BigCommerce Docs

Required Scopes

Manage Storefront API Tokens

NOTE: While neither channel_id nor channel_ids is labelled as required, one must be included in the request body. Including neither will throw an error, and including both will result in unexpected behaviors.

Creates a private token for server-to-server integrations. Private tokens are always stateless (no session required) and provide better performance for server-to-server use cases. The API will reject private token-authenticated requests that originate from web browsers. **Required Scopes** * `Manage` `Storefront API Tokens` > NOTE: While neither `channel_id` nor `channel_ids` is labelled as required, one must be included in the request body. Including neither will throw an error, and including both will result in unexpected behaviors.

Authentication

X-Auth-Tokenstring

OAuth scopes

UI Name	Permission	Parameter
Storefront API Customer Impersonation Tokens	manage	`store_storefront_api_customer_impersonation`
Storefront API Tokens	manage	`store_storefront_api`

Authentication header

Header	Argument	Description
`X-Auth-Token`	`access_token`	For more about API accounts that generate `access_token`s, see our Guide to API Accounts.

### OAuth scopes | UI Name | Permission | Parameter | |:--------|:-----------|:----------| | Storefront API Customer Impersonation Tokens | manage | `store_storefront_api_customer_impersonation` | | Storefront API Tokens | manage | `store_storefront_api` | ### Authentication header | Header | Argument | Description | |:-------|:---------|:------------| | `X-Auth-Token` | `access_token` | For more about API accounts that generate `access_token`s, see our [Guide to API Accounts](/developer/docs/overview/api-fundamentals/api-accounts). | ### Further reading For example requests and more information about authenticating BigCommerce APIs, see [Authentication and Example Requests](/developer/docs/overview/api-fundamentals/api-accounts). For more about BigCommerce OAuth scopes, see our [Guide to API Accounts](/developer/docs/overview/api-fundamentals/api-accounts#oauth-scopes).

Request

This endpoint expects an object.

expires_atintegerRequired>=0

Unix timestamp (UTC time) defining when the token should expire. Supports seconds, but does not support milliseconds, microseconds, or nanoseconds.

scopeslist of enumsRequired

Access scope identifiers. Required for private tokens. Include all scopes required by the GraphQL fields you need.

Allowed values:

Response

dataobject

metaobject

Response metadata.

1	curl -X POST https://api.bigcommerce.com/stores/store_hash/v3/storefront/api-token-private \
2	-H "X-Auth-Token: <apiKey>" \
3	-H "Content-Type: application/json" \
4	-d '{
5	"expires_at": 1711929600,
6	"scopes": [
7	"Unauthenticated"
8	],
9	"channel_ids": [
10	101,
11	205
12	]
13	}'

1	{
2	"data": {
3	"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdG9yZWZyb250X3VzZXIiLCJleHAiOjE3MTE5Mjk2MDAsImlhdCI6MTY4OTY0MzIwMH0.4X9v1J7Q9vX9v1J7Q9vX9v1J7Q9vX9v1J7Q9vX9v1J7Q"
4	},
5	"meta": {}
6	}