Customer Login API
On this page
Introduction
In this tutorial, you will learn how to enable single sign-on for storefront customers using the Customer Login API and JSON Web Tokens.
Overview
Single sign-on (SSO) is an authentication mechanism that enables users to log into multiple software applications using the same set of credentials that the user enters only once. It eliminates the need to maintain multiple passwords, which streamlines the process of accessing web applications. For more details, see Single Sign-On.
When a user logs into your web app, you can use the Customer Login API to authenticate the user to your BigCommerce store through SSO.
You can use the Customer Login API in the following use cases:
- Integrate with an SSO provider or identity provider (IdP)
- Set up continuous login between a BigCommerce store and another application
- Enable alternative login methods (ex. phone number and SMS password)
Storefront customers are logged in using the access point URL /login/token/{token}
. The {token}
must be a JSON Web Token (JWT) containing parameters for the customer login request signed by your application’s OAuth client secret. For more information on the OAuth protocol, see OAuth.
JWT is an industry standard (RFC 7519) for securely transmitting information between two parties. A JWT is represented as a sequence of base64url-encoded sections separated by dots (.
). The sections include the header, payload, and signature. For more details, see Introduction to JSON Web Tokens.
Payload fields reference
Field Name | Type | Description |
---|---|---|
iss |
string | Indicates the token’s issuer. This is your application’s Client ID. |
iat |
integer | Time when the token was generated. This is a numeric value indicating the number of seconds since the Unix epoch. |
jti |
string | A unique request ID (ex. uuid). |
operation |
string | Must contain the string "customer_login" . |
store_hash |
string | Store hash identifying the store you are logging into. |
customer_id |
integer | ID of the customer you are logging in. |
redirect_to |
string | Optional field containing a relative path for the shopper’s destination after login. Will default to /account.php . |
request_ip |
string | Optional field containing the expected IP address for the request. If provided, BigCommerce will check that it matches the browser trying to log in. |
Prerequisites
To enable SSO using the Customer Login API, you will need the following:
- A BigCommerce store
- API client ID and client secret with the OAuth Scope set to Customers Login
- Node.js installed on your machine if you plan to use JavaScript
If you do not know your client ID and client secret, obtain the credentials by following the steps outlined in Creating an API Account.
Be sure to set the Customers Login scope to Login.
Enable single sign-on
To log a customer into their storefront account using the Customer Login API, your app needs to redirect the customer’s browser to the following access point URL: https://storedomain.com/login/token/{token}
.
The {token}
parameter is the JWT containing the payload data signed by your app’s OAuth client secret.
We recommend writing a script to generate a login token since JTW’s iat
(issued at) claim is only valid for 30 seconds. BigCommerce supplies helper methods for generating login tokens in our API Client Libraries.
The beginning of this tutorial focuses on manually creating a token using the debugger tool at JWT.io. Then, we will explore how to use a JavaScript function to programmatically generate an access point URL.
Create JWT using the debugger tool
To create a JWT, you will need to obtain a customer_id
using the Customers v3 API.
- Send a
GET
request to the Get All Customers endpoint. Choose a customer and make note of thecustomer_id
.
{
"accepts_product_review_abandoned_cart_emails": true,
"authentication": {
"force_password_reset": false
},
"company": "BigCommerce",
"customer_group_id": 2,
"date_created": "2020-02-06T17:46:33Z",
"date_modified": "2020-02-07T19:58:03Z",
"email": "customer@email.com",
"first_name": "Jane",
"id": 1, #customer_id
"last_name": "Doe",
"notes": "",
"phone": "",
"registration_ip_address": "",
"tax_exempt_category": "D"
}
-
Open the debugger at JWT.io.
-
In the “HEADER” field, make sure the JWT
alg
(algorithm) field is set to"HS256"
and thetyp
(token type) field is set to"JWT"
.
- In the “PAYLOAD: DATA” field, create a payload.
- In the “VERIFY SIGNATURE” field, replace “your-256-bit-secret” with your Client Secret.
- Copy the login token from the encoded box and paste it into the access point URL replacing the
{token}
parameter. Example:
https://storedomain.com/login/token/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ7Y2xpZW50X2lkfSIsImlhdCI6MTUzNTM5MzExMywianRpIjoie3V1aWR9Iiwib3BlcmF0aW9uIjoiY3VzdG9tZXJfbG9naW4iLCJzdG9yZV9oYXNoIjoie3N0b3JlX2hhc2h9IiwiY3VzdG9tZXJfaWQiOjJ9.J-fAtbjRFGdLsT744DhoprFEDqIfVq72HbDzrbFy6Is
- Paste the URL into the address bar of your web browser.
If the request was successful, you will be logged in as a customer and directed to /account.php
. If it was unsuccessful, a login attempt error message will be displayed and you will be directed to /login.php
.
For common causes of login failure, see Troubleshooting.
Create JWT using a JavaScript function
In this part of the tutorial, we will walk you through creating an access point URL using JavaScript. You will need node.js installed on your machine to complete this section.
- Create and open a new folder by running the following commands in your terminal:
$ mkdir urlGenerator
$ cd urlGenerator
- Create a new node project with the following command:
$ npm init
- Install jsonwebtoken and uuid npm packages:
$ npm install jsonwebtoken uuid
-
Open the
urlGenerator
folder in your code editor of choice and create a new JS file. -
Paste the following code into the new JS file:
const jwt = require('jsonwebtoken');
const {v4: uuidv4} = require('uuid');
function getLoginUrl(customerId, storeHash, storeUrl, clientId, clientSecret) {
const dateCreated = Math. round((new Date()). getTime() / 1000);
const payload = {
"iss": clientId,
"iat": dateCreated,
"jti": uuidv4(),
"operation": "customer_login",
"store_hash": storeHash,
"customer_id": customerId,
}
let token = jwt.sign(payload, clientSecret, {algorithm:'HS256'});
return `${storeUrl}/login/token/${token}`;
};
const clientId = "Your client id";
const clientSecret = "Your client secret";
const customerId = "Your customer id";
const storeHash = "Your store hash";
const storeUrl = "Your store url";
const loginUrl = getLoginUrl(customerId, storeHash, storeUrl, clientId, clientSecret);
console.log(loginUrl);
-
Replace your app and customer-specific values in the variables.
-
Run the code:
$ node youFileName.js
You should receive a complete access point URL as an output.
- Copy the URL and paste it into the address bar of your browser.
If the request was successful, you will be logged in as a customer and directed to /account.php
. If it was unsuccessful, you will receive a login attempt error message and be directed to /login.php
. For common causes of login failure, see Troubleshooting.
Sample code
Helper methods for generating login tokens are provided in our API Client Libraries. See the following BigCommerce repositories for language-specific examples:
For client libraries in other languages, see Libraries for Token Signing/Verification.
Logging out
To log out a customer, set the redirect_to
field of the JWT’s payload to /login.php?action=logout
.
Troubleshooting
- If the clock of the server generating the “iat” claim is not synchronized, the timestamp will be out of sync and the request will fail. If your system’s time is different from the BigCommerce server time, you can use the Get System Timestamp endpoint as a source of truth.
- You can only visit the access point URL once. The token will be invalidated after the
GET
request is made. - Tokens should not be generated in advance. Instead, the app should generate the token and immediately redirect the user’s browser to the access point URL.
Related resources
Articles
- Authenticating BigCommerce’s REST APIs
- BigCommerce APIs Quick Start
- Store API Accounts
- Introduction to JSON Web Tokens