Management APIs
Building Apps
Quick Start
Building Channels
Quick Start
Building Headless Storefronts
Embedded Checkout
Next.js Commerce
Managing Currencies
Partner Information
Becoming A Partner
Getting Started
Staying Current with Platform Changes
POS Solutions
ERP Solutions
PIM Solutions
OMS Solutions
Marketing Solutions
Shipping Solutions
Payment Solutions

Current customer API

Identifying logged-in customers securely

Suppose your application interacts dynamically with the BigCommerce storefront and conveys specific information to a particular logged-in customer. You must confirm that customer’s identity within the insecure environment of the user’s browser before revealing any sensitive information.

To address this need, BigCommerce provides a Current Customer endpoint that your app can access via JavaScript on the storefront. This endpoint allows a remote application, such as a third-party subscription billing app, to return a JWT with identifying customer details. The information is signed with your OAuth client secret.


  • An app client ID is required in requests to /customer/current.jwt.
  • To generate an app client ID, create an app in the BigCommerce Developer Portal.
  • Use the app’s secret to validate the signature on the JWT.
  • The app doesn’t need to be installed or published on a store to use the client ID to get the JWT.

Example JavaScript

Below is an example JavaScript code snippet that will access this JWT. To test the JWT functionality, you can install this JavaScript on your sandbox BigCommerce store. You must include your application’s client ID in the request to identify the requesting application.

<script type="text/javascript">
  function customerJWT() {
    var appClientId = '**BC_CLIENT_ID**'; // TODO: Fill this in with your app's client ID
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.onreadystatechange = function () {
      if (xmlhttp.readyState == 4) {
        if (xmlhttp.status == 200) {
          alert('Customer JWT:\n' + xmlhttp.responseText);
        } else if (xmlhttp.status == 404) {
          alert('Not logged in!');
        } else {
          alert('Something went wrong');
      '/customer/current.jwt?app_client_id=' + appClientId,

The above JavaScript should alert the browser with a JWT token after logging into the storefront with a customer account. The JWT returned from this endpoint (example below) can be decoded on JWT.IO.

If a shopper is browsing as a guest, BigCommerce will return a 404 response, and you will see an error message. Wrapping your script in a {{#if customer}} Handlebars helper will check for a logged-in customer before running the request. For more information, visit Handlebars Helpers. Handlebars Helpers.

Example Logged In Customers Response

  "customer": {
    "id": 4927,
    "email": "",
    "group_id": "6"
  "iss": "bc/apps",
  "sub": "abc123",
  "iat": 1480831863,
  "exp": 1480832763,
  "version": 1,
  "aud": "6sv16tfx3j5gsopm42ss5dd67g2srvq",
  "application_id": "6sv16tasdgr2b5hs5dd67g2srvq",
  "store_hash": "abc123",
  "operation": "current_customer"

By design, your application should send this token to the application’s server, validate it against your client secret, and then use it as a trusted indication of the logged-in customer’s identity, before displaying confidential information to them.

An end-to-end example that displays a customer’s recently purchased products is available in our Ruby and PHP sample apps.

IAT and EXP claims

The current customer tokens are valid for 15 minutes.