BigCommerce
Getting Started
Authentication
Current Customer API

Current Customer API

Securely identifying signed-in customers

Suppose your application interacts dynamically with a storefront and conveys specific information to a particular signed-in customer. You must confirm that customer's identity within the insecure environment of the user's browser before revealing any sensitive information.

To address this need, BigCommerce provides a Current Customer endpoint that your app can access on the storefront using JavaScript. This endpoint allows a remote application, such as a third-party subscription billing app, to request a JSON web token, or JWT, with identifying customer details. The response is encrypted with your app-level API account's client secret.

API account notes

  • This endpoint requires app API account credentials. For more information about generating accounts, consult the Guide to API Accounts.
  • The app you create doesn't need to be installed or published on a store, and you don't need to generate access tokens. All you need are the client ID and client secret. See the section on client ID-based authentication in the Authentication tutorial.

Request

To test this endpoint, save this Current Customer API example request JavaScript snippet in the storefront's Script Manager, located in the store control panel. Include your app API account's client ID as the value of the app_client_id query parameter.

For more about adding scripts with the UI, see our support article on Using Script Manager (opens in a new tab).

Response

This API call returns a JWT, sent as a plain-text string. See the example response on the tab next to the preceding example request.

Decode the JWT using the client secret from the same app API account as the client ID you sent with the request. We recommend that your browser script send this JWT in a POST request to your server or a Function-as-a-Service (FaaS) that can work securely with your client secret. After your implementation decodes and validates the JWT, you can trust the payload as a source of truth about the signed-in customer's identity. You can now use the payload's customer information to make other API calls and display confidential data to the shopper.

The following code block is an example payload from a decoded Current Customer JWT:

Example payload: Current Customer
{
  "customer": {
    "id": 4927,
    "email": "john.doe@gmail.com",
    "group_id": "6"
  },
  "iss": "bc/apps",
  "sub": "abc123",
  "iat": 1480831863,
  "exp": 1480832763,
  "version": 1,
  "aud": "6sv16tfx3j5gsopm42ss5dd67g2srvq",
  "application_id": "6sv16tasdgr2b5hs5dd67g2srvq",
  "store_hash": "abc123",
  "operation": "current_customer"
}

IAT and EXP claims

Current customer tokens are valid for 15 minutes.

To view the data during development, you can use the JWT decoding tool at jwt.io (opens in a new tab). In production, your implementation should handle decoding the JWT. There are robust packages for most languages that can handle this for you. You can see end-to-end examples that display a customer's recently purchased products in the Ruby (opens in a new tab) and PHP (opens in a new tab) sample apps.

When a shopper is browsing as a guest, the endpoint returns a 404 Not Found HTTP status code and an error message.

On Stencil storefronts, you can check whether any customer is signed in before running the request by wrapping your request in an {{#if customer}} Handlebars Helper.

Resources

Reference

Sample apps

Did you find what you were looking for?