Current Customer API

Identifying Logged-In Customers Securely

If your application interacts dynamically with the BigCommerce storefront, and conveys information that is specific to a particular logged-in customer, you must confirm that customer’s identity within the insecure environment of the user’s browser.

To address this need, BigCommerce provides a Current Customer endpoint, which your app can access via JavaScript on the storefront. This endpoint returns a JWT with identifying details about the customer. The information is signed with your OAuth client secret.


  • An App Client ID is required in requests to /customer/current.jwt.
  • To generate an App Client ID, create an App in the BigCommerce Developer Portal.
  • Use the App’s secret to validate the signature on the JWT.
  • The app doesn’t need to be installed or published on a store to utilize the client ID to get the JWT

Example JavaScript

Below is example JavaScript that will access this JWT. To test the JWT functionality, you can install this JavaScript on your sandbox BigCommerce store. Your application’s Client ID must be included in the request (to identify the requesting application):

<script type="text/javascript">
function customerJWT() {
    var appClientId = "**BC_CLIENT_ID**"; // TODO: Fill this in with your app's client ID
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 ) {
           if (xmlhttp.status == 200) {
               alert('Customer JWT:\n' + xmlhttp.responseText);
           else if (xmlhttp.status == 404) {
              alert('Not logged in!');
           else {
               alert('Something went wrong');
    };"GET", "/customer/current.jwt?app_client_id="+appClientId, true);

If you are logged into the storefront with a customer account, the above JavaScript should alert to the browser with a JWT token. If no customer is logged in, BigCommerce will return a 404 response, and you will see an error message. The JWT returned from this endpoint (example below) can be decoded on JWT.IO

Example Logged In Customers Response

  "customer": {
    "id": 4927,
    "email": "",
    "group_id": "6"
  "iss": "bc/apps",
  "sub": "abc123",
  "iat": 1480831863,
  "exp": 1480832763,
  "version": 1,
  "aud": "6sv16tfx3j5gsopm42ss5dd67g2srvq",
  "application_id": "6sv16tasdgr2b5hs5dd67g2srvq",
  "store_hash": "abc123",
  "operation": "current_customer"

By design, your application should send this token to the application’s server, validate it against your client secret, and then use it as a trusted indication of the logged-in customer’s identity, before displaying confidential information to them.

An end-to-end example, which displays a customer’s recently purchased products, is available in our Ruby and PHP sample apps.

IAT Claim

The iat claim is only good for 30 seconds.