BigCommerce provides Customer Identity and Access Management (CIAM) capabilities for managing access to BigCommerce resources. If I’m building an application that needs to work on any BigCommerce store, I need a way for BigCommerce to tell my API who the customer is. To identify the shopper before exposing any sensitive information, my application should rely on something that the user can’t tamper with. To solve this, BigCommerce provides the Current Customer API. The Current Customer API generates a JSON Web Token (JWT) that is signed with a secret shared only by my application and BigCommerce. If the shopper were to try to forge the token, my application could easily tell by validating the signature.
To retrieve an identity token from the Current Customer API, you will need:
- a BigCommerce client ID
- a BigCommerce client secret
Once you have your client ID, you can use it to make a request from your browser to the Current Customer API.
Generate a token by using your browser to navigate to the Current Customer API endpoint:
- Navigate to your BigCommerce storefront, then log into a customer account.
- Once you’ve logged in, navigate to `/customer/current.jwt?app_client_id=<YOUR_APP_CLIENT_ID>`

Copy the token and paste it into the debugger on https://jwt.io to read the content. You can even paste your client secret into the Verify Signature section to see the tool validate the token signature.
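The same signature check can be run inside the application itself, so the client secret stays on the server. The following is an added example, not code from BigCommerce or from the original article; it uses only the Python standard library and assumes the token is signed with HS256 (check the `alg` field the debugger shows for your token). The `customer` claim layout and the secret in the sample are constructed.

```python
import base64, hashlib, hmac, json, time

# Assumption: HMAC-signed token; the algorithm is pinned by the caller, never taken from the token.
HASHES = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

class InvalidToken(Exception):
    """Raised for any token that must not be trusted."""

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_customer_jwt(token, client_secret, expected_alg="HS256", now=None):
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("malformed token") from exc
    # Reject "none" or any algorithm other than the one this application expects.
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise InvalidToken("unexpected algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(client_secret.encode(), signing_input, HASHES[expected_alg]).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or current >= exp:
        raise InvalidToken("token expired or missing exp")
    return claims

def make_sample_token(claims, secret, alg="HS256"):
    """Constructed helper for the demo: signs claims the way the issuer would."""
    head = b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{head}.{body}".encode(), HASHES[alg]).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

if __name__ == "__main__":
    secret = "constructed-client-secret"  # constructed value, not a real secret
    sample = {"customer": {"id": 42, "email": "shopper@example.com"}, "exp": int(time.time()) + 300}
    print(verify_customer_jwt(make_sample_token(sample, secret), secret))
```

Only the claims returned by `verify_customer_jwt` should be used to decide which customer's data to expose; anything decoded from a token that raised `InvalidToken` is untrusted input.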
