Customer Login SSO

  • Host: {$$.env.store_domain}/graphql
  • Protocols: https
  • Accepts: application/json
  • Responds With: application/json

Download Spec: customer_login.json

Create a login URL for customer single sign-on.


To log in a customer using the Customer Login API, redirect the customer’s browser to the following access point URL:{{TOKEN}}

The {{TOKEN}} parameter is the JWT containing the payload data signed by your app’s OAuth client secret.

We recommend writing a script to generate a login token since the JWT iat (issued at) claim is only valid for 30 seconds. BigCommerce supplies helper methods for generating login tokens in our API Client Libraries.

OAuth scopes

UI Name     Permission   Parameter
Customers   read-only    store_v2_customers_read_only
Customers   login        store_v2_customers_login

JWT Header

{
  "alg": "HS256",
  "typ": "JWT"
}

JWT Payload

{
  "iss": "{{CLIENT_ID}}",
  "iat": "{{DATE_CREATED}}",
  "jti": "{{UUID}}",
  "operation": "customer_login",
  "store_hash": "{{STORE_HASH}}",
  "customer_id": {{CUSTOMER_ID}}
}

JWT Signature

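To create the signature, join the encoded header and the encoded payload with a period and sign the result with the HMAC SHA256 algorithm, using client_secret as the key.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  client_secret
)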
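The signature construction from this section, worked by hand with Node's built-in crypto module and paired with a local check of the signature and the 30-second iat window. This is an added example, not BigCommerce's code: the credentials and payload values are constructed, and verifyLoginToken is a hypothetical helper, not the store's actual validation logic.

```javascript
const crypto = require('crypto');

// base64url without padding, as JWT requires.
const b64url = (data) => Buffer.from(data).toString('base64url');

// Build header.payload.signature as described in the JWT Signature section.
function signLoginToken(payload, clientSecret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.createHmac('sha256', clientSecret).update(signingInput).digest();
  return `${signingInput}.${b64url(sig)}`;
}

// Hypothetical local check: recompute the HMAC, compare in constant time,
// pin the algorithm, and reject tokens whose iat is outside the window.
function verifyLoginToken(token, clientSecret, nowSeconds, maxAgeSeconds = 30) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  const expected = crypto.createHmac('sha256', clientSecret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  const age = nowSeconds - payload.iat;
  if (!Number.isInteger(payload.iat) || age < 0 || age > maxAgeSeconds) {
    return { ok: false, reason: 'stale or future iat' };
  }
  return { ok: true, payload };
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = 'example-client-secret';
const SAMPLE_NOW = 1700000000;
const samplePayload = {
  iss: 'example-client-id',
  iat: SAMPLE_NOW,
  jti: crypto.randomUUID(),
  operation: 'customer_login',
  store_hash: 'abc123',
  customer_id: 42,
};
const sampleToken = signLoginToken(samplePayload, SAMPLE_SECRET);
console.log(verifyLoginToken(sampleToken, SAMPLE_SECRET, SAMPLE_NOW + 10));
console.log(verifyLoginToken(sampleToken, SAMPLE_SECRET, SAMPLE_NOW + 31));
```
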

Node.js example

Create the urlGenerator.js Node app and install its dependencies.

mkdir urlGenerator

cd urlGenerator

touch urlGenerator.js

npm init

npm install jsonwebtoken uuid

Paste the following into urlGenerator/urlGenerator.js.

const jwt = require('jsonwebtoken');
const {v4: uuidv4} = require('uuid');

// Replace the placeholders with your app's credentials and store details.
const clientId = "{{CLIENT_ID}}";
const clientSecret = "{{CLIENT_SECRET}}";
const customerId = "{{CUSTOMER_ID}}";
const storeHash = "{{STORE_HASH}}";
const storeUrl = "{{STORE_URL_ORIGIN}}";

function getLoginUrl(customerId, storeHash, storeUrl, clientId, clientSecret) {
   // iat is expressed in seconds since the Unix epoch.
   const dateCreated = Math.round((new Date()).getTime() / 1000);
   const payload = {
       "iss": clientId,
       "iat": dateCreated,
       "jti": uuidv4(),
       "operation": "customer_login",
       "store_hash": storeHash,
       "customer_id": customerId,
   };
   // Sign the payload with the app's client secret using HS256.
   let token = jwt.sign(payload, clientSecret, {algorithm:'HS256'});
   return `${storeUrl}/login/token/${token}`;
}

const loginUrl = getLoginUrl(customerId, storeHash, storeUrl, clientId, clientSecret);
// Print the access point URL.
console.log(loginUrl);


Replace {{CLIENT_ID}} and other variables with your credentials, then run the app.

node urlGenerator.js

You should receive a complete access point URL as an output.

Additional information