Storefront Token

  • Host:
  • Protocols: https
  • Accepts: application/json
  • Responds With: application/json

Get and manage tokens used to authenticate cross-origin requests to the GraphQL Storefront API.
Authenticate requests by including an OAuth access_token in the request header.

Content-Type: application/json
X-Auth-Token: {{ACCESS_TOKEN}}

OAuth scopes

UI Name                                       Permission  Parameter
Storefront API Customer Impersonation Tokens  manage      store_storefront_api_customer_impersonation
Storefront API Tokens                         manage      store_storefront_api

API tokens

Generate tokens (JWT) for authenticating cross-origin requests to the GraphQL Storefront API. To create a token, send a POST request to /stores/{{STORE_HASH}}/v3/storefront/api-token.

POST /stores/{{STORE_HASH}}/v3/storefront/api-token
X-Auth-Token: {{ACCESS_TOKEN}}
Content-Type: application/json
Accept: application/json

{
  "channel_id": 1,
  "expires_at": 1602288000,
  "allowed_cors_origins": ["https://{{YOUR_STOREFRONT_ORIGIN}}"]
}

Property              Type        Description
channel_id            int         Must be a valid channel ID on the store (required)
expires_at            int         Unix timestamp (required)
allowed_cors_origins  array[str]  Allowed origins for cross-origin requests (required)

{
  "data": {
    "token": "{{JWT}}"
  },
  "meta": {
    // ...
  }
}
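As an added example (not part of this reference page or the vendor's own client code), a Python helper that builds the POST /api-token request described above with all three required body fields validated: a positive channel_id, an expires_at derived from a bounded lifetime, and allowed_cors_origins restricted to exact scheme://host[:port] origins with no wildcards, paths or credentials. It also reads the claims of a returned JWT without verifying it, which is enough to schedule rotation before the token expires. The API host is an assumption, since the page's Host field is blank.

```python
import base64
import json
import time
from urllib.parse import urlsplit

# Assumed host (the page's Host field is blank); the /stores/{hash}/v3/storefront path is from the page.
API_BASE = "https://api.bigcommerce.com/stores/{store_hash}/v3/storefront"


def normalize_origin(origin):
    """Accept only an exact scheme://host[:port]; reject bare hostnames, wildcards, paths and credentials."""
    p = urlsplit(origin)
    if p.scheme not in ("https", "http") or not p.netloc or "*" in p.netloc:
        raise ValueError(f"not an exact origin: {origin!r}")
    if p.path not in ("", "/") or p.query or p.fragment or p.username:
        raise ValueError(f"origin must not carry a path, query or credentials: {origin!r}")
    return f"{p.scheme}://{p.netloc}"


def build_api_token_request(store_hash, access_token, channel_id, allowed_cors_origins,
                            ttl_seconds=24 * 3600, max_ttl_seconds=30 * 24 * 3600, now=None):
    """Build the POST /api-token request with all three required body fields validated."""
    now = int(time.time()) if now is None else now
    if not isinstance(channel_id, int) or channel_id <= 0:
        raise ValueError("channel_id must be a positive channel ID")
    if not allowed_cors_origins:
        raise ValueError("allowed_cors_origins is required; an empty allow-list is not valid")
    if not 0 < ttl_seconds <= max_ttl_seconds:
        raise ValueError("token lifetime must be positive and bounded; rotate rather than issue long-lived tokens")
    return {
        "method": "POST",
        "url": API_BASE.format(store_hash=store_hash) + "/api-token",
        "headers": {"X-Auth-Token": access_token,
                    "Content-Type": "application/json",
                    "Accept": "application/json"},
        "json": {
            "channel_id": channel_id,
            "expires_at": now + ttl_seconds,
            "allowed_cors_origins": sorted({normalize_origin(o) for o in allowed_cors_origins}),
        },
    }


def jwt_claims_unverified(token):
    """Decode the payload of an issued JWT, e.g. to schedule rotation before exp.
    The signature is NOT checked here; never use this to decide whether to trust a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))
```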

Customer impersonation tokens

Generate tokens for use in server-to-server requests to the GraphQL Storefront API. To create a customer impersonation token, send a POST request to /v3/storefront/api-token-customer-impersonation.

POST /stores/{{STORE_HASH}}/v3/storefront/api-token-customer-impersonation
X-Auth-Token: {{ACCESS_TOKEN}}

Response:

{
  "data": {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
  },
  "meta": {}
}

Requests to the GraphQL API authenticated with a customer impersonation token receive store information from the perspective of the customer whose ID is given in the X-Bc-Customer-Id header of the GraphQL POST request. Pricing, product availability, customer account, and customer details are reflected accordingly. The following sample request uses a customer impersonation token to run a query in the context of customer ID 123.

X-Bc-Customer-Id: 123

{
  "query": "query CustomerInformation {\n  customer {\n    firstName\n    lastName\n    email\n  }\n}"
}


  • Customer impersonation tokens should never be exposed publicly, for example, to JavaScript or HTML. These tokens should not be used for frontend requests.
  • Unlike normal GraphQL API tokens, they are sensitive and should be treated like secrets, just as you might treat an OAuth token.
  • Attempts to run requests using these tokens from a web browser will be rejected.

Revoking tokens

To revoke a token, send a DELETE request to /v3/storefront/api-token.

DELETE /stores/{{STORE_HASH}}/v3/storefront/api-token-customer-impersonation
X-Auth-Token: {{ACCESS_TOKEN}}
Sf-Api-Token: {{CUSTOMER_ID}}

Additional information