1. Publishable key — identifies the store
- What it does: tells the API which store. Like Stripe’s publishable keys, it can live in the client (web/mobile).
- What it does NOT do: it does not authenticate a user and is rejected on
/admin/*and/super-admin/*. The blast radius of a leaked key is limited to the storefront. - Format:
cx_pk_<live|test>_<slug>_<random>. Usetestonly in development. - It can have origin restrictions and can be rotated/revoked by the operator.
2. Customer session — shopper account
For account areas (orders, addresses, wishlist, subscriptions) the customer logs in and gets a token:
Registration/login:
POST /auth/register, POST /auth/login (with 2FA if enabled),
POST /auth/refresh, Google OAuth. See the API Reference.
3. Staff token — Admin API
The/admin/* endpoints require a staff account (JWT) with the right permissions
(catalog, sales, customers, content, marketing, reports, tax, users, system…).
- The token carries the
tenant_idclaim: every session is bound to its store (leak-proof multi-tenant isolation). - Admin mutations are audit-logged.
- Publishable keys never grant access here.