The storefront API uses JWT tokens (access tokens) to authenticate requests. You can obtain an access token using either your API key or a session token.

Your API keys carry many privileges, so be sure to keep them secure. Don't share your secret API keys in publicly accessible areas such as GitHub, client-side code, and so forth.

A customer always lands on the portal with a session token. They can receive this token through several flows, such as email notifications, a generated magic link, or reactivation campaigns.

The following diagram shows how the session token is used to gain access to the portal.

Storefront Auth Flow

Tokens

  • Session token: entry token; expires after 1 day
  • Access token: auth token sent with every storefront API call; expires after 4 days
  • Refresh token: used to rotate the access token; expires after 30 days

A session token is exchanged for a refresh token and an access token in a single API call, which saves one API call per new login. Afterwards, the refresh token is used to rotate the access token, i.e. to obtain a fresh access token without a new login.

The access token is sent as a bearer token in the Authorization header, for example:

--header 'Authorization: Bearer accessToken' \
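The token flow described above, as an added example of how a client would drive it; this is illustration code, not the storefront's own SDK. The endpoint paths (`/auth/session`, `/auth/refresh`), the JSON field names (`sessionToken`, `accessToken`, `refreshToken`), the 60-second rotation skew and the HS256-signed fake server that stands in for the API are all assumptions made so the example runs offline; the three lifetimes (1 day, 4 days, 30 days) are the ones stated on the page. The client reads the JWT `exp` claim only to decide when to rotate; it does not verify signatures, because that is the server's job.

```python
# Client-side handling of the storefront token flow (added example; endpoint
# paths, field names and the fake server are assumptions, lifetimes are from the page).
import base64, hashlib, hmac, json, time
from typing import Callable, Dict

SESSION_TTL = 1 * 24 * 3600   # session token: 1 day   (from the page)
ACCESS_TTL = 4 * 24 * 3600    # access token: 4 days   (from the page)
REFRESH_TTL = 30 * 24 * 3600  # refresh token: 30 days (from the page)

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def _jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWT; only the constructed fake server calls this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def jwt_expiry(token: str) -> int:
    """Read `exp` without verifying the signature: the client uses it only to
    decide when to rotate; the server still verifies every token it receives."""
    return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"])

class StorefrontAuth:
    """Keeps the refresh/access pair and rotates the access token before expiry."""

    def __init__(self, post: Callable[[str, dict], dict], now: Callable[[], float] = time.time):
        self._post, self._now = post, now   # transport injected so this runs offline
        self.access_token = self.refresh_token = None

    def login(self, session_token: str) -> str:
        """One call exchanges the session token for both tokens, as the page describes."""
        resp = self._post("/auth/session", {"sessionToken": session_token})  # path assumed
        self.access_token, self.refresh_token = resp["accessToken"], resp["refreshToken"]
        return self.access_token

    def rotate(self) -> str:
        """Use the refresh token to obtain a fresh access token."""
        resp = self._post("/auth/refresh", {"refreshToken": self.refresh_token})  # path assumed
        self.access_token = resp["accessToken"]
        return self.access_token

    def auth_header(self, skew: int = 60) -> Dict[str, str]:
        """Bearer header for a storefront API call; rotates if within `skew` s of expiry."""
        if self.access_token is None:
            raise RuntimeError("call login() with a session token first")
        if jwt_expiry(self.access_token) - self._now() <= skew:
            self.rotate()
        return {"Authorization": f"Bearer {self.access_token}"}

def make_fake_server(clock: Callable[[], float], secret: bytes = b"constructed-demo-secret"):
    """Constructed stand-in for the two auth endpoints; enforces the page's lifetimes."""
    sessions = {"sess-demo": clock() + SESSION_TTL}   # one pre-issued session token
    live_refresh = set()

    def mint(kind: str, ttl: int) -> str:
        return _jwt({"typ": kind, "exp": int(clock() + ttl)}, secret)

    def post(path: str, body: dict) -> dict:
        if path == "/auth/session":
            exp = sessions.get(body.get("sessionToken"))
            if exp is None or exp < clock():
                raise PermissionError("invalid or expired session token")
            rt = mint("refresh", REFRESH_TTL)
            live_refresh.add(rt)
            return {"accessToken": mint("access", ACCESS_TTL), "refreshToken": rt}
        if path == "/auth/refresh":
            rt = body.get("refreshToken")
            if rt not in live_refresh or jwt_expiry(rt) < clock():
                raise PermissionError("invalid or expired refresh token")
            return {"accessToken": mint("access", ACCESS_TTL)}
        raise KeyError(path)
    return post

def demo() -> dict:
    """Walk the flow on a controllable clock and return the observable outcomes."""
    t = [1_700_000_000]
    client = StorefrontAuth(make_fake_server(lambda: t[0]), now=lambda: t[0])
    first = client.login("sess-demo")
    before = client.auth_header()
    t[0] += ACCESS_TTL - 30          # 30 s before the access token expires
    after = client.auth_header()     # rotates via the refresh token
    return {"rotated": before != after,
            "access_ttl": jwt_expiry(first) - 1_700_000_000,
            "refresh_ttl": jwt_expiry(client.refresh_token) - 1_700_000_000,
            "bearer": after["Authorization"].startswith("Bearer ")}

def expired_session_rejected() -> bool:
    """A session token older than one day must not yield an access token."""
    t = [0]
    client = StorefrontAuth(make_fake_server(lambda: t[0]), now=lambda: t[0])
    t[0] = SESSION_TTL + 1
    try:
        client.login("sess-demo")
    except PermissionError:
        return True
    return False
```

`demo()` performs the single login call, then advances the clock to just before the four-day access expiry so that `auth_header()` rotates through the refresh token; `expired_session_rejected()` shows the one-day session token being refused once stale. In a real client, replace `make_fake_server` with an HTTP transport that posts to the storefront endpoints and keep the refresh token out of client-side code, for the same reason the page gives for API keys.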