# Authentication

The Swish API uses access tokens to authenticate requests.

{% hint style="info" %}
Please [contact our support](mailto:support@swish.app) team to request an admin token.
{% endhint %}

API requests are authenticated using the [Bearer Auth scheme](https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes). To authenticate a request, provide the token in the `Authorization` header of the request:

```sh
curl -H "Authorization: Bearer <your_access_token>" https://swish.app/api/2025-04/items
```

{% hint style="warning" %}
Please be sure to keep your API access tokens secure! Do not share them in emails, chat messages, client-side code, source repositories or publicly accessible sites.

If you have accidentally shared an API access token publicly, you must [contact our support](mailto:support@swish.app) team immediately.
{% endhint %}

## Swish API access scopes

API access tokens come in three scopes: an admin token covers all store data, while a profile token is limited to either a single Shopify customer or a temporary session.

### Admin token

All third-party integrations require an admin token. This token can be used to access and manage all resources in the Swish API. It must be used in a **secure environment** (your own server) and **should never be shared** or sent to a browser.

An admin token can be used to [create profile tokens](https://developers.swish.app/api-reference/profiles#profiles-token) with limited access. These are the tokens you hand to a client, and they may be stored there.

{% hint style="warning" %}
Profile tokens expire after one day. When that happens, issue a new one with your admin token and replace the expired token on the client.
{% endhint %}

#### Load user data with admin token

Using an admin token allows you to impersonate a customer or session by adding the `Profile` header. This lets you read a user's data from your server without issuing a profile token for them. Because the admin token can impersonate any customer, the value of the `Profile` header must be chosen by your server from its own authenticated login state; never copy it from a client-supplied header or parameter, or any caller could read any customer's data through your integration. Only use this method in a secure environment, such as on a server.

```sh
curl -L \
  --url 'https://swish.app/api/2025-04/items' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Profile: gid://shopify/Customer/1234567890'
```

### Customer token

A customer token is scoped to a single Shopify customer account. Issue it from your server to a client that has authenticated as that signed-in customer; the client may keep it in local storage for the duration of the session. Keep in mind that anything in local storage is readable by every script running on the page, so an XSS bug exposes the token; the one-day expiry bounds that exposure but does not remove it, and an admin token must never be stored there.

```sh
curl -L \
  --request POST \
  --url 'https://swish.app/api/2025-04/profiles/token' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "customer": "gid://shopify/Customer/1234567890"
  }'
```

### Session token

Session tokens function similarly to customer tokens, but they are intended for visitors who have not signed in yet. These tokens provide access to Swish features without requiring a user to sign in. When you create a new token without specifying a customer or session, the API automatically generates a new session for you.

```sh
curl -L \
  --request POST \
  --url 'https://swish.app/api/2025-04/profiles/token' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Content-Type: application/json'
```

When a customer logs in, replace their session token with a customer token. To link the visitor's previous session to the new customer session, provide both the customer ID and the session ID when creating the customer token.

```sh
curl -L \
  --request POST \
  --url 'https://swish.app/api/2025-04/profiles/token' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "customer": "gid://shopify/Customer/1234567890",
    "session": "gid://swish/Session/ebe9347c-6d2c-4d94-8542-d3a7e6e5ccd7"
  }'
```
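The three token flows on this page (impersonation with the `Profile` header, issuing a session token for an anonymous visitor, and upgrading it to a linked customer token at login) fit naturally into one server-side helper. The following is an added example, not Swish's client library: it keeps the admin token on the server, validates the GIDs it is asked to act on, and caches customer tokens so they are re-issued an hour before the documented one-day expiry. It assumes that the token endpoint answers with a JSON body containing a `token` field (the response format is not shown on this page) and uses a constructed `FakeTransport` in place of `swish.app` so it runs offline.

```python
# Added example, not Swish's client code. Assumptions: the token endpoint
# returns JSON with a "token" field; customer tokens are refreshed one hour
# before the documented one-day expiry.
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

API_BASE = "https://swish.app/api/2025-04"
CUSTOMER_GID = re.compile(r"^gid://shopify/Customer/\d+$")
SESSION_GID = re.compile(r"^gid://swish/Session/[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
TOKEN_LIFETIME = timedelta(days=1)    # documented profile-token lifetime
REFRESH_MARGIN = timedelta(hours=1)   # assumed: re-issue an hour early


def urllib_transport(method, url, headers, body):
    """Real HTTP transport returning (status, raw_body); swapped out for offline tests."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


class FakeTransport:
    """Constructed stand-in for swish.app so the example runs without network access."""

    def __init__(self):
        self.calls = []  # (method, url, headers, body) of every request made

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url, headers, body))
        if url.endswith("/profiles/token"):
            return 200, json.dumps({"token": f"profile-token-{len(self.calls)}"}).encode()
        return 200, b'{"items": []}'


class SwishAdmin:
    """Wraps the admin token. Lives on the server only; never ships to a browser."""

    def __init__(self, admin_token, transport=urllib_transport, now=None):
        self._admin_token = admin_token
        self._transport = transport
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._customer_tokens = {}  # customer GID -> (token, issued_at)

    def _call(self, method, path, body=None, extra_headers=None):
        headers = {"Authorization": f"Bearer {self._admin_token}",
                   "Content-Type": "application/json", **(extra_headers or {})}
        payload = None if body is None else json.dumps(body).encode()
        status, raw = self._transport(method, API_BASE + path, headers, payload)
        if status != 200:
            raise RuntimeError(f"Swish API returned {status} for {method} {path}")
        return json.loads(raw)

    def items_for(self, profile_gid):
        """Read /items as a customer or session via the Profile header.

        profile_gid must come from the server's own login state, never from a
        client-controlled value: the admin token can impersonate anyone.
        """
        if not (CUSTOMER_GID.match(profile_gid) or SESSION_GID.match(profile_gid)):
            raise ValueError(f"refusing to impersonate malformed profile {profile_gid!r}")
        return self._call("GET", "/items", extra_headers={"Profile": profile_gid})

    def new_session_token(self):
        """Anonymous visitor: no body, so Swish creates a fresh session per call."""
        return self._call("POST", "/profiles/token")["token"]  # "token" field assumed

    def customer_token(self, customer, previous_session=None):
        """Signed-in customer: cached until near expiry. Pass the visitor's old
        session GID at first login so Swish links that session to the customer."""
        if not CUSTOMER_GID.match(customer):
            raise ValueError(f"bad customer GID {customer!r}")
        if previous_session is not None and not SESSION_GID.match(previous_session):
            raise ValueError(f"bad session GID {previous_session!r}")
        cached = self._customer_tokens.get(customer)
        if cached and self._now() - cached[1] < TOKEN_LIFETIME - REFRESH_MARGIN:
            return cached[0]
        body = {"customer": customer}
        if previous_session:
            body["session"] = previous_session
        token = self._call("POST", "/profiles/token", body=body)["token"]
        self._customer_tokens[customer] = (token, self._now())
        return token


if __name__ == "__main__":
    fake = FakeTransport()
    admin = SwishAdmin("admin-secret", transport=fake)
    anonymous = admin.new_session_token()
    signed_in = admin.customer_token("gid://shopify/Customer/1234567890",
                                     "gid://swish/Session/ebe9347c-6d2c-4d94-8542-d3a7e6e5ccd7")
    admin.items_for("gid://shopify/Customer/1234567890")
    for method, url, headers, body in fake.calls:
        print(method, url, headers.get("Profile", "-"), body)
```

Replace `FakeTransport` with the default `urllib_transport` to talk to the real API. The GID checks are deliberately strict: they stop a malformed or attacker-shaped identifier from ever reaching the `Profile` header, but they do not replace the authorisation decision, which is that `profile_gid` is looked up from your own session store rather than taken from the request.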
