Storefront Tokens

Storefront tokens are API keys that authenticate requests to the Storefront API. Each token grants read access to your storefront data for a specific market.

Managing tokens

Tokens can be managed at two levels:

• Tenant-level — Under Settings → Storefront. These tokens are shared across all markets.
• Market-level — Under Settings → Markets → Market → Storefront. These tokens are scoped to a specific market.

Generating a token

1. Navigate to the token management page (tenant or market level).
2. Click Generate Token.
3. Enter a Name for the token (e.g., "Production Website", "Staging Environment").
4. Optionally add Allowed Origins (CORS) to restrict which domains can use this token.
5. Click Create.

A modal displays the generated token. Copy it immediately — you won't be able to see the full token again.

CORS restrictions

Each token can have allowed origins that restrict which domains can make API requests:

• Add specific domains (e.g., https://www.example.com) to restrict access.
• Leave origins empty to allow requests from any domain — this is suitable for development but not recommended for production.

A token with no CORS restrictions shows a warning: "Allows all origins (Development)".

Adding origins

1. In the token creation form, enter a domain in the origin field.
2. Click Add Origin to add more domains.
3. Each domain is validated and stored with the token.

Token states

Editing a token

1. Click on an active token to open the edit form.
2. Update the Name or Allowed Origins.
3. Click Save Changes.

Revoking a token

Revoking a token immediately disables it. Any application using the token will lose access.

1. Click the revoke action on a token.
2. Confirm the revocation.

Token metadata

Each token displays:

• Created — When the token was generated.
• Last used — When the token was last used for an API request.
• Allowed Origins — The domains permitted to use this token.