Authenticating BigCommerce’s REST APIs
On This Page
Two types of API credentials are available to developers wishing to make requests against BigCommerce’s REST APIs:
- Store API Credentials (created in a store’s control panel)
- App API Credentials (created in the Developer Portal)
Store API Credentials are generated when a Store API Account is created in a store’s control panel (Advanced Settings > API Accounts). These credentials are used to programmatically interact with an individual store’s data using BigCommerce’s APIs. Both OAuth and token-based authentication are possible with Store API Credentials
Developers can also create App API Credentials in the BigCommerce Developer Portal. App API Credentials are used during the OAuth flow to request authorization “on behalf” of a store owner, allowing the app to make API requests against store data. App API Credentials are OAuth only, and the store owner must install the app before the app is granted access to the store.
Obtaining Store API Credentials
To generate store API Credentials, log into the store, then:
- Navigate to Advanced Settings > API Accounts > Create API Account.
- Give the account a name (internal only).
- In the OAuth Scopes section, select the minimum scopes the app will require.
- Select Save.
A successful save will display a pop-up containing the API credentials that your app will need to run authenticated requests – your Client ID and Access Token. A
.txt file containing the same credentials will (on most browsers) automatically download to your computer. This file also contains the base API Path for your store, preconfigured for the v3 API.
The base api path will look something like this:
https://api.bigcommerce.com/stores/123456/. In the base path, the store hash is the
123456. This will be used to make API requests.
To get started making requests, see API Requests.
Save your credentials
There is no way to re-display this pop-up after selecting Done, so be sure to securely store the credentials before leaving this screen.
Revoking Store API Credentials
To revoke Store API Credentials:
- Log into the store, using the store owner’s username/password.
- Select Advanced Settings.
- Select API Accounts. This will display the Store API Accounts page, shown below.
- In the Actions column at right, select the trash-can button next to the account you want to delete.
There is no undo, so be sure before you delete an account. You can also use the checkboxes on the left side to delete multiple accounts at once – but be especially careful when using this option.
Obtaining App API Credentials
To get App API Credentials, login to (or create) your BigCommerce Developer Portal account. Navigate to My Apps (top-right corner), then:
- Click Create an app
- Give your app a name (only be visible to you)
- Click Create (a pop up box will display showing Your Profile, App Summary and Category)
- Click on Step 3 - Technical. Fill out the App Features sections with App Type, Callback URLs and Scope.
Step 3 - Technical
- In the lower right-hand corner of the popup box, click Update & Close.
- A new pop up will show asking if you want to change the OAuth Scopes. Click Confirm Update.
- You will be routed back to the Dev Tools home page and your app will be listed. Click View Client ID.
- Copy your Client ID and Client Secret. The Client ID and Client Secret can be accessed at any time by clicking View Client ID.
Client ID and Client Secret
The Client ID value uniquely identifies your app. You will need to pass it in the header of all your requests to the API.
The Client Secret value is a secret that your app and BigCommerce share. You only need to pass the Client Secret value once, during the app installation sequence. Thereafter, BigCommerce uses it to sign payloads in load, uninstall, and remove user requests, and your app uses it to verify the signature to ensure that the request is coming from BigCommerce.
Delete apps carefully
If you delete the app, there is no way to recover the Client Id and Client Secret.
During the app installation process, your app will use the Client Id and Client Secret to obtain an Oauth token authorized against the store installing the app. For a detailed look at this process, see Building an App.
Use Cases by Credential Type
|App API Credentials||Store API Credentials|
|From Dev Tools||X|
|From Store Control Panel|
|Single Click Apps (Marketplace)||X|
Migrating from Legacy to OAuth
Legacy API Accounts
As of July 31, 2018, new BigCommerce stores are no longer able to create Legacy API Accounts (accounts using HTTP Basic Auth) within their control panels. Existing Legacy API Accounts will continue to work until further notice, but we strongly recommend migrating to OAuth as soon as possible.
Migrating to OAuth comes with several benefits:
All OAuth requests are sent to a common hostname:
https://api.bigcommerce.com. Using a single hostname prevents any interruption of service when the domain or SSL on a particular store changes or expires.
All of BigCommerce’s newest V3 APIs are exclusively available via OAuth.
OAuth API accounts have access to subscribe to BigCommerce’s Webhooks for real-time event notifications
The ability to use new APIs that require a shared secret, such as the Storefront Login API or the Storefront Current Customer identification endpoint.
Gzip compression on API responses to reduce bandwidth usage
Better security as all OAuth tokens are scoped to particular endpoints
How to Migrate
First, consider whether your application should reside within the public App Marketplace, where any BigCommerce merchant can quickly discover and install it. To learn more about how to set up this kind of app, see Becoming a Partner.
If you would like to update your API connection from Basic Authentication to OAuth, you will need to make the following changes:
- Get a Client ID and an Access Token, by creating an API Account within the control panel. You’ll want to make sure the account has the correct Scopes for the API endpoints you need to access. We recommend that you provide the minimum scopes that your application requires to function, as a good security practice.
- If you use one of the Client Libraries, follow the relevant guide (within the library’s documentation) for establishing an OAuth connection.
- If you have created your connection, you’ll want to update your connection parameters:
- Where you previously used the BigCommerce store’s secure hostname, you will instead use the
https://api.bigcommerce.comgateway URL. As an example, requests to
https://my-custom-store-domain.com/api/v2/orders/123would instead go to
- Where you previously used the BigCommerce store’s secure hostname, you will instead use the
- With Basic Auth, you use an Authentication HTTP Header to authenticate your connection. With OAuth, you’ll want to use two headers:
- X-Client-Id for your Client ID
- X-Auth-Token header for your Access Token. You can read more here.
Rate limiting of API requests works differently for OAuth API connections. To become familiar with the OAuth system, please see the Rate Limits.
Scope limits ability to read or write to data. Set the scope to the minimum level needed to accomplish the task at hand.
All OAuth scopes except
read_only scopes that allow only
- Webhooks are accessible from the default scope that is available when API Credentials are created.
- Wishlists API is accessible with Customers scope.
|Scope GUI Name||Resources||Description|
|Content||store_v2_content||View and modify store content|
|store_v2_content_read_only||View Site Content|
|Checkout Content||store_content_checkout||View and modify content on checkout pages|
|store_content_checkout_read_only||View content on checkout pages|
|Customers||store_v2_customers||View and modify customer information|
|store_v2_customers_read_only||View customer information|
|Customers Login||store_v2_customers_login||Log in customers to your storefront|
|Access to the Customer Login API|
|Information & Settings||store_v2_information||View and modify general store information and settings|
|store_v2_information_read_only||View general store information and settings|
|Marketing||store_v2_marketing||View and modify marketing information|
|store_v2_marketing_read_only||View marketing information|
|Orders||store_v2_orders||View and modify orders|
|Order Transactions||store_v2_transactions||View and modify order transactions|
|store_v2_transactions_read_only||View order transactions|
|Create Payments||store_payments_access_token_create||Process Payments|
|Get Payment Methods||store_payments_methods_read||Get Order Payment Methods|
|Products||store_v2_products||View and modify products, brands, categories and other product information.|
|Themes||store_themes_manage||View and modify themes|
|Carts||store_cart||View and Modify carts|
|Checkouts||store_checkout||View and modify a checkout|
|store_checkout_read_only||View checkout content|
|Sites & Routes||store_sites||View and modify sites and routes|
|store_sites_read_only||View external storefronts with Non-BigCommerce URLs|
|Channel Settings||store_channel_settings||View and modify a list of channels|
|store_channel_settings_read_only||View a list of channels|
|Channel Listings||store_channel_listings||View and modify a list of all channel listings for a particular channel|
|store_channel_listings_read_only||View a list of all channel listings for a particular channel|
|Storefront API Tokens||store_storefront_api||Create a storefront API token|
|Storefront API Customer Impersonation Tokens||store_storefront_api_customer_impersonation||Create a storefront API token that allows for customer impersonation|