Store API Accounts
Some apps and integrations require special permissions to communicate with or make changes to your store. These permissions are provided in the form of API accounts (also referred to as OAuth tokens or keys) that can be created directly from your control panel.
Most apps available in the App Marketplace are Single-Click apps, which don’t require the added steps of creating a dedicated API account and then supplying its credentials to a third party.
Creating an API Account
To create API accounts, you must be logged in as the store owner.
1. Go to Settings › API Accounts and click + Create API Account.
A maximum of 50 accounts can be created per store.
2. Select the Account type. This determines whether the new account is a V2/V3 API token or a Stencil-CLI token, which is used in theme customization. For Stencil-CLI tokens, you can select the access level. For more information, see Live Previewing a Theme in the Dev Center.
3. Enter a Name for the app/integration corresponding to this account, then copy or make a note of the API path — you'll need it to use the API account. The name must be at least four characters long.
4. Under OAuth Scopes, specify the API resources and permissions to which your app/integration requires access.
We offer a variety of OAuth Scopes for customizing and controlling access to your store's data. For more information, see our API Documentation.
5. When you’re done making changes, click Save. A successful save displays a pop-up containing the API credentials that your app will need for OAuth access, and your browser will prompt you to download a .txt file containing the same credentials for safekeeping on your computer.
Keep your credentials! There is no way to return to this pop-up after you select Done to dismiss it. Make sure you store your credentials – either by copying/pasting the contents of each field out of the pop-up or by keeping the downloaded .txt file. We recommend adding the API Path value from Step 2 to these credentials, as it is used for all API calls using the token.
Deleting an API Account
To delete a Store API account, click the … button, then select Delete from the menu.
Webhooks are a method for changing the behavior of a web page or app with custom callbacks triggered by user activity. Once you have created an API account, you will be able to view which webhooks are active or inactive on the store, which webhooks are currently blocklisted, and which domains are associated with a store.
To view the webhooks associated with an API account, click the … button, then select Edit from the menu.
You will see a list of webhook events, along with the Destination URL, Created date, and Status for each event.
To help in managing webhook events, you can set up notification emails to be sent whenever one or more events occur. This allows you to be notified whenever a webhook is deactivated or when a domain is blocklisted, allowing you to respond quickly when any issues arise.
You can enter multiple email addresses separated by commas. When you are ready, click Save.
As an app developer, what authentication options are there?
Any apps intended for sale on the BigCommerce App Marketplace must use OAuth. OAuth is compatible with all current and planned BigCommerce APIs, including v2 Webhooks and our v3 API. For more information, see our documentation on Authentication in the Dev Center.
Can I create API accounts in my trial store?
Yes, store owners can create API accounts in trial stores.
How can I enable a Legacy API account to use an app that requires it?
Legacy API accounts can no longer be created in the control panel. We recommend reaching out to the app provider about updating their integration to use Store API accounts.
If an API account is deleted, can I still modify the webhooks associated with it?
No. Any associated webhooks will become automatically deactivated after 48 hours, as the server stops responding with 200 statuses.
How can I tell which API permissions are handled by a particular OAuth Scope?
Below is a list of all available OAuth Scopes with a summary of each scope's permissions. Keep in mind that some scopes are restricted; for example, Store Logs is limited to read-only.
- Content — view and modify store content, such as web pages, blog posts, and widgets
- Checkout Content — read and create scripts on the checkout page
- Customers — manage customers, customer groups, and wish lists
- Customers Login — manage customers, log in to customer accounts on the storefront
- Information & Settings — manage store information, such as store profile contact details, date and time preferences, and default language
- Marketing — view and modify marketing banners, coupon codes, and gift certificates
- Orders — manage orders and update order statuses
- Order Transactions — view details about the payment instruments used to pay for an order
- Create Payments — process payment for an order
- Get Payment Methods — access a list of accepted payment methods for an order
- Stored Payment Instruments — view a customer’s stored payment methods
- Products — view and modify product information, including images, variants and modifiers, categories, brands, and Price Lists
- Themes — back up, restore, download, and apply themes to the storefront
- Carts — view and create carts on the storefront
- Checkouts — create checkouts from existing carts on the storefront
- Sites & Routes — link headless storefronts to sales channels and manage linked pages within the headless storefront
- Channel Settings — view and modify marketplace, POS, and storefront channels connected to your store
- Channel Listings — manage catalog differences across different storefronts and marketplaces
- Storefront API Tokens — create tokens used to authenticate cross-origin requests to the GraphQL Storefront API
- Storefront API Customer Impersonation Tokens — create tokens that allow you to view the GraphQL Storefront API as a specific customer
- Store Logs — view store logs of staff activity and system events
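
As an added illustration of step 4 and the scope list above (not BigCommerce code): a small Python review that compares the scopes granted to an API account against what the integration actually needs. The access levels, the set of scopes treated as sensitive, and the sample account are assumptions constructed for this example.

```python
# Added example: least-privilege review of a Store API account.
# Scope names come from the list on this page; the access levels, the
# SENSITIVE set and the sample account are assumptions constructed here.
LEVELS = {"none": 0, "read-only": 1, "modify": 2}

# Scopes this example treats as high impact (payment data, acting as a customer).
SENSITIVE = {
    "Create Payments",
    "Stored Payment Instruments",
    "Order Transactions",
    "Customers Login",
    "Storefront API Customer Impersonation Tokens",
}


def review_account(granted, required):
    """Compare granted scopes with what the integration needs.

    Both arguments map scope name -> access level. Returns a dict with
    'excess' (granted above need), 'missing' (need not met) and
    'sensitive' (high-impact scopes that are granted at all).
    """
    findings = {"excess": [], "missing": [], "sensitive": []}
    for scope in sorted(set(granted) | set(required)):
        have = LEVELS[granted.get(scope, "none")]
        need = LEVELS[required.get(scope, "none")]
        if have > need:
            findings["excess"].append(scope)
        elif have < need:
            findings["missing"].append(scope)
        if have > 0 and scope in SENSITIVE:
            findings["sensitive"].append(scope)
    return findings


# Constructed sample: an order-export integration that only reads orders
# and products but was created with broader access.
GRANTED = {
    "Orders": "modify",
    "Products": "read-only",
    "Customers": "modify",
    "Stored Payment Instruments": "read-only",
}
REQUIRED = {"Orders": "read-only", "Products": "read-only"}

if __name__ == "__main__":
    for kind, scopes in review_account(GRANTED, REQUIRED).items():
        print(f"{kind}: {', '.join(scopes) or '-'}")
```

Anything reported under excess or sensitive is a candidate for a replacement API account with narrower scopes.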