Authentication

Introduction

Requests to the B2B Edition Storefront API are either anonymous or authenticated, depending on whether the request requires access to a Company user’s data.

For example, you can create a Company account anonymously because a shopper without a user account can perform that action, but creating a Shopping List must be authenticated because the action is tied to a particular Company account and user.

The B2B Edition Storefront API includes endpoints to generate an authToken with or without specifying an existing Company user. Use the appropriate endpoint to authenticate your requests to Storefront REST APIs and Storefront GraphQL APIs. Note that storefront authTokens expire after 1 day.

The BigCommerce GraphQL Storefront API requires different authentication tokens for client- and server-side contexts. With the B2B GraphQL API, authentication tokens are always in the context of a specific user, and they don’t rely on storefront cookies.

As a result, these tokens can be used in both client-side and server-side contexts, so you don’t have to change your authentication strategy depending on whether a request comes from the client or from a server.

While the Storefront authentication endpoints can be used in either experience, it is best practice to get storefront authTokens via the GraphQL login and authorization mutations if you are developing on the Buyer Portal experience.

The legacy Stencil storefront experience is built to use Storefront endpoints instead of GraphQL mutations, but it can also use GraphQL for authentication-based customizations. For more information on GraphQL structure and usage, see the GraphQL Playground.

Get Storefront authToken within Stencil


Get a Storefront authToken for a Specific Customer
