Skip to main content
Custom Storefront Tokens allow store owners to generate API keys that external developers can use to build custom storefronts. Tokens are scoped by domain, environment, and permissions.

POST /custom/tokens

Generate a new API token for a custom storefront domain.

Authentication

Requires Bearer token (auth:customer_api).

Headers

Body Parameters

Available Permissions

Development tokens are limited to read_products, read_categories, and read_store permissions only. Requesting other permissions for a development token will return an error.

Example Request

Response

Success (200)

The raw token value is only returned once at creation time. Store it securely — it cannot be retrieved again. The token is stored as a SHA-256 hash on the server.

Error Responses

Token Expiry


GET /custom/tokens

List all tokens for the authenticated customer’s store.

Authentication

Requires Bearer token (auth:customer_api).

Headers

Example Request

Response

Success (200)

The raw token value is never returned in list responses. Only metadata is shown.

DELETE /custom/tokens/

Revoke (deactivate) a token.

Authentication

Requires Bearer token (auth:customer_api).

Path Parameters

Example Request

Response

Success (200)

Error Responses


GET /custom/tokens//stats

Get usage statistics for a specific token.

Authentication

Requires Bearer token (auth:customer_api).

Path Parameters

Example Request

Response

Success (200)

Error Responses


POST /custom/tokens/validate

Validate a custom storefront token. This is a public endpoint that does not require Bearer authentication.

Authentication

None required. The token to validate is passed in the request body.

Headers

Body Parameters

Example Request

Response

Valid Token (200)

Error Responses

For production tokens, the Origin or Referer header of the request must match the domain registered with the token. Development tokens skip this check.

GET /custom/tokens/permissions

Get the permissions and metadata for a token identified by the X-Custom-Token header. This is a public endpoint.

Authentication

None required. Pass the token via the X-Custom-Token header.

Headers

Example Request

Response

Success (200)

Error Responses