Authentication
Guide to API accounts

API Accounts & OAuth Scopes

BigCommerce offers three types of OAuth-based API accounts to developers who wish to use BigCommerce's REST APIs: store-level credentials, app-level credentials, and account-level credentials. This article describes the difference between the three, how to obtain and revoke account credentials, and the use cases for each. It also contains a reference for available OAuth scopes and provides a compelling list of reasons to migrate from legacy API tokens to OAuth credentials.

In addition to authenticating REST APIs, BigCommerce API accounts are the fundamental authentication layer for all authenticated API requests. To learn more about different authentication schemes, see Authentication and Example Requests.

API accounts

Every parent set of API credentials that you request for your store is its own API account. At its simplest, an API account consists of the following:

  • The client_id uniquely identifies the app or user, or the client, making a request.
  • The client_secret is a cryptographically secure value known only to the client and BigCommerce.

Every active API account has at least one access_token. Store-level API accounts include a static access token that does not change. App-level API accounts expect each application to generate a unique access token for every store that installs the app. Account-level API accounts include a single access token that belongs to the parent account of the store that the user is signed in to at the time of creation.

Guard these values closely. The client ID and client secret will never change; access tokens do not expire based on time and cannot be manually invalidated. It's best practice to limit each account's OAuth scope to only the privileges needed to complete that app or user's designated tasks. Create separate API accounts for each app, store API user or function, or account-related implementation.

Store-level API accounts

Merchants generate single-store API credentials when they create API accounts in their store control panel, in the Settings > Store-level API accounts (opens in a new tab) menu. Use these credentials to read and change one store's data with BigCommerce's APIs. You can't change store-level access tokens or OAuth scopes.

In addition to the API account components in the preceding section, store-level API accounts contain the following attributes out of the box:

  • An access_token, which accompanies most REST API requests.
  • The client name is a label for your convenience, and it doesn't accompany requests.
  • The API path is the URL to which you make requests. The API path won't change, but it will have /v3/ or /v2/ appended to it, depending on the current version for the endpoint you're querying.

Most APIs that work with store-level API accounts use the access_token to authenticate requests to BigCommerce. However, a few use the access token to generate a temporary credential. To learn more about special cases that involve store-level credentials, read about Authentication and Example Requests and consult the documentation for the API you want to use.

🚫

Be careful with client secrets

Do not send your client_secret or access_token in plain text or an unencrypted payload. Be particularly careful with the client_secret. An attacker can use your client_secret to both sign and decrypt JWTs sent between you and BigCommerce.

Creating store-level API credentials

To create a store-level API account, consult our Knowledge Base article on Creating a Store API Account (opens in a new tab).

To get started making requests, see Getting Started.

Revoking store-level API credentials

To revoke store-level API credentials, you must delete the corresponding store API account. If the client_id and client_secret are compromised, or the account has become unnecessary, secure your account by deleting the API account. You cannot recover a deleted API account, so take care.

🚫

Delete carefully

Deleting an account cannot be undone, so be sure before clicking the trash can icon. You can also use the checkboxes on the left side to delete multiple accounts at once – but be especially careful when using this option.

To delete a store-level API account, consult our Knowledge Base article on Deleting a Store API Account (opens in a new tab).

⚠️

Don't forget your webhooks and metafields

Some resources are only accessible to the API account that created them. These include webhooks, metafields, and scripts. If you need to revoke a store-level API account, plan accordingly.

App-level API accounts

You can create app-level API accounts in the Developer Portal (opens in a new tab). After a store owner or authorized user installs and authorizes an app, most apps use access tokens generated from the API account's client ID, client secret, and a temporary grant code to read and change store data. Generate access tokens with the BigCommerce-initiated grant code authorization flow.

Some APIs use app-level API accounts to implement alternative authentication patterns. For a summary of all our authentication methods, see Authentication and Example Requests.

For more on working with apps, see our Guide to Building Apps. The sections on Implementing OAuth and Callback Handlers are particularly relevant to generating access tokens.

Creating app-level API credentials

To create an app and its associated API account, consult our article on Managing Apps in the Developer Portal.

App-level access tokens

App-level API accounts do not come pre-configured with an access token. Each time a store installs your app, BigCommerce initiates a grant code authorization flow to help your app generate a dedicated access token for that store. For further details, see Authenticating an app.

Revoking app-level API credentials

There is no way to manually revoke or force-regenerate app-level API account access tokens. However, either of the following actions triggers a token refresh:

  • When the store owner's email address changes
  • When you modify the app API account's OAuth scopes

After one of these changes, the store owner will be prompted to review the change and reauthorize the app the next time they click the app icon in the store control panel.

🚫

Delete apps carefully

When you delete an app in the Dev Portal (opens in a new tab), there is no way to recover the client ID or client secret. If you choose to do this, don't forget to mitigate the potential loss of webhook and metafield-related data and functionality.

To delete an app-level API account, consult our article on Managing Apps in the Developer Portal.

Account-level API accounts

Account-level API accounts are designed to work with the GraphQL Account API, which manages resources beyond the scope of a single store. For example, managing control panel users in the BigCommerce ecosystem. Current and future features available using the GraphQL Account API toolset allow developers to build custom integrations and solutions that require high-level access to store and platform resources. Using this API, you can integrate with third-party applications, streamline and automate business processes, and manage multiple merchant stores per account.

Creating account-level credentials

To create an account-level API account visit the account control panel (opens in a new tab) or the store control panel for a member store at Settings > Account-level API accounts (opens in a new tab).

To learn more about creating an account-level API account, consult our Knowledge Base article on API Accounts (opens in a new tab).

When you create account-level credentials, they belong to the parent account for the store you're signed in to.

Account-level API credentials provide direct access to all the account's stores, not just the store that was signed in at the time of creation. Their permissions are limited only by the OAuth scopes they were granted at the time of creation. Keep the access token and client secret secure.

Revoking account-level API credentials

An account-level access token is valid until the account is no longer active. However, you can manually delete account-level credentials.

⚠️

Deleting API accounts is risky and must be done with caution. Only users who have the correct permissions can perform this action.

To delete an account-level API account, visit the account control panel (opens in a new tab) and find the account you want to delete in the list. Click the three dots in the Action column, then click Delete. Follow any prompts that appear.

Choosing the right kind of API account

Where both types of API account are supported, review the preceding sections to make an informed choice about which best fits your use case. In the following table, links go to the relevant section of our Authentication and Example Requests article.

API or Use CaseStore-level API accountApp-level API accountAccount-level API account
GraphQL Account API, including Users×
GraphQL Admin API××
GraphQL Storefront API×
REST Store Management APIs××
REST Storefront API×
Customer Login API×
Current Customer API×
Payments API××
Apps that host REST Provider APIs (provider apps)×
Apps that create App Extensions×
Apps hosted in the store control panel (single-click apps)×
Manual connection between a third-party app and a store××
Single-store frontend scripts×

Migrating from legacy to OAuth

⚠️

Legacy API Accounts

BigCommerce no longer issues legacy API Accounts to new stores. Existing legacy API Accounts will continue to work until further notice. Migrate to OAuth as soon as possible.

Benefits of migrating to OAuth

We recommend migrating from legacy API credentials to OAuth, if you haven't already. Migration provides a wealth of benefits, including the following:

  • Unified requests: Send all OAuth requests to a single URL: https://api.bigcommerce.com. Using a common hostname prevents interruptions of service when a store's domain or SSL/TLS certificate changes or expires.

  • Latest and greatest APIs: BigCommerce’s V3 APIs are accessible exclusively with OAuth.

  • Webhook subscriptions: OAuth API accounts can subscribe to real-time event notifications using BigCommerce’s webhooks.

  • Shared secrets: Use new APIs and endpoints that require shared secrets, including the Customer Login and Current Customer APIs.

  • Zippier responses: Responses to OAuth requests use gzip compression and less of your bandwidth.

  • Better security with granular permissions: All OAuth tokens are scoped to specific operations and endpoints. If you suspect a breach, you will know which resources could be affected.

How to migrate

Before you update your API connections to use OAuth instead of legacy basic authentication, take the following actions:

  • Create an API account appropriate to your use case. Keeping in mind the API endpoints your connections use, create either a store API account or an app API account per the preceding instructions. To adhere to industry-standard security practices, configure the account with the minimum OAuth scopes for your use case. If you're using an app API account, you can always modify the scope later.
  • If you use one of our client libraries, consult the library’s documentation for establishing an optimal OAuth configuration.
  • After you create your connection, update your connection parameters as follows:
    • Use https://api.bigcommerce.com as the gateway URL instead of the BigCommerce store’s secure hostname. For example, route requests that formerly went to https://store-{{store_hash}}.mybigcommerce.com/api/v2/orders/{{order_id}} or https://my-custom-store-domain.com/api/v2/orders/{{order_id}} will now use https://api.bigcommerce.com/stores/{{store_hash}}/v2/orders/{{order_id}}.
    • Rewrite your HTTP request headers to use the X-Auth-Token header to pass the API account's access_token instead of the Authorization header. For more information, see Authentication.

Rate limiting works differently for OAuth API connections. For details, see the Rate Limits section of our API best practices article.

OAuth scopes

Scope grants and limits a program's ability to read and write data. Set the scopes to the minimum level of access your implementation needs.

All OAuth scopes except default provide read-only permissions scopes so that you can limit some accounts to sending GET and HEAD requests.

Webhooks are accessible from the default scope that is automatically accessible to all API accounts.

Token creation scopes

UI NamePermissionParameterDescriptionEndpoints
Create Paymentsmodifystore_payments_access_token_createCreate payment access tokens, process paymentsPayments, Access Tokens
Payments, Process Payment
Storefront API Tokensmodifystore_storefront_apiCreate GraphQL Storefront API bearer tokensStorefront API Token V3
Storefront API Customer Impersonation Tokensmodifystore_storefront_api_customer_impersonationCreate GraphQL Storefront API bearer tokens that allow customer impersonationStorefront API Token V3, Customer Impersonation

Store resource scopes

UI NamePermissionParameterDescriptionResources
App Extensionsmanagestore_app_extensions_manageManage App Extensions; requires an app-level API accountGraphQL Admin API
Cartsmodifystore_cartView and modify cartsCarts V3
Cartsread-onlystore_cart_read_onlyView cartsCarts V3
Channel Settingsmodifystore_channel_settingsView and modify a list of channelsChannels V3
Channel Settingsread-onlystore_channel_settings_read_onlyView a list of channelsChannels V3
Channel Listingsmodifystore_channel_listingsView and modify a list of all channel listings for a particular channelChannels V3, Listings
Channel Listingsread-onlystore_channel_listings_read_onlyView a list of all channel listings for a particular channelChannels V3, Listings
Checkoutsmodifystore_checkoutView and modify a checkoutCheckouts V3
Checkoutsread-onlystore_checkout_read_onlyView checkout contentCheckouts V3
Checkout Contentmodifystore_content_checkoutView and modify content on checkout pagesScripts V3
Checkout Contentread-onlystore_content_checkout_read_onlyView content on checkout pagesScripts V3
Contentmodifystore_v2_contentView and modify store contentPages V2
Blog V2
Redirects V2
Widgets V3
Contentread-onlystore_v2_content_read_onlyView store contentPages V2
Blog V2
Redirects V2
Widgets V3
Customersmodifystore_v2_customersView and modify customer informationCustomers V2
Customer Groups V2
Subscribers V3
Wishlists V3
Customersread-onlystore_v2_customers_read_onlyView customer informationCustomers V2
Customer Groups V2
Subscribers V3
Wishlists V3
Customers Loginmodifystore_v2_customers_loginSign customers in to your storefrontCustomer Login API
Fulfillment Methodsmodifystore_fulfillment_methods_manageView and modify order fulfillment methodsPickup Methods V3
Pickup Options V3
Fulfillment Methodsread-onlystore_fulfillment_methods_read_onlyView order fulfillment methodsPickup Methods V3
Pickup Options V3
Information & Settingsmodifystore_v2_informationView and modify store information and settingsStore Information V2
Time V2
Settings V3
Information & Settingsread-onlystore_v2_information_read_onlyView general store information and settingsStore Information V2
Time V2
Settings V3
Marketingmodifystore_v2_marketingView and modify marketing informationCoupons V2
Gift Certificates V2
Banners V2
Promotions V3
Marketingread-onlystore_v2_marketing_read_onlyView marketing informationCoupons V2
Gift Certificates V2
Banners V2
Metafield Ownershipmanagestore_metafield_change_ownerManage which API accounts own metafields.GraphQL Admin API
Metafields Accessstandardstore_metafield_writeDefault. Create and manage metafields belonging to the API account making the request.All endpoints and APIs that manage metafields, including the GraphQL Admin API.
Metafields Accessfullstore_metafield_write_allManage all metafields for the store, regardless of the API account that created them. Includes metafields that have app_only permissions.All endpoints and APIs that manage metafields, including the GraphQL Admin API.
Ordersmodifystore_v2_ordersView and modify ordersOrders V2
Order Status V2
Ordersread-onlystore_v2_orders_read_onlyView ordersOrders V2
Order Status V2
Order Fulfillmentmodifystore_order_fulfillment_manageView and modify order fulfillmentsPickup V3
Order Fulfillmentread-onlystore_order_fulfillment_read_onlyView order fulfillmentsPickup V3
Order Transactionsmodifystore_v2_transactionsView and modify order transactionsOrders V3, Transactions
Order Transactionsread-onlystore_v2_transactions_read_onlyView order transactionsOrders V3, Transactions
Payments - Get accepted methodsread-onlystore_payments_methods_readGet a list of payment methodsPayments - Get accepted methods
Productsmodifystore_v2_productsView and modify products, brands, categories, and other product information.Catalog V3
Price Lists V3
Productsread-onlystore_v2_products_read_onlyView productsCatalog V3
Price Lists V3
Sites & Routesmodifystore_sitesView and modify sites and routesSites V3, Routes, Certificates
Channels V3 Sites
Sites & Routesread-onlystore_sites_read_onlyView external storefronts with non-BigCommerce URLsSites V3, Routes, Certificates
Channels V3 Sites
Store Inventorymodifystore_inventoryView and modify store inventoryInventory V3
Store Inventoryread-onlystore_inventory_read_onlyView store inventoryInventory V3
Store Locationsmodifystore_locationsView and modify store locationsLocations V3
Store Locationsread-onlystore_locations_read_onlyView store locationsLocations V3
Stored Payment Instrumentsread-onlystore_stored_payment_instruments_read_onlyView stored payment instrumentsStored Instruments V3
Stored Payment Instrumentsmodifystore_stored_payment_instrumentsView and modify stored payment instrumentsStored Instruments V3
Themesmodifystore_themes_manageView and modify themesThemes V3
Themesread-onlystore_themes_read_onlyView themesThemes V3

Account resource scopes

UI NamePermissionParameterDescriptionResources
Accountread-onlyaccount_readView account detailsGraphQL Account API
Account Appsread-onlyaccount_apps_readView the apps associated with an accountGraphQL Account API
Account Storesread-onlyaccount_stores_readView the stores associated with an accountGraphQL Account API
Account Usersread-onlyaccount_users_readView the users associated with an accountGraphQL Account API
Account Userswriteaccount_users_writeAdd and update usersGraphQL Account API
Account Usersdeleteaccount_users_deleteRemove a user from an accountGraphQL Account API

Resources

Did you find what you were looking for?