BigCommerce Docs

Creates a Storefront API token. This endpoint creates storefront tokens that support CORS via allowed_cors_origins and are intended for browser-based applications.

For server-to-server integrations, you must use the private token endpoint instead.

Required Scopes

Manage Storefront API Tokens

NOTE: While neither channel_id nor channel_ids is labelled as required, one must be included in the request body. Including neither will throw an error, and including both will result in unexpected behaviors.

Creates a Storefront API token. This endpoint creates storefront tokens that support CORS via `allowed_cors_origins` and are intended for browser-based applications. For server-to-server integrations, you must use the [private token endpoint](#operation/createPrivateToken) instead. **Required Scopes** * `Manage` `Storefront API Tokens` > NOTE: While neither `channel_id` nor `channel_ids` is labelled as required, one must be included in the request body. Including neither will throw an error, and including both will result in unexpected behaviors.

Authentication

X-Auth-Tokenstring

OAuth scopes

UI Name	Permission	Parameter
Storefront API Customer Impersonation Tokens	manage	`store_storefront_api_customer_impersonation`
Storefront API Tokens	manage	`store_storefront_api`

Authentication header

Header	Argument	Description
`X-Auth-Token`	`access_token`	For more about API accounts that generate `access_token`s, see our Guide to API Accounts.

### OAuth scopes | UI Name | Permission | Parameter | |:--------|:-----------|:----------| | Storefront API Customer Impersonation Tokens | manage | `store_storefront_api_customer_impersonation` | | Storefront API Tokens | manage | `store_storefront_api` | ### Authentication header | Header | Argument | Description | |:-------|:---------|:------------| | `X-Auth-Token` | `access_token` | For more about API accounts that generate `access_token`s, see our [Guide to API Accounts](/developer/docs/overview/api-fundamentals/api-accounts). | ### Further reading For example requests and more information about authenticating BigCommerce APIs, see [Authentication and Example Requests](/developer/docs/overview/api-fundamentals/api-accounts). For more about BigCommerce OAuth scopes, see our [Guide to API Accounts](/developer/docs/overview/api-fundamentals/api-accounts#oauth-scopes).

Path parameters

store_hashstringRequired

Permanent ID of the BigCommerce store.

Request

This endpoint expects an object.

expires_atintegerRequired>=0

Unix timestamp (UTC time) defining when the token should expire. Supports seconds, but does not support milliseconds, microseconds, or nanoseconds.

allowed_cors_originslist of stringsOptional

List of allowed domains for Cross-Origin Request Sharing. Currently accepts a maximum of two domains per created token.

Response

dataobject

metaobject

Response metadata.

$	curl -X POST https://api.bigcommerce.com/stores/store_hash/v3/storefront/api-token \
>	-H "X-Auth-Token: <apiKey>" \
>	-H "Content-Type: application/json" \
>	-d '{
>	"expires_at": 1711929600,
>	"allowed_cors_origins": [
>	"https://www.example-storefront.com"
>	],
>	"channel_ids": [
>	101,
>	205
>	]
>	}'

1	{
2	"data": {
3	"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkV4YW1wbGUgU3RvcmVmb250IFRva2VuIiwiaWF0IjoxNjc4MjQwMDAwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
4	},
5	"meta": {}
6	}