Security

Store administrators and team members share responsibility for keeping a store secure.

Store admins receive their user credentials from Elastic Path to log in to Commerce Cloud. Store admins can invite team members to work on a store.

After a team member receives an invitation to a Commerce Cloud store, they register and create their username and password. Store admins do not have access to the user credentials of the team members.

All API requests must contain a generated access token for authentication purposes. To generate an access token, you need your API keys. API keys are the client ID and client secret. Access tokens expire after a predefined period of time. Application keys are used manage your own keys directly. They are not associated to a specific user, and are identified based on their names.

You can generate different types of access tokens based on the level of access needed for a particular task.

• client_credentials token - Enables full access to all resources in the store. Use this type of token to create, read, update, or delete resources by using the API.
• implicit token - Enables read access to resources in the store. Use this type of token to perform actions that a store customer would do, that is, access live resources available from the storefront.

In addition, a customer token is required to access a customer profile, including addresses and order history.

• To manage the customer profile from the server side, use the customer token with the client_credential token.
• To access the customer profile from the client side, use the customer token with the implicit token.

Application keys are used to manage access to a store directly. They are granted the same permissions as store admins. They are identified based on their names, and are not associated with a user. All store admins can view and manage the list of keys in a store. You can use application keys to generate client_credentials and implicit tokens. Unlike User Credentials, Application keys are still valid even after a team member is removed from a store. To create your application key, see Creating an Application Key.

• Use a descriptive name for the application key associated with its purpose.
• Create a unique application key each for the storefront and back-end interactions.
• Do not embed API keys directly in code.
• Do not store API keys in files inside your application's source tree.
• Delete unused application keys.

Single sign-on allows authentication with Elastic Path Commerce Cloud using an external authentication provider. Using an existing authentication provider allows for integration with company-specific or customizable authentication systems. In some cases, it can also simplify the log-in experience because they don’t need to remember another password. For more information, see Single Sign-on.

• Your first API request
• Authentication
• Application Keys