Rebrand 2023 Learn more 

  • Commerce Cloud/


    Store administrators and team members share responsibility for keeping a store secure.

    User Credentials

    Store admins receive their user credentials from Elastic Path to log in to Composable Commerce. Store admins can invite team members to work on a store.

    After a team member receives an invitation to a Composable Commerce store, they register and create their username and password. Store admins do not have access to the user credentials of the team members.

    Never share your user credentials.

    API Authentication Credentials

    All API requests must contain a generated access token for authentication purposes. To generate an access token, you need your API keys. API keys are the client ID and client secret. Access tokens expire after a predefined period of time. Application keys are used manage your own keys directly. They are not associated to a specific user, and are identified based on their names.

    Never share your API keys or generated access tokens.

    You can generate different types of access tokens based on the level of access needed for a particular task.

    • client_credentials token - Enables full access to all resources in the store. Use this type of token to create, read, update, or delete resources by using the API.
    • implicit token - Enables read access to resources in the store. Use this type of token to perform actions that a store customer would do, that is, access live resources available from the storefront.

    In addition, a customer token is required to access a customer profile, including addresses and order history when using an implicit token.

    Removing a team member removes the unique ClientID and Client Secret associated with that team member.

    Application Keys

    Application keys are used to directly manage access to Organizations and stores. These keys are identified based on their names, and are not associated with a user.

    The following table describes the management of application keys for organizations and stores.

    Application keys are granted the same permissions as Org Admins.Application keys are granted the same permissions as Store Admins.
    Org Admins can view and manage the list of application keys in their organization and all stores belonging to that organization.Store Admins can view and manage the list of application keys within the store.
    Application keys can be used to manage access to an organization and all stores in the organization.Application keys can be used to manage access to a store.

    You can use application keys to generate client_credentials and implicit tokens. Unlike User Credentials, Application keys are still valid even after a team member is removed from a store or organization.

    To create your application key, see Creating an Application Key.

    Best Practices for Application Keys

    • Use a descriptive name for the application key associated with its purpose.
    • Create a unique application key each for the storefront and back-end interactions.
    • Do not embed API keys directly in code.
    • Do not store API keys in files inside your application's source tree.
    • Regularly review and delete any unused application keys.

    Single Sign-on

    Single sign-on allows authentication with Commerce using an external authentication provider. Using an existing authentication provider allows for integration with company-specific or customizable authentication systems. In some cases, it can also simplify the log-in experience because they don’t need to remember another password. For more information, see Single Sign-on.

    Was this helpful?