Authentication
Introduction
Requests to the B2B Edition Storefront API are either anonymous or authenticated, depending on whether or not it requires access to a Company user’s data.
For example, you can create a Company account (opens in a new tab) anonymously because the action can be performed by a shopper without a user account, but creating a Shopping List (opens in a new tab) must be authenticated since the action is tied to a particular Company account and user.
The B2B Edition Storefront API includes endpoints to generate an authToken with or without specifying an existing Company user. Use the appropriate endpoint to authenticate your requests to Storefront REST APIs and StorefrontGraphQL APIs. Note that storefront authTokens expire after 1 day.
The BigCommerce GraphQL Storefront API (opens in a new tab) requires different authentication tokens for client- and server-side contexts. With the B2B GraphQL API, authentication tokens are always in the context of a specific user, and they don’t rely on storefront cookies.
As a result, these can be used in a client-side and server-side context. This means that you don’t have to change your authentication strategy for requests from the client or a server.
While the Storefront authentication endpoints can be used in either experience, it is best practice to get storefront authTokens via the GraphQL login and authorization mutations if you are developing on the Buyer Portal experience.
The legacy Stencil storefront experience is built to use Storefront endpoints instead of GraphQL mutations, but it can also use GraphQL for authentication-based customizations. For more information on GraphQL structure and usage, see the GraphQL Playground (opens in a new tab).
Get Storefront authToken within Stencil
POST https://api-b2b.bigcommerce.com/api/v2/loginRequest
Uses a JSON web token (JWT) from a particular customer or Company user who is currently logged in to the storefront to create a storefront authToken for future requests.
To learn more about how you can retrieve a JWT to create a storefront authToken. See Authentication for hosted storefronts.
Equivalent Storefront GraphQL API Mutation: authorization
.
Example GraphQL API Body
mutation {
authorization(
authData: {
bcToken: "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImtpZG8yNzZAc25hcG1haWwuY2MiLCJzdG9yZV9oYXNoIjoiMWk2enB4cGUzZyIsImRiIjoiZGVmYXVsdCIsIm5hbWUiOiJ0ZXN0OSIsImNoYW5uZWxfaWRzIjpbMV0sInRva2VuX3R5cGUiOjMsIm5iZiI6MTAwMCwiZXhwIjoyMDAxfQ.EiR__LVAlBVNYtFCZPWJYoPv6UfGiXtULxhK-BCQZjY",
channelId: 1
}
) {
result {
token
}
}
}
Example GraphQL API Response
{
"data": {
"authorization": {
"result": {
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImtpZG8yNzZAc25hcG1haWwuY2MiLCJzdG9yZV9oYXNoIjoiMWk2enB4cGUzZyIsImRiIjoiZGVmYXVsdCIsIm5hbWUiOiJ0ZXN0OSIsImNoYW5uZWxfaWRzIjpbMV0sInRva2VuX3R5cGUiOjMsIm5iZiI6MTAwMCwiZXhwIjoyMDAxfQ.EiR__LVAlBVNYtFCZPWJYoPv6UfGiXtULxhK-BCQZjY"
}
}
}
}
Body
bcTokenstring
requiredThe JSON Web Token (JWT) obtained from a signed-in Company user. See Current Customer API to learn how to request a JWT.Example: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImtpZG8yNzZAc25hcG1haWwuY2MiLCJzdG9yZV9oYXNoIjoiMWk2enB4cGUzZyIsImRiIjoiZGVmYXVsdCIsIm5hbWUiOiJ0ZXN0OSIsImNoYW5uZWxfaWRzIjpbMV0sInRva2VuX3R5cGUiOjMsIm5iZiI6MTAwMCwiZXhwIjoyMDAxfQ.EiR__LVAlBVNYtFCZPWJYoPv6UfGiXtULxhK-BCQZjYstoreHashstring
The unique store hash for the BigCommerce store.>= 1 charactersExample: 1234abcdchannelIdnumber
The storefront channel ID associated with the storefront login session. Use 1 for your store’s default storefront channel.Example: 1000234Default: 1
customerIdinteger
The BigCommerce customer ID associated with a Company user.Example: 1234
example
Response
Body
codenumber
Default: 200
dataobject
example
Get a Storefront authToken for a Specific Customer
POST https://api-b2b.bigcommerce.com/api/io/auth/customersRequest
Validates a Company user’s login credentials to create a storefront authToken that can be queried for future GraphQL requests.
Equivalent Storefront GraphQL API Mutation: login
The GraphQL API mutation also allows you to return a storefrontLoginToken
. This retrieves a JWT, which can be passed to the BigCommerce Customer Login endpoint in order to log a customer in with a Stencil storefront session.
The login
response also includes information related to the Company user, such as their name and their account’s internal identifiers.
Note: the resulting storefront authToken is tied to the Company user, and their assigned user role determines whether or not further requests are authorized. For example, if you generate an authToken for a user who does not have the create_address
permission enabled, using the token to validate the GraphQL API addressCreate
mutation will result in an error.
For a complete list of Company user permissions and their scopes, see Company Roles and Permissions.
Example GraphQL API Body
With Storefront authToken only
mutation {
login(
loginData: {
storeHash: "1234abcd",
email: "axe@snapmail.cc",
password: "MyPassword123"
}
) {
result {
token
user {
id
bcId
firstName
lastName
email
}
}
}
}
With Storefront authToken and storefrontLoginToken
mutation {
login(
loginData: {
storeHash: "1234abcd",
email: "axe@snapmail.cc",
password: "MyPassword123"
}
) {
result {
token
storefrontLoginToken
user {
id
bcId
firstName
lastName
email
}
}
}
}
Example GraphQL API Responses
With Storefront authToken only
{
"data": {
"login": {
"result": {
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InRlc3RfYjJjX29yZGVyX2ltcG9ydEBxcS5jb21tIiwic3RvcmVfaGFzaCI6ImYyb3N4ampueGoiLCJkYiI6ImRlZmF1bHQifQ",
"user": {
"id": "8889911",
"bcId": 28,
"firstName": "B2B",
"lastName": "User",
"email": "user@example.com"
}
}
}
}
}
With Storefront authToken and storefrontLoginToken
{
"data": {
"login": {
"result": {
"token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6InRlc3RfYjJjX29yZGVyX2ltcG9ydEBxcS5jb21tIiwic3RvcmVfaGFzaCI6ImYyb3N4ampueGoiLCJkYiI6ImRlZmF1bHQifQ",
"storefrontLoginToken": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJlbWFpbCI6ImtpZG8yNzZAc25hcG1haWwuY2MiLCJzdG9yZV9oYXNoIjoiMWk2enB4cGUzZyIsImRiIjoiZGVmYXVsdCIsIm5hbWUiOiJ0ZXN0OSIsImNoYW5uZWxfaWRzIjpbMV0sInRva2VuX3R5cGUiOjMsIm5iZiI6MTAwMCwiZXhwIjoyMDAxfQ.EiR__LVAlBVNYtFCZPWJYoPv6UfGiXtULxhK-BCQZjY",
"user": {
"id": "8889911",
"bcId": 28,
"firstName": "B2B",
"lastName": "User",
"email": "user@example.com"
}
}
}
}
}
Body
storeHashstring
requiredThe unique store hash for the BigCommerce store.>= 1 charactersExample: 1234abcdchannelIdnumber
requiredThe storefront channel ID associated with the storefront login session. Use 1 for your store’s default storefront channel.Example: 1000234Default: 1
namestring
requiredThe internal name assigned to the generated storefront authToken.>= 1 charactersExample: customer storefront tokenemailstring
requiredThe email address associated with the user's account.>= 1 charactersExample: user@example.compasswordstring
requiredThe password associated with the user's account.>= 1 charactersExample: MyPassword123beginAtinteger
The Unix timestamp indicating when the storefront authToken starts being valid.Example: 1721900486endAtinteger
The Unix timestamp indicating when the storefront authToken is no longer valid.Example: 1721900486
example
Response
Body
codenumber
Default: 200
dataobject
example
See something you can improve? Edit this file on GitHub