Authentication
The Swish API uses access tokens to authenticate requests.
API requests are authenticated using the . To authenticate a request, provide the token in the Authorization header of the request:
Please be sure to keep your API access tokens secure! Do not share them in emails, chat messages, client-side code or publicly accessible sites.
If you have accidentally shared an API access token publicly, you must team immediately.
API access tokens can be scoped to a Shopify customer, a temporary session, or all store data when using an admin token.
All third-party integrations require an admin token. This token can be used to access and manage all resources with the Swish API. Admin tokens must be used in a secure environment and should never be shared.
An admin token can be used to with limited access. This lets you provide an API token to a client with limited access to their data only.
Using an admin token allows you to impersonate a customer or session with the Profile header. This technique lets you access user data without generating a personal token for them. Ensure this method is only applied in secure environments, such as on a server.
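The sketch below is an added example, not Swish's own code, showing why impersonation belongs on a server: the Profile value is taken from state the server verified itself, and any Authorization or Profile header sent by the browser is discarded. The "Bearer" scheme, the opaque ID format for the Profile value, and the `serverSession` shape are assumptions, since the page does not give them.

```javascript
// Added example. Assumptions: the auth scheme name, the Profile value format
// (an opaque ID) and the `serverSession` object are hypothetical.
const AUTH_SCHEME = "Bearer"; // assumption: the scheme is not named on the page
const FORWARDED = new Set(["accept", "content-type"]); // allowlist, not denylist

// Keep only harmless client headers. Authorization and Profile from the
// browser are never forwarded, so a client cannot pick whom to impersonate.
function filterClientHeaders(incoming) {
  const kept = {};
  for (const [name, value] of Object.entries(incoming)) {
    if (FORWARDED.has(name.toLowerCase())) kept[name] = value;
  }
  return kept;
}

// Choose the profile from server-side state (a verified login, or a visitor
// session the server issued). The pattern also rejects CR/LF, which would
// otherwise allow header injection.
function resolveProfile(serverSession) {
  const id = serverSession.customerId || serverSession.sessionId;
  if (typeof id !== "string" || !/^[A-Za-z0-9_-]{1,128}$/.test(id)) {
    throw new Error("no trustworthy profile for this request");
  }
  return id;
}

// Build the headers for a server-to-Swish request made with the admin token.
function buildSwishHeaders(adminToken, serverSession, incomingHeaders = {}) {
  if (!adminToken) throw new Error("admin token is not configured");
  return {
    ...filterClientHeaders(incomingHeaders),
    Authorization: `${AUTH_SCHEME} ${adminToken}`,
    Profile: resolveProfile(serverSession),
  };
}

// Constructed sample: a signed-in customer whose browser tries to set Profile.
const sample = buildSwishHeaders(
  "constructed-admin-token",
  { customerId: "customer-1001", sessionId: "sess-abc" },
  { Accept: "application/json", Profile: "customer-9999" }
);
console.log(sample.Profile); // the server-side value, not the client's
```

Load the admin token from server-side configuration such as an environment variable, so it never appears in code shipped to the browser.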
A customer token is specific to an individual Shopify customer account. It can be shared with a client authenticated as a signed-in customer. These tokens may be stored in the client's local storage for the duration of their session. Ensure secure storage with restricted access is used for token management.
Session tokens function similarly to customer tokens, but they are intended for visitors who haven't signed in yet. These tokens provide access to Swish features without requiring a user to sign in. When you create a new token without specifying a profile, the API will automatically generate a new session for you.
When a customer logs in, replace their session token with a customer token. To link the previous session to the new customer session, provide the customer and session IDs when creating the customer token.