Security
Store administrators and team members share responsibility for keeping a store secure.
User Credentials
Store admins receive their user credentials from Elastic Path to log in to Composable Commerce. Store admins can invite team members to work on a store.
After a team member receives an invitation to a Composable Commerce store, they register and create their username and password. Store admins do not have access to the user credentials of the team members.
Never share your user credentials.
API Authentication Credentials
All API requests must contain a generated access token for authentication purposes. To generate an access token, you need your API keys. API keys are the client ID and client secret. Access tokens expire after a predefined period of time. Application keys are used manage your own keys directly. They are not associated to a specific user, and are identified based on their names.
Never share your API keys or generated access tokens.
You can generate different types of access tokens based on the level of access needed for a particular task.
client_credentials
token - Enables full access to all resources in the store. Use this type of token to create, read, update, or delete resources by using the API.implicit
token - Enables read access to resources in the store. Use this type of token to perform actions that a store customer would do, that is, access live resources available from the storefront.
In addition, an account
or customer
token is required to access a shopper profile, including addresses and order history when using an implicit
token.
Removing a team member removes the unique ClientID and Client Secret associated with that team member.
Single Sign-on
Single sign-on allows authentication with Commerce using an external authentication provider. Using an existing authentication provider allows for integration with company-specific or customizable authentication systems. In some cases, it can also simplify the log-in experience because they don’t need to remember another password. For more information, see Single Sign-on.