The login mutation in the GraphQL Storefront API serves to authenticate a set of customer credentials. When using the login mutation in a server-to-server context, the mutation will return a customer access token.
If the login mutation request is from a browser, a customer access token will not be returned. Instead, the authenticated session state will be tracked by a cookie.
The customer access token will be returned if authentication is successful. Otherwise, an error will be returned in the typical GraphQL response format.
When multi-channel support is enabled for a store, the GraphQL request context, store settings, and assigned customer channels are all important for customer authentication.
login mutation is authenticating a customer for.allow_global_logins, which determines whether login is allowed for customer accounts not assigned to that channel. If this setting is TRUE for the channel you’re logging in on, authentication will succeed regardless of the customer’s assigned channels.channel_ids field includes that channel.The error message returned will not indicate whether customer authentication failed because of incorrect credentials or because the customer is not authorized for the channel.
The allow_global_logins setting can only be inspected and set using the REST Management API.
The current customer context is important for a number of GraphQL operations. As previously noted, the basic customer details fetched with the customer query is based on this context rather than any explicit argument.
The customer context is established in one of two ways:
SHOP_SESSION_TOKEN cookie is authenticated with the customer account on a successful login mutation. Subsequent requests then receive this customer context when this cookie is included. As a reminder, it is recommended not to rely on this cookie in your storefront implementation, including for customer session state.X-Bc-Customer-Access-Token establishes the customer on whose behalf the request is made.The Authorization: Bearer token differs depending on context. Client-side requests use a Storefront Token (generated via /v3/storefront/api-token), while server-side requests use a Private Token (generated via /v3/storefront/api-token-private).
The following is an example request with a customer access token.
POST https://{{storeDomain}}/graphql
Headers:
Body:
Note that you can use a customer impersonation token to perform queries or mutations on behalf of any customer by using their userId, but the more secure option is to use the customer access token as shown in the example above. A customer impersonation token must only be used in server-side contexts where they will not be publicly exposed.
So far, we’ve examined the relevance of the current customer context to the basic customer query. However, any query or mutation involving potentially customer-specific data will be affected by the same context mechanism.
Including the X-Bc-Customer-Access-Token header in GraphQL requests will have effects in scenarios like the following.
site.categoryTree query. Products not assigned to a category the customer can access will not be included in the results of a site.search.searchProducts query.basePrice and price items in a product’s prices field.When the X-Bc-Customer-Access-Token header is provided when using the createCartRedirectUrls mutation, the resulting redirect URL will not only load the contents of the cart but will also automatically log the user into the corresponding customer session.