PAPI-3173 - Introduce private token authentication and deprecate simple token for S2S requests (#1245)
…le/storefront tokens for S2S requests
Pull request overview
This pull request introduces private tokens for server-to-server integrations with the GraphQL Storefront API and deprecates the use of storefront tokens in server-to-server contexts. The changes include new API endpoints, comprehensive documentation updates, and clear migration guidance for developers.
Changes:
- Added a new `/storefront/api-token-private` endpoint with POST and DELETE operations for creating and revoking private tokens
- Added deprecation notices across API reference and documentation indicating that storefront tokens will no longer be usable statelessly in server-to-server contexts after a future deprecation date
- Updated all relevant documentation to recommend private tokens for server-to-server use cases while maintaining storefront tokens for browser-based applications
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| reference/storefront_tokens.v3.yml | Added private token endpoint definitions (create/revoke), updated descriptions to clarify token types, and added deprecation notice for storefront tokens in S2S contexts |
| docs/storefront/headless/customers.mdx | Updated to recommend private tokens with customer access tokens for headless/server-side code |
| docs/storefront/headless/channels.mdx | Clarified token usage patterns: private tokens for S2S, customer impersonation for S2S with customer data, storefront tokens for browsers |
| docs/storefront/graphql/index.mdx | Added deprecation warning for storefront tokens in S2S contexts and updated guidance to recommend private tokens |
| docs/start/authentication/graphql-storefront.mdx | Added comprehensive private tokens section with creation examples, security guidance, and updated all S2S recommendations to use private tokens |
…le/storefront tokens for S2S requests
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…on descriptions and remove private token revocation endpoint
…-token-introduction' into PAPI-3173_strf-stateless-private-token-introduction
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
…rove clarity in JWT payload examples
…orrect JSON structure by nesting the token under a "data" key
…lder comments in the "meta" field for improved clarity
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
6juara9 left a comment
Overall looks good, some minor comments.
…rror handling for insufficient access scopes. Updated instructions for creating private tokens to include required scopes.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
…ostPrivate schema, added required scopes for private tokens, and clarified access scope identifiers.
…ntation, specifying that requests with no scopes will be rejected by the API.
…dentifiers and required fields
…g server-to-server use
…-token-introduction' into PAPI-3173_strf-stateless-private-token-introduction
Jira: PAPI-3173
Related to: https://github.com/bigcommerce/developer-center/pull/1346