Dev Center
Dev Center
API Docs
API Reference
Theme Docs
Tools
Library
Blog
Changelog
My Apps
Create Account
No results found.
Getting Started
Quick Start
About Our APIs
Filtering
Best Practices
API Status Codes
Deprecations and Sunsets
Storefront APIs
Overview
GraphQL
REST
Add to Cart URLs
Customer Login API
Current Customer API
Passwordless Login
Tutorials
Management APIs
Catalog
Customers
Email Templates
new
Orders
Order Refunds
Payment Processing
Price Lists
Pricing Order
reference
Scripts
Settings
Shipping
Widgets
Webhooks
Provider APIs
Shipping Providers
Tax Providers
new
Building Apps
Quick Start
Guide
Tutorials
Building Channels
Quick Start
Guide
Tutorials
Building Headless Storefronts
Overview
Embedded Checkout
Next.js Commerce
Managing Currencies
Guide
Partner Information
Becoming A Partner
Getting Started
Staying Current with Platform Changes
POS Solutions
ERP Solutions
PIM Solutions
OMS Solutions
Marketing Solutions
Shipping Solutions
Payment Solutions

Current customer API

Identifying logged-in customers securely

Suppose your application interacts dynamically with the BigCommerce storefront and conveys specific information to a particular logged-in customer. You must confirm that customer’s identity within the insecure environment of the user’s browser before revealing any sensitive information.

To address this need, BigCommerce provides a Current Customer endpoint that your app can access via JavaScript on the storefront. This endpoint allows a remote application, such as a third-party subscription billing app, to return a JWT with identifying customer details. The information is signed with your OAuth client secret.

Note

  • An app client ID is required in requests to /customer/current.jwt.
  • To generate an app client ID, create an app in the BigCommerce Developer Portal.
  • Use the app’s secret to validate the signature on the JWT.
  • The app doesn’t need to be installed or published on a store to use the client ID to get the JWT

Example JavaScript

Below is an example JavaScript code snippet that will access this JWT. To test the JWT functionality, you can install this JavaScript on your sandbox BigCommerce store. You must include your application’s client ID in the request to identify the requesting application.

<script type="text/javascript">
function customerJWT() {
    var appClientId = "**BC_CLIENT_ID**"; // TODO: Fill this in with your app's client ID
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4 ) {
           if (xmlhttp.status == 200) {
               alert('Customer JWT:\n' + xmlhttp.responseText);
           }
           else if (xmlhttp.status == 404) {
              alert('Not logged in!');
           }
           else {
               alert('Something went wrong');
           }
        }
    };
    xmlhttp.open("GET", "/customer/current.jwt?app_client_id="+appClientId, true);
    xmlhttp.send();
}
customerJWT();
</script>

The above JavaScript should alert to the browser with a JWT token if you are logged into the storefront with a customer account. If no customer is logged in, BigCommerce will return a 404 response, and you will see an error message. The JWT returned from this endpoint (example below) can be decoded on JWT.IO.

Example Logged In Customers Response

{
  "customer": {
    "id": 4927,
    "email": "john.doe@gmail.com",
    "group_id": "6"
  },
  "iss": "bc/apps",
  "sub": "abc123",
  "iat": 1480831863,
  "exp": 1480832763,
  "version": 1,
  "aud": "6sv16tfx3j5gsopm42ss5dd67g2srvq",
  "application_id": "6sv16tasdgr2b5hs5dd67g2srvq",
  "store_hash": "abc123",
  "operation": "current_customer"
}

By design, your application should send this token to the application’s server, validate it against your client secret, and then use it as a trusted indication of the logged-in customer’s identity, before displaying confidential information to them.

An end-to-end example that displays a customer’s recently purchased products is available in our Ruby and PHP sample apps.

IAT and EXP claims

The current customer tokens are valid for 15 minutes.