the body of the request, use a querystring to include user credentials, grant type, and scope. The user credentials need to be for a Storefront user for the B2B application. For example, grant_type=password&username=admin&password=Password1&scope=iscapi.
    Fiddler Parsed

  12. Execute the request.
  13. Validate the operation by confirming a 200 status for the response. The response should include the access token needed to make authenticated calls to the API.
    Fiddler Token Response

    HTTP/1.1 200 OK
    Cache-Control: no-store, no-cache, max-age=0, private
    Pragma: no-cache
    Content-Length: 966
    Content-Type: application/json; charset=utf-8
    Server: Microsoft-IIS/8.5
    X-Powered-By: ASP.NET
    p3p: policyref="/w3c/privacy.htm", CP="NOI DSP COR NOR UNI STA"
    Date: Fri, 04 Sep 2015 15:56:17 GMT
  14. To make requests to the API using the access token, simply change the "Authorization" header value to "Bearer {access token from identity response}".
  15. Back in Fiddler, send a request to /api/v1/sessions/current. If the bearer token is set up correctly, you should receive a 200 status and a session object in the response.


Do you find this information helpful? Please log in to provide feedback.

Last updated: Dec 11, 2020

Recommended reading