GraphQL Storefront API tokens
Get and manage tokens used to authenticate cross-origin requests to the GraphQL Storefront API.
Add a token creation scope to the store-level or app-level API account you use to generate tokens.
Storefront tokens
This type of token is the most appropriate to use from a web browser when you're serving a static site that only supports anonymous shopping. If you're creating a token for a backend implementation, you wish to support signing in customers, or you're developing a frontend app that proxies requests, such as a NextJS app, use a customer impersonation token.
Customer impersonation tokens
Customer impersonation token-authenticated requests receive store information from the perspective of the customer with the ID specified in the X-Bc-Customer-Id header. The customer will automatically see the correct pricing, product availability, order history, and account details.
This special token is not necessary if you only wish to query information from an anonymous shopper's perspective.
Warning
Unless your frontend client proxies requests, attempts to authenticate from the browser using customer impersonation tokens will be rejected.
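The proxy arrangement the warning refers to, as an added example rather than BigCommerce's own code: the impersonation token stays on the server, and the value placed in X-Bc-Customer-Id comes from the server's own session record, never from a header or field the browser supplied. Because that header selects whose order history and account details the response contains, a proxy that copied it from the client request would let any visitor read any customer's data. The Bearer authorization scheme, the GraphQL endpoint URL and the session store below are assumptions and constructed placeholders, not values from this page.

```python
"""Server-side proxy for customer impersonation requests (added example, not BigCommerce code)."""
import json
import urllib.request

# Placeholder storefront GraphQL endpoint; not taken from the page.
GRAPHQL_URL = "https://store.example.com/graphql"

# Constructed stand-in for the server's session store: session id -> signed-in customer id.
# A None value models a guest session with no customer context.
SESSIONS = {"sess-a1b2": 42, "sess-guest": None}


class ProxyError(Exception):
    """Raised when a browser request cannot be forwarded."""


def build_upstream_request(session_id, client_body, impersonation_token, sessions=SESSIONS):
    """Return the request the proxy forwards upstream for one browser request.

    client_body is the JSON the browser posted. Anything in it other than the GraphQL
    query and variables (including any customer id the client tried to smuggle in) is
    dropped; the proxy alone decides the Authorization and X-Bc-Customer-Id headers.
    """
    if session_id not in sessions:
        raise ProxyError("unknown session")
    if not isinstance(client_body, dict) or not isinstance(client_body.get("query"), str):
        raise ProxyError("body must carry a GraphQL query string")
    variables = client_body.get("variables", {})
    if not isinstance(variables, dict):
        raise ProxyError("variables must be an object")
    upstream_body = {"query": client_body["query"], "variables": variables}

    headers = {
        "Content-Type": "application/json",
        # Assumed Bearer scheme for the Storefront API; the token never reaches the browser.
        "Authorization": f"Bearer {impersonation_token}",
    }
    customer_id = sessions[session_id]
    if customer_id is not None:
        # Only a session the server knows to be signed in gets a customer perspective.
        headers["X-Bc-Customer-Id"] = str(customer_id)
    return {"url": GRAPHQL_URL, "headers": headers, "body": upstream_body}


def forward(upstream):
    """Send a built request with urllib and return the decoded JSON (network required)."""
    req = urllib.request.Request(
        upstream["url"],
        data=json.dumps(upstream["body"]).encode(),
        headers=upstream["headers"],
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # A browser request that tries to pick a different customer; the proxy ignores it.
    tampered = {"query": "{ customer { email } }", "X-Bc-Customer-Id": "7"}
    print(build_upstream_request("sess-a1b2", tampered, "IMPERSONATION_TOKEN_PLACEHOLDER"))
```

The same builder serves guest sessions: with no customer id on record the X-Bc-Customer-Id header is simply omitted and the query runs from an anonymous shopper's perspective, which is the case the page says needs no impersonation token at all.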
Additional information
Create a Token
POST https://api.bigcommerce.com/stores/{store_hash}/v3/storefront/api-token
Request
Creates a Storefront API token.
Required Scopes
Manage
Storefront API Tokens
Authentication
- X-Auth-Token in header
Parameters
- store_hash in path - string
- Accept in header with default of application/json - string, required. The MIME type of the response body.
- Content-Type in header with default of application/json - string, required. The MIME type of the request body.
Body
- allowed_cors_origins in body - array[string]. List of allowed domains for Cross-Origin Resource Sharing (CORS). Currently accepts a maximum of two domains per created token.
- channel_id in body - integer, required. Channel ID for the requested token. Min: 1. Example: 1
- expires_at in body - integer, required. Unix timestamp (UTC time) defining when the token should expire. Supports seconds, but does not support milliseconds, microseconds, or nanoseconds. Min: 0. Example: 1885635176
Response
Body
- data - object
Revoke a Token
DELETE https://api.bigcommerce.com/stores/{store_hash}/v3/storefront/api-token
Request
Authentication
- X-Auth-Token in header
Parameters
- store_hash in path - string
- Accept in header with default of application/json - string, required. The MIME type of the response body.
- Sf-Api-Token in header - string, required. An existing JWT token that you want to revoke.
Response
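Both endpoints above, create and revoke, as an added client example that is not BigCommerce's own code. The builders construct the exact request each endpoint documents (X-Auth-Token and Accept headers, JSON body for POST, the token to revoke in the Sf-Api-Token header for DELETE) and check the documented body constraints locally before anything is sent: at most two CORS origins, channel_id of at least 1, expires_at a non-negative Unix timestamp in seconds. The millisecond heuristic and the origin-syntax check are assumptions added here, and the store hash and API account token in the usage block are placeholders.

```python
"""Request builders for the Storefront API token endpoints (added example, not BigCommerce code)."""
import json
import time
import urllib.request

API_URL = "https://api.bigcommerce.com/stores/{store_hash}/v3/storefront/api-token"
MAX_CORS_ORIGINS = 2  # documented limit per created token


def check_create_params(channel_id, expires_at, allowed_cors_origins=(), now=None):
    """Return a list of problems with the POST body fields; an empty list means valid."""
    problems = []
    origins = list(allowed_cors_origins)
    if len(origins) > MAX_CORS_ORIGINS:
        problems.append(f"at most {MAX_CORS_ORIGINS} allowed_cors_origins per token")
    for origin in origins:
        # Assumption: an origin is scheme://host[:port]; a path or wildcard would be useless.
        scheme_ok = origin.startswith(("https://", "http://"))
        if not scheme_ok or "/" in origin.split("://", 1)[-1] or "*" in origin:
            problems.append(f"not an origin: {origin!r}")
    if not isinstance(channel_id, int) or channel_id < 1:
        problems.append("channel_id must be an integer >= 1")
    if not isinstance(expires_at, int) or expires_at < 0:
        problems.append("expires_at must be a non-negative integer Unix timestamp in seconds")
    else:
        # Heuristic, not from the docs: a value above 2**32 cannot be a second-resolution
        # timestamp in this century, so it was almost certainly given in milliseconds.
        if expires_at > 2 ** 32:
            problems.append("expires_at looks like milliseconds; the endpoint takes seconds")
        elif expires_at <= int(now if now is not None else time.time()):
            problems.append("expires_at is already in the past")
    return problems


def build_create_request(store_hash, auth_token, channel_id, expires_at, allowed_cors_origins=()):
    """Return the POST .../storefront/api-token request as a dict; raises ValueError if invalid."""
    problems = check_create_params(channel_id, expires_at, allowed_cors_origins)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"channel_id": channel_id, "expires_at": expires_at}
    if allowed_cors_origins:
        body["allowed_cors_origins"] = list(allowed_cors_origins)
    headers = {
        "X-Auth-Token": auth_token,
        "Accept": "application/json",
        "Content-Type": "application/json",
    }
    return {"method": "POST", "url": API_URL.format(store_hash=store_hash),
            "headers": headers, "body": body}


def build_revoke_request(store_hash, auth_token, storefront_token):
    """Return the DELETE .../storefront/api-token request; the token to revoke rides in a header."""
    headers = {
        "X-Auth-Token": auth_token,
        "Accept": "application/json",
        "Sf-Api-Token": storefront_token,
    }
    return {"method": "DELETE", "url": API_URL.format(store_hash=store_hash),
            "headers": headers, "body": None}


def send(request):
    """Perform a built request with urllib and return the decoded JSON (network required)."""
    data = None if request["body"] is None else json.dumps(request["body"]).encode()
    req = urllib.request.Request(request["url"], data=data, headers=request["headers"],
                                 method=request["method"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder credentials; a short-lived token for one origin, then revoke it.
    create = build_create_request("STORE_HASH_PLACEHOLDER", "API_ACCOUNT_TOKEN_PLACEHOLDER",
                                  channel_id=1, expires_at=int(time.time()) + 24 * 3600,
                                  allowed_cors_origins=["https://shop.example.com"])
    print(json.dumps(create, indent=2))
    print(build_revoke_request("STORE_HASH_PLACEHOLDER", "API_ACCOUNT_TOKEN_PLACEHOLDER",
                               "STOREFRONT_JWT_PLACEHOLDER")["headers"])
```

Keeping expires_at short and binding the token to the one or two origins that actually serve the storefront limits what a token leaked from page source can do, and revoking through the DELETE endpoint ends that window early rather than waiting for expiry.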