If you wish to use the GraphQL Storefront API from an external system, such as a headless storefront, there are a few considerations:
There are three public URLs you can use to run requests: the store's own domain (https://store.com/graphql), the store's permanent URL (https://store-STOREHASH.mybigcommerce.com/graphql), and the Channel's Permanent URL (https://store-STOREHASH-CHANNELID.mybigcommerce.com/graphql).
When your requests target a specific channel, as a headless storefront normally does, use the Channel's Permanent URL of the form https://store-STOREHASH-CHANNELID.mybigcommerce.com/graphql. In order for the Channel's Permanent URL to be available, you must create a Site for the channel.
For example, if your store hash is abc123 and your channel ID is 456, the correct URL would be https://store-abc123-456.mybigcommerce.com/graphql. Note that you must create your Storefront API Token with the same channel ID, or your request will be rejected.
For client-side requests made from the browser, use a standard Storefront API Token with the proper allowed origins set. Session cookies will provide customer context when it exists. This is the same use case as the Vanilla JS + Bootstrap example.
For server-side requests that need no customer context, use a Private Token without sending an X-Bc-Customer-Access-Token header.
Using a Private Token for server-side requests is a recent change to the BigCommerce GraphQL Storefront API. If you have existing integrations using standard Storefront Tokens for server-to-server requests, see the Authentication documentation for migration details.
For server-side requests that need customer context, use a Private Token and provide the customer's access token in the X-Bc-Customer-Access-Token header.
When server-side requests are made from an application like a headless storefront, the required GraphQL Storefront interactions are often extensive and varied. A request for store settings, for example, may require no customer context. The majority of other requests likely do need a customer context if it exists; queries for catalog data may be affected by customer pricing or visibility, and cart and checkout operations are customer-specific. It’s common to simply provide a customer access token (if it exists) for all requests. If you instead choose to selectively include a customer access token for some requests and not others, make sure you carefully consider which requests are affected (or might be in the future) by customer context.
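The following is an added example, not BigCommerce's own code, showing how a headless storefront can build the channel's permanent URL and assemble the headers for the cases above: a browser request with a standard Storefront API Token, and server-side requests with a Private Token that add X-Bc-Customer-Access-Token whenever a customer access token is available. It assumes Node 18+ (global fetch), uses the store hash and channel ID from the text, treats the token strings as placeholders, and assumes the browser case runs same-site so session cookies are sent; the two GraphQL queries are illustrative only.

```javascript
'use strict';

// Store hash and channel ID from the text above; token values below are placeholders.
const STORE_HASH = 'abc123';
const CHANNEL_ID = 456;

// Channel Permanent URL: https://store-STOREHASH-CHANNELID.mybigcommerce.com/graphql
// Both parts are interpolated into a hostname, so reject anything that is not a
// plain alphanumeric hash or a positive integer before building it.
function channelPermanentUrl(storeHash, channelId) {
  if (typeof storeHash !== 'string' || !/^[a-z0-9]+$/i.test(storeHash)) {
    throw new Error('store hash must be alphanumeric');
  }
  if (!Number.isInteger(channelId) || channelId <= 0) {
    throw new Error('channel ID must be a positive integer');
  }
  return `https://store-${storeHash}-${channelId}.mybigcommerce.com/graphql`;
}

// Build fetch() options for a GraphQL Storefront API request.
//   mode 'browser': standard Storefront API Token; customer context comes from the
//                   session cookie, so X-Bc-Customer-Access-Token is never set.
//   mode 'server':  Private Token; X-Bc-Customer-Access-Token is set whenever a
//                   customer access token is supplied (the "send it for all requests"
//                   approach described above) and omitted otherwise.
// tokenKind ('storefront' | 'private') is tracked by the caller; the function refuses
// the wrong token for the mode so a Private Token cannot end up in browser code.
function buildRequest({ mode, tokenKind, token, customerAccessToken, query, variables = {} }) {
  if (typeof token !== 'string' || token.length === 0) throw new Error('token is required');
  const headers = {
    'Content-Type': 'application/json',
    Authorization: `Bearer ${token}`,
  };
  let credentials = 'omit';

  if (mode === 'browser') {
    if (tokenKind !== 'storefront') {
      throw new Error('browser requests must use a standard Storefront API Token');
    }
    if (customerAccessToken) {
      throw new Error('browser requests take customer context from the session cookie');
    }
    credentials = 'include'; // assumption: same-site storefront, so session cookies are sent
  } else if (mode === 'server') {
    if (tokenKind !== 'private') {
      throw new Error('server-side requests must use a Private Token');
    }
    if (customerAccessToken) headers['X-Bc-Customer-Access-Token'] = customerAccessToken;
  } else {
    throw new Error(`unknown mode: ${mode}`);
  }

  return {
    method: 'POST',
    headers,
    credentials,
    body: JSON.stringify({ query, variables }),
  };
}

// Send the request (Node 18+ global fetch assumed) and surface GraphQL errors.
async function sendRequest(url, options) {
  const res = await fetch(url, options);
  if (!res.ok) throw new Error(`HTTP ${res.status} from ${url}`);
  const payload = await res.json();
  if (payload.errors && payload.errors.length) {
    throw new Error(`GraphQL errors: ${JSON.stringify(payload.errors)}`);
  }
  return payload.data;
}

// A store-settings request that needs no customer context, and a customer request
// for a logged-in customer, both built for the channel's permanent URL.
const channelUrl = channelPermanentUrl(STORE_HASH, CHANNEL_ID);
const settingsRequest = buildRequest({
  mode: 'server',
  tokenKind: 'private',
  token: 'PRIVATE_TOKEN_PLACEHOLDER',
  query: '{ site { settings { storeName } } }',
});
const customerRequest = buildRequest({
  mode: 'server',
  tokenKind: 'private',
  token: 'PRIVATE_TOKEN_PLACEHOLDER',
  customerAccessToken: 'CUSTOMER_ACCESS_TOKEN_PLACEHOLDER',
  query: '{ customer { email } }',
});
// To run for real: await sendRequest(channelUrl, customerRequest);
```

Keeping the token kind explicit in code is what makes the browser/server split enforceable: a standard Storefront API Token is the only one that should ever be served to a client, and the Private Token stays on the server that adds the customer access token header. Note that the channel ID used to build the URL must be the one the token was created for, or the request is rejected.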