Authentication

The Swish API uses access tokens to authenticate requests.

Please contact our support team to request an admin token.

API requests are authenticated using the Bearer Auth scheme. To authenticate a request, provide the token in the Authorization header of the request:

curl -H "Authorization: Bearer <your_access_token>" https://swish.app/api/2025-04/items

Swish API access scopes

API access tokens can be scoped to a Shopify customer, a temporary session, or all store data when using an admin token.

Admin token

All third-party integrations require an admin token. This token can be used to access and manage all resources with the Swish API. It must be used in a secure environment and should never be shared.

An admin token can be used to create other tokens with limited access. This lets you provide an API token to a client with limited access to their data only.

Load user data with admin token

Using an admin token allows you to impersonate a customer or session with the Profile header. This technique lets you access user data without generating a personal token for them. Ensure this method is only applied in secure environments, such as on a server.

curl -L \
  --url 'https://swish.app/api/unstable/items' \
  --header 'Authorization: Bearer JWT' \
  --header 'Profile: gid://shopify/Customer/1234567890'

Customer token

A customer token is specific to an individual Shopify customer account. It can be shared with a client authenticated as a signed-in customer. These tokens may be stored in the client's local storage for the duration of their session. Ensure secure storage with restricted access is used for token management.

curl -L \
  --request POST \
  --url 'https://swish.app/api/2025-04/profiles/token' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "customer": "gid://shopify/Customer/1234567890"
  }'

Session token

Session tokens function similarly to customer tokens, but they are intended for visitors who haven't signed in yet. These tokens provide access to Swish features without requiring a user to sign in. When you create a new token without specifying a profile, the API will automatically generate a new session for you.

curl -L \
  --request POST \
  --url 'https://swish.app/api/2025-04/profiles/token' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Content-Type: application/json'

When a customer logs in, replace their session token with a customer token. To link the previous session to the new customer session, provide the customer and session IDs when creating the customer token.

curl -L \
  --request POST \
  --url 'https://swish.app/api/2025-04/profiles/token' \
  --header 'Authorization: Bearer <your admin token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "customer": "gid://shopify/Customer/1234567890",
    "session": "gid://swish/Session/ebe9347c-6d2c-4d94-8542-d3a7e6e5ccd7"
  }'
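
A server-side helper for the token flow above, added here as an example and not Swish's own code: it validates the IDs before building the request body and passes the admin token to curl through stdin so it never appears in the process list. The function names, the `SWISH_ADMIN_TOKEN` variable and the ID shape checks (inferred from the sample IDs on this page) are assumptions.

```shell
# Added example: server-side minting of Swish customer/session tokens.
# Assumed names: SWISH_ADMIN_TOKEN, swish_token_body, swish_mint_token.
SWISH_TOKEN_URL='https://swish.app/api/2025-04/profiles/token'

# Print the JSON body for POST /profiles/token.
#   $1 = customer GID (optional), $2 = session GID to link (optional)
# No arguments: prints nothing (bodyless POST = new anonymous session).
# Returns 1 when an ID does not have the expected shape (assumed from the
# sample IDs on this page), so a value can never break out of its JSON string.
swish_token_body() {
  local customer="${1:-}" session="${2:-}" id body=''
  if [ -n "$customer" ]; then
    id="${customer#gid://shopify/Customer/}"
    [ "$id" != "$customer" ] || return 1           # prefix missing
    case "$id" in ''|*[!0-9]*) return 1 ;; esac    # digits only
    body="\"customer\": \"$customer\""
  fi
  if [ -n "$session" ]; then
    [ -n "$customer" ] || return 1   # page documents session only with customer
    id="${session#gid://swish/Session/}"
    [ "$id" != "$session" ] || return 1
    case "$id" in *[!0-9a-f-]*) return 1 ;; esac   # lowercase UUID characters
    [ "${#id}" -eq 36 ] || return 1
    body="$body, \"session\": \"$session\""
  fi
  [ -z "$body" ] || printf '{%s}' "$body"
  return 0
}

# Mint a token; same arguments as swish_token_body. Prints the API response.
swish_mint_token() {
  local body
  [ -n "${SWISH_ADMIN_TOKEN:-}" ] || { echo 'SWISH_ADMIN_TOKEN not set' >&2; return 1; }
  body="$(swish_token_body "$@")" || { echo 'rejected ID' >&2; return 1; }
  set -- --request POST --url "$SWISH_TOKEN_URL" \
         --header 'Content-Type: application/json'
  [ -z "$body" ] || set -- "$@" --data "$body"
  # printf is a shell builtin and curl reads the header from stdin, so the
  # admin token is never placed on a command line visible in `ps`.
  printf 'header = "Authorization: Bearer %s"\n' "$SWISH_ADMIN_TOKEN" |
    curl --silent --show-error --fail --config - "$@"
}
```

Call `swish_mint_token` with a customer ID taken from your own authenticated server-side session rather than from a value the client sends.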
