    Security

    Store administrators and team members share responsibility for keeping a store secure.

    User Credentials

    Store admins receive their user credentials from Elastic Path to log in to Commerce Cloud. Store admins can invite team members to work on a store.

    After a team member receives an invitation to a Commerce Cloud store, they register and create their username and password. Store admins do not have access to the user credentials of the team members.

    Never share your user credentials.

    API Authentication Credentials

    All API requests must contain a generated access token for authentication. To generate an access token, you need your API keys: the client ID and client secret. Access tokens expire after a predefined period of time. Application keys let you manage your own keys directly; they are not associated with a specific user and are identified by their names.

    Never share your API keys or generated access tokens.

    You can generate different types of access tokens based on the level of access needed for a particular task.

    • client_credentials token - Enables full access to all resources in the store. Use this type of token to create, read, update, or delete resources by using the API.
    • implicit token - Enables read access to resources in the store. Use this type of token to perform actions that a store customer would do, that is, access live resources available from the storefront.

    In addition, a customer token is required to access a customer profile, including addresses and order history.

    • To manage the customer profile from the server side, use the customer token with the client_credentials token.
    • To access the customer profile from the client side, use the customer token with the implicit token.

    Removing a team member removes the unique client ID and client secret associated with that team member.

    Application Keys

    Application keys are used to manage access to a store directly. They are granted the same permissions as store admins. They are identified by their names and are not associated with a user. All store admins can view and manage the list of keys in a store. You can use application keys to generate client_credentials and implicit tokens. Unlike user credentials, application keys remain valid after a team member is removed from a store. To create your application key, see Creating an Application Key.

    Best practices

    • Use a descriptive name for the application key associated with its purpose.
    • Create a unique application key each for the storefront and back-end interactions.
    • Do not embed API keys directly in code.
    • Do not store API keys in files inside your application's source tree.
    • Delete unused application keys.
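    The following is an added example, not Elastic Path's own code, that ties together the two token types above and the best practice of keeping API keys out of source: it assembles the token request body for the client_credentials and implicit grants (the implicit body must never carry the client secret), reads the keys from environment variables, and refreshes a cached token shortly before it expires. The environment variable names and the "expires_in" field in the token response are assumptions; the request body is posted to your store's token endpoint in the form its API documentation specifies.

```python
# Added example (not Elastic Path's own code). Keys come from the
# environment so they are never embedded in code or the source tree.
import os
import time
from typing import Optional


def build_token_request(grant_type: str, env=os.environ) -> dict:
    """Return the form body for an access-token request.

    client_credentials (full access, server side) needs the client secret;
    implicit (read access, storefront/client side) must never include it.
    Variable names EPCC_CLIENT_ID / EPCC_CLIENT_SECRET are assumed.
    """
    client_id = env.get("EPCC_CLIENT_ID")
    if not client_id:
        raise RuntimeError("EPCC_CLIENT_ID is not set")
    body = {"client_id": client_id, "grant_type": grant_type}
    if grant_type == "client_credentials":
        secret = env.get("EPCC_CLIENT_SECRET")
        if not secret:
            raise RuntimeError("EPCC_CLIENT_SECRET is not set")
        body["client_secret"] = secret
    elif grant_type != "implicit":
        raise ValueError(f"unsupported grant type: {grant_type}")
    return body


class TokenCache:
    """Holds one access token and reports when it must be refreshed."""

    def __init__(self, skew_seconds: int = 60) -> None:
        self.token: Optional[str] = None
        self.expires_at: float = 0.0
        self.skew = skew_seconds  # refresh this long before expiry

    def store(self, token_response: dict, now: Optional[float] = None) -> None:
        # Assumes the response reports the lifetime in seconds as "expires_in".
        now = time.time() if now is None else now
        self.token = token_response["access_token"]
        self.expires_at = now + int(token_response["expires_in"])

    def needs_refresh(self, now: Optional[float] = None) -> bool:
        # True when no token is held or it is within the skew window of expiry.
        now = time.time() if now is None else now
        return self.token is None or now >= self.expires_at - self.skew
```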

    Single Sign-on

    Single sign-on allows authentication with Elastic Path Commerce Cloud using an external authentication provider. Using an existing authentication provider allows for integration with company-specific or customizable authentication systems. In some cases, it can also simplify the log-in experience because users do not need to remember another password. For more information, see Single Sign-on.