Docs
Storefront authentication
Storefront API tokens

GraphQL Storefront API tokens

Get and manage tokens used to authenticate cross-origin requests to the GraphQL Storefront API.

Add a token creation scope to the store-level or app-level API account you use to generate tokens.

Storefront tokens

This type of token is the most appropriate to use from a web browser when you're serving a static site that only supports anonymous shopping. If you're creating a token for backend implementation, you wish to support signing in customers, or you're developing a frontend app that proxies requests, such as a NextJS app, use a customer impersonation token.

Customer impersonation tokens

Customer impersonation token-authenticated requests receive store information from the perspective of the customer with the ID specified in the X-Bc-Customer-Id header. The customer will automatically see the correct pricing, product availability, order history, and account details.

This special token is not necessary if you only wish to query information from an anonymous shopper's perspective.

Warning

Unless your frontend client proxies requests, attempts to authenticate from the brower using customer impersonation tokens will be rejected.

Additional information

Create a Token

POST /storefront/api-token

Request

Creates a Storefront API token.

Required Scopes

  • Manage Storefront API Tokens

Authentication

  • X-Auth-Token in header

Parameters

  • store_hash in path - string
  • Accept in header with default of application/json - string
    required
    The MIME type of the response body.
  • Content-Type in header with default of application/json - string
    required
    The MIME type of the request body.

Body

object | application/json

  • allowed_cors_origins    array[string]

    List of allowed domains for Cross-Origin Request Sharing. Currently accepts a maximum of two domains per created token.

  • channel_id    integer
    required

    Channel ID for requested token
    Min: 1
    Example: 1

  • expires_at    integer
    required

    Unix timestamp (UTC time) defining when the token should expire. Supports seconds, but does not support milliseconds, microseconds, or nanoseconds.
    Min: 0
    Example: 1885635176

example

{
"allowed_cors_origins": [
"string"
],
"channel_id": 1,
"expires_at": 1885635176
}

Response

Body

object | application/json

  • data    object

  • meta    object

    Response metadata.

example

{
"data": {
"token": "string"
},
"meta": {}
}

Revoke a Token

DELETE /storefront/api-token

Request

Revoke access for a Storefront API token. Only revoke compromised tokens under emergency situations. Let uncompromised short-lived tokens expire naturally, as you do not need to revoke these.

Authentication

  • X-Auth-Token in header

Parameters

  • store_hash in path - string
  • Accept in header with default of application/json - string
    required
    The MIME type of the response body.
  • Sf-Api-Token in header - string
    required
    An existing JWT token that you want to revoke.

example

curl --request DELETE \
--url 'https://api.bigcommerce.com/stores/[store_hash]/v3/storefront/api-token' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'X-Auth-Token: {{token}}'

Response

A storefront API token revocation has been scheduled.

See something you can improve? Edit this file on GitHub

Did you find what you were looking for?
OverviewCreate a Token