Store administrators and team members share responsibility for keeping a store secure.
Store admins receive their user credentials from Elastic Path to log in to Commerce Cloud. Store admins can invite team members to work on a store.
After a team member receives an invitation to a Commerce Cloud store, they register and create their username and password. Store admins do not have access to the user credentials of the team members.
Never share your user credentials.
API Authentication Credentials
All API requests must contain a generated access token for authentication purposes. To generate an access token, you need your API keys. API keys are the client ID and client secret. Access tokens expire after a predefined period of time. Application keys are used to manage your own keys directly. They are not associated with a specific user, and are identified based on their names.
Never share your API keys or generated access tokens.
You can generate different types of access tokens based on the level of access needed for a particular task.
client_credentials token - Enables full access to all resources in the store. Use this type of token to create, read, update, or delete resources by using the API.
implicit token - Enables read access to resources in the store. Use this type of token to perform actions that a store customer would do, that is, access live resources available from the storefront.
In addition, a customer token is required to access a customer profile, including addresses and order history.
- To manage the customer profile from the server side, use the customer token with the
- To access the customer profile from the client side, use the customer token with the
Removing a team member removes the unique client ID and client secret associated with that team member.
Application keys are used to manage access to a store directly. They are granted the same permissions as store admins. They are identified based on their names, and are not associated with a user.
All store admins can view and manage the list of keys in a store. You can use application keys to generate implicit tokens. Unlike user credentials, application keys are still valid even after a team member is removed from a store. To create your application key, see Create an Application Key.
- Give each application key a descriptive name that reflects its purpose.
- Create separate application keys for the storefront and for back-end interactions.
- Do not embed API keys directly in code.
- Do not store API keys in files inside your application's source tree.
- Delete unused application keys.
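
The following is an added example, not Elastic Path code, of keeping API keys out of the source tree: the client ID and client secret are read from the process environment, and the access token is cached and renewed shortly before it expires. The variable names `EP_CLIENT_ID` and `EP_CLIENT_SECRET`, the `fetch` callable, and the 30-second margin are assumptions; `fetch` stands in for the real token request, which this page does not describe.

```python
import os
import time


class MissingCredentials(RuntimeError):
    """Raised when the API keys are not present in the environment."""


def load_api_keys(env=os.environ):
    """Return (client_id, client_secret) from the environment.

    EP_CLIENT_ID and EP_CLIENT_SECRET are assumed names, not defined by the page.
    Failing here is deliberate: there is no hard-coded fallback key.
    """
    try:
        return env["EP_CLIENT_ID"], env["EP_CLIENT_SECRET"]
    except KeyError as missing:
        raise MissingCredentials(f"environment variable {missing} is not set") from None


class TokenProvider:
    """Caches an access token and requests a new one shortly before it expires."""

    def __init__(self, fetch, env=os.environ, clock=time.monotonic, margin=30):
        self._client_id, self._client_secret = load_api_keys(env)
        # fetch is a hypothetical callable:
        #   fetch(client_id, client_secret) -> (access_token, lifetime_in_seconds)
        self._fetch = fetch
        self._clock = clock
        self._margin = margin  # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def __repr__(self):
        # Keep the client secret and the token out of logs and tracebacks.
        return f"TokenProvider(client_id={self._client_id!r}, client_secret=<redacted>)"

    def token(self):
        """Return a valid access token, fetching a new one only when needed."""
        now = self._clock()
        if self._token is None or now >= self._expires_at - self._margin:
            self._token, lifetime = self._fetch(self._client_id, self._client_secret)
            self._expires_at = now + lifetime
        return self._token
```

Set the two variables through the deployment platform's secret store or the shell environment rather than a file committed with the application.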