Overview

Authentication

The storefront API authenticates requests with a JWT access token. You can obtain an access token using either your API key or a session token.

Your API keys carry many privileges, so keep them secret. Never expose a secret API key in a publicly accessible place such as a GitHub repository or client-side code. Because storefront code runs in the customer's browser, the API-key exchange belongs on your own server; browser code should use the session-token flow described below.

A customer always lands on the portal with a session token, which they receive through one of several flows, such as an email notification, a generated magic link, or a reactivation campaign.

The following diagram shows how the session token is used to gain access to the portal.

Diagram: Storefront authentication flow

Tokens

  • Session token - entry token; expires after 1 day
  • Access token - auth token sent with every storefront API request; expires after 4 days
  • Refresh token - used to rotate the access token; expires after 30 days

A session token is exchanged for a refresh token and an access token in a single API call, which saves one round trip per new login. Afterwards, the refresh token is used to rotate the access token, producing a fresh access token. Because a refresh token stays valid for 30 days, treat it as a long-lived credential and store it accordingly.

The access token is sent as a bearer token in the Authorization header of every storefront API request.

Login with Shopify customer account

Endpoint:
POST /a/loop_subscriptions/storefront/auth/accessToken

Description:
This endpoint validates the Shopify customer session and returns a Loop access token if the customer is authenticated.

Behavior:

  • Returns 401 Unauthorized if:
    • the customer is not logged into their Shopify account, or
    • the customer does not exist in Loop.
  • On success, returns an accessToken in the response payload.

Response Example (200 OK):

{
    "success": true,
    "message": "Access token generated successfully",
    "data": {
        "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyVHlwZSI6IkNVU1RPTUVSIiwidXNlcklkIjo2Mjg2NzE5NywidXNlclNob3BpZnlJZCI6NzMwMjg0MzMzNDgyOSwic3RvcmVJZCI6ODE2MiwibXlzaG9waWZ5RG9tYWluIjoiYmVjYXVzZW1hcmtldC1wcmdhasdkjn2jdkhqdsajhjkd1klxhdndkndasXh0IjpudWxsLCJpYXQiOjE3NDg5NTE3OTgsImV4cCI6MTc0OTI5NzM5OH0.cWxEG00rYhhU3jEA3Xrh9DEUQiXYzRQ07ThwypVd7ZM"
    }
}

Response Example (401 Unauthorized):

{
    "success": false,
    "message": "Unauthorized",
    "data": {}
}

Usage:
Use the returned accessToken to authenticate requests to the Loop Storefront API.

Note: This endpoint only works when called from the Shopify storefront, because it relies on the customer's Shopify login session.
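The token handling described in the Tokens section and the Shopify-login endpoint above, as an added browser-side example. This is not Loop's own code; the only endpoint taken from the page is POST /a/loop_subscriptions/storefront/auth/accessToken, and the response shapes follow the 200 and 401 examples above. The 5-minute renewal margin, the injectable fetch, the in-memory token cache and the test-token helper are assumptions for illustration. The page does not document the session-token or refresh-token endpoints, so when an access token needs renewing this client repeats the Shopify session exchange rather than calling a refresh endpoint.

```javascript
// Added example (not Loop's own code): a browser-side client for the storefront
// auth flow described on this page. The only documented endpoint used is
// POST /a/loop_subscriptions/storefront/auth/accessToken; the renewal margin,
// the injectable fetch and the test-token helper are assumptions for illustration.

const ACCESS_TOKEN_ENDPOINT = '/a/loop_subscriptions/storefront/auth/accessToken';

// Decode one base64url segment to a UTF-8 string (works in Node and browsers).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - (segment.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), (c) => c.charCodeAt(0)));
}

// Read the JWT payload WITHOUT verifying the signature. The browser never holds
// the HS256 key, so the client may only use claims such as `exp` for scheduling;
// every authorization decision stays on the Loop server.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token has expired or expires within `marginSeconds` (assumed
// 5 minutes here), so it is renewed before a request fails with 401.
function needsRenewal(token, nowSeconds = Math.floor(Date.now() / 1000), marginSeconds = 300) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: treat as unusable
  return exp - nowSeconds <= marginSeconds;
}

// Exchange the customer's Shopify login session for a Loop access token.
// credentials: 'include' sends the storefront's own cookies, which is what the
// endpoint validates. Returns null on 401 (customer not logged into Shopify, or
// unknown to Loop), the two documented failure cases.
async function fetchAccessToken(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(ACCESS_TOKEN_ENDPOINT, {
    method: 'POST',
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error(`accessToken endpoint returned HTTP ${res.status}`);
  const body = await res.json();
  if (!body.success || !body.data || typeof body.data.accessToken !== 'string') {
    throw new Error('unexpected accessToken response shape');
  }
  return body.data.accessToken;
}

// Client that keeps the access token in memory only (not localStorage, where any
// script injected into the page could read it), renews it before the 4-day expiry
// and sends it as a Bearer token on every storefront API call.
function createStorefrontClient({ fetchImpl = globalThis.fetch,
                                  now = () => Math.floor(Date.now() / 1000) } = {}) {
  let accessToken = null;

  async function getToken() {
    if (accessToken && !needsRenewal(accessToken, now())) return accessToken;
    accessToken = await fetchAccessToken(fetchImpl);
    return accessToken; // null: the customer has to log in to Shopify first
  }

  async function request(path, init = {}) {
    const token = await getToken();
    if (token === null) return { status: 401, body: null, loginRequired: true };
    const res = await fetchImpl(path, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: `Bearer ${token}` },
    });
    if (res.status === 401) accessToken = null; // rejected server-side: re-exchange next time
    return { status: res.status, body: res.ok ? await res.json() : null, loginRequired: false };
  }

  return { request, getToken };
}

// --- Constructed fixtures for local testing (not real Loop tokens) -----------
function base64UrlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds a token with the page's header (HS256) and the given claims but a dummy
// signature; it lets the client logic run offline and would be rejected by Loop.
function makeTestToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.not-a-real-signature`;
}
```

Two design points worth noting: the client decodes the JWT only to read `exp`, never to make an authorization decision, because the HS256 signing key is held by Loop and the browser cannot verify the token; and the token is held in a closure rather than persisted, so the only way to obtain it is through the documented endpoint with a live Shopify session.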