GraphQL Storefront API tokens

Get and manage tokens used to authenticate cross-origin requests to the GraphQL Storefront API.

Add a token creation scope to the store-level or app-level API account you use to generate tokens.

Storefront tokens

Storefront tokens are designed for use from a web browser when you’re serving a static site that only supports anonymous shopping. Storefront tokens support CORS via allowed_cors_origins and are intended for browser-based applications. For server-to-server integrations, you must use private tokens instead.

Deprecation notice (storefront tokens and server-to-server)

Storefront tokens created after June 30th, 2026 will no longer support server-to-server (s2s) use. Storefront tokens created on or before June 30th, 2026 will continue to support s2s calls until March 31st, 2027, after which s2s will no longer be supported for those tokens. Use private tokens for server-to-server integrations.

Private tokens

Private tokens are designed for server-to-server integrations. They are always stateless (no session required) and provide better performance for server-to-server use cases. Private tokens are created using a separate endpoint (/storefront/api-token-private). The API will reject private token-authenticated requests that originate from web browsers.

Private tokens are sensitive and should never be exposed publicly. Treat them with the same care as other application secrets.

Customer impersonation tokens

Customer impersonation token-authenticated requests receive store information from the perspective of the customer with the ID specified in the X-Bc-Customer-Id header. The customer will automatically see the correct pricing, product availability, order history, and account details.

This special token is not necessary if you only wish to query information from an anonymous shopper’s perspective.

Unless your frontend client proxies requests through your own server, browser-originated requests that authenticate with a customer impersonation token will be rejected.

Additional information