Authentication
The Swish API uses access tokens to authenticate requests.
API requests are authenticated using the Bearer Auth scheme. To authenticate a request, provide the token in the Authorization header of the request:
curl -H "Authorization: Bearer <your_access_token>" https://swish.app/api/2025-04/items
Please be sure to keep your API access tokens secure! Do not share them in emails, chat messages, client-side code or publicly accessible sites.
If you have accidentally shared an API access token publicly, you must contact our support team immediately.
Swish API access scopes
API access tokens can be scoped to a Shopify customer, a temporary session, or all store data when using an admin token.
Admin token
All third-party integrations require an admin token. This token can be used to access and manage all resources with the Swish API. Admin tokens must be used in a secure environment and should never be shared.
An admin token can be used to create other tokens with limited access. This lets you provide an API token to a client with limited access to their data only.
Load user data with admin token
Using an admin token allows you to impersonate a customer or session with the Profile header. This technique lets you access user data without generating a personal token for them. Ensure this method is only applied in secure environments, such as on a server.
curl -L \
--url 'https://swish.app/api/unstable/items' \
--header 'Authorization: Bearer JWT' \
--header 'Profile: gid://shopify/Customer/1234567890'
Customer token
A customer token is specific to an individual Shopify customer account. It can be shared with a client authenticated as a signed-in customer. These tokens may be stored in the client's local storage for the duration of their session. Ensure secure storage with restricted access is used for token management.
curl -L \
--request POST \
--url 'https://swish.app/api/2025-04/profiles/token' \
--header 'Authorization: Bearer <your admin token>' \
--header 'Content-Type: application/json' \
--data '{
"customer": "gid://shopify/Customer/1234567890"
}'
Session token
Session tokens function similarly to customer tokens, but they are intended for visitors who haven't signed in yet. These tokens provide access to Swish features without requiring a user to sign in. When you create a new token without specifying a profile, the API will automatically generate a new session for you.
curl -L \
--request POST \
--url 'https://swish.app/api/2025-04/profiles/token' \
--header 'Authorization: Bearer <your admin token>' \
--header 'Content-Type: application/json'
When a customer logs in, replace their session token with a customer token. To link the previous session to the new customer session, provide the customer and session IDs when creating the customer token.
curl -L \
--request POST \
--url 'https://swish.app/api/2025-04/profiles/token' \
--header 'Authorization: Bearer <your admin token>' \
--header 'Content-Type: application/json' \
--data '{
"customer": "gid://shopify/Customer/1234567890",
"session": "gid://swish/Session/ebe9347c-6d2c-4d94-8542-d3a7e6e5ccd7"
}'
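The three token requests above can be issued from a single server-side helper, so the admin token never reaches the client. The following is an added example, not code from Swish. It assumes a hypothetical environment variable `SWISH_ADMIN_TOKEN`, ID patterns inferred from the sample IDs on this page, and returns the response JSON unmodified because its shape is not shown here.

```python
import json
import os
import re
import urllib.request

TOKEN_URL = "https://swish.app/api/2025-04/profiles/token"  # endpoint from this page
# ID shapes copied from this page's examples; the exact grammar is an assumption.
CUSTOMER_GID = re.compile(r"gid://shopify/Customer/\d+")
SESSION_GID = re.compile(r"gid://swish/Session/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def build_token_request(admin_token, customer=None, session=None):
    """No IDs: session token. customer: customer token. Both: linked customer token."""
    if not admin_token:
        raise ValueError("admin token missing")
    if session is not None and customer is None:
        # This example only sends a session ID together with a customer ID, as on the page.
        raise ValueError("session ID given without a customer ID")
    if customer is not None and not CUSTOMER_GID.fullmatch(customer):
        raise ValueError("unexpected customer ID format")
    if session is not None and not SESSION_GID.fullmatch(session):
        raise ValueError("unexpected session ID format")
    body = {}
    if customer is not None:
        body["customer"] = customer
    if session is not None:
        body["session"] = session
    return urllib.request.Request(
        TOKEN_URL,
        data=json.dumps(body).encode() if body else None,
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
    )


def mint_token(customer=None, session=None):
    """Send the request from the server and return the parsed JSON response as-is."""
    # Pass the customer ID from your own authenticated login state, not from client input.
    admin_token = os.environ["SWISH_ADMIN_TOKEN"]  # hypothetical variable name
    req = build_token_request(admin_token, customer, session)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)
```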