BigCommerce just lately launched non-public tokens as a brand new authentication commonplace for requests to the GraphQL Storefront API. On this walkthrough, we’ll summarize the aim of personal tokens and be sure to know what the implications are to your current and future integrations with the platform.
Going ahead, the usual storefront token is meant just for client-side requests to the GraphQL API (requests made instantly from a person’s browser), whereas a non-public token will likely be required for server-to-server situations.
This transformation marks an enchancment within the safety mannequin of the storefront API, in two respects:
-
A transparent separation within the supposed use instances for tokens reduces the potential of a token meant for a client-side utility being utilized in an exploitive means.
-
Personal tokens have a extra granular authorization mannequin, utilizing scopes to restrict their degree of entry.
The earlier sample
Till now, the identical storefront token kind — created through the REST Administration API with POST /v3/storefront/api-token — has been utilized in each client-side and server-side situations. The token is sure to a number of channels and an expiration date, and optionally to a listing of allowed_cors_origins when it is supposed for browser use. The identical token kind serves because the Bearer worth for the Authorization header in any GraphQL Storefront API requests.
-
Consumer-side requests: Browser-originating requests in client-side functions should embody a storefront token that was created with an acceptable
allowed_cors_originsworth. Particular person buyer context in this sort of request is tracked through a storefront session cookie, in situations the place similar origin is assured (corresponding to client-side scripts in a Stencil storefront). -
Server-side requests: “Stateless” requests produced from a server-side utility use the identical kind of token, however with no required
allowed_cors_originsworth. Buyer context is tracked through a separate Buyer Entry Token (CAT) — issued when a buyer authenticates and despatched within theX-Bc-Buyer-Entry-Tokenheader.
The brand new sample
The 2 situations described above proceed to perform in the identical means; solely the Bearer token kind has modified for server-side situations.
Consumer-side: unchanged
Customary storefront tokens stay created through POST /v3/storefront/api-tokensure to channels and CORS origins, and used to energy browser-based GraphQL requests precisely as they do right this moment. In case your storefront talks to the GraphQL Storefront API from the browser — Stencil or in any other case — nothing about that move adjustments.
Server-side: the brand new non-public token
The overall server-side workflow, together with using CATs for buyer context, additionally stays the identical. Nonetheless, a brand new REST endpoint, POST /v3/storefront/api-token-privatepoints non-public tokens for server-side requests.
The REST request physique appears to be like acquainted — channel binding and expiration are the identical — with one addition: each non-public token should declare its scopes.
After you have a non-public token, you employ it the identical means you employ a typical storefront token — through a “Bearer” worth within the Authorization header:
Buyer Entry Tokens work with non-public tokens precisely as they do with storefront tokens right this moment. In case your server-side code already authenticates clients and forwards their entry token within the X-Bc-Buyer-Entry-Token header, that sample carries over unchanged.
Scopes
Scopes prohibit which GraphQL fields a given non-public token can learn or mutate. Three can be found at launch:
-
Unauthenticated
-
Buyer
-
B2B
registerCompany.
What do I have to do?
For any client-side functions that combine with the GraphQL Storefront API, no motion is required.
Functions utilizing server-side requests to the storefront API ought to rotate to a non-public token created with the suitable scope(s). No additional adjustments to request move or construction are obligatory. (Observe that this contains headless storefronts the place GraphQL requests happen in a server-side layer.)
There are two deprecation dates to concentrate on as you replace server-side functions:
June 30, 2026 — First deprecation wave
After this date, newly issued storefront tokens can now not be used for server-to-server calls. In case your utility programmatically creates storefront tokens on demand and makes use of them from a backend, that is the date by which it should be issuing non-public tokens as an alternative.
March 31, 2027 — Second deprecation wave
After this date, the identical restriction extends to pre-existing storefront tokens. Any long-lived commonplace storefront token nonetheless getting used server-side will cease working as supposed. Functions that issued a storefront token as soon as and have been utilizing it from a backend ever since should rotate to a non-public token by this date.
Implications for Catalyst
Catalyst storefronts carry out GraphQL Storefront API requests from the Subsequent.js server-side layer.
-
New Catalyst storefronts: The Catalyst storefront provisioning course of now points non-public tokens. Sandbox storefronts and native improvement environments provisioned from that time ahead will likely be on the brand new sample by default — no service provider motion required. When taking your storefront to manufacturingbe sure to are utilizing the non-public token endpoint to generate a price for
BIGCOMMERCE_STOREFRONT_TOKENutilizing the scopesUnauthenticatedandBuyer. -
Current Catalyst storefronts: Retailers working Catalyst right this moment are utilizing a typical storefront token server-side. To remain forward of the March 31, 2027 second deprecation wave, these retailers might want to rotate the
BIGCOMMERCE_STOREFRONT_TOKENworth to a non-public token earlier than the deadline. Plan to provision a non-public token with the scopesUnauthenticatedandBuyerreplace the storefront’s surroundings configuration, and redeploy.
The Catalyst Unauthenticated Token
Observe that Catalyst 1.7 additionally introduces help for a second non-public token worth, saved within the surroundings variable BIGCOMMERCE_STOREFRONT_UNAUTHENTICATED_TOKEN. This elective worth ought to comprise a token generated solely with the Unauthenticated scope and is used solely for the brand new GraphQL proxy that permits accepted client-side libraries to make GraphQL Storefront API requests. This proxy system permits for first-party use of libraries like checkout-sdk-js in a safe means.
See the 1.7 launch notes for full particulars.
What about buyer impersonation tokens?
Builders who’re effectively aware of the GraphQL Storefront API might acknowledge the use case for personal tokens as much like that for the present buyer impersonation tokenwhich is solely for server-side use and has the elevated capacity to impersonate any buyer on the shop utilizing an X-Bc-Buyer-Id header.
Buyer impersonation tokens stay a sound kind of Bearer token for storefront API requests, and their habits stays unchanged. Observe, nonetheless, that this kind of token is extraordinarily delicate as a consequence of its elevated entry degree and is taken into account a legacy strategy. Utilizing non-public tokens together with CATs is a safer strategy with extra restricted buyer entry.
The ultimate phrase
Personal tokens, and the deprecation of normal storefront tokens for server-side functions, present a clearer segmentation of integration use instances, whereas scopes present a extra granular authorization mannequin. This new sample would not change something concerning the normal move and construction of GraphQL Storefront API requests. To your server-side integrations, make sure that to rotate your credentials to the brand new non-public token kind to maintain your functions working easily!
Key Useful resource: See the developer documentation for Storefront API tokens.
