X-Scalev-Storefront-Api-Key identifies the store and allows anonymous public storefront routes. X-Scalev-Guest-Token keeps the same guest cart across page reloads. Authorization: Bearer <customer_access_token> authenticates a signed-in customer on /customers/me/*.
Storefront API key
A valid Storefront API key only enables runtime access when the business has an active Basic, Pro, or Ultimate plan. Free, Lite, inactive, or unpaid businesses can still configure keys and allowed origins, but public Storefront API calls return the same Store not found response as an unknown store or invalid key.
Public storefront routes require:
Guest cart token
Guest cart routes return and accept:
Call GET /public/cart or POST /public/cart/items without a guest token, then read X-Scalev-Guest-Token from the response headers and send it back on every later cart request.
The header name is X-Scalev-Guest-Token; X-Guest-Token is not part of the v3 Storefront API contract.
Customer auth model
Anonymous customer auth starts under: X-Scalev-Storefront-Api-Key, because the browser is not signed in yet.
After login, account routes use the customer JWT:
gross_revenue, destination address, shipment fields, customer data, and order lines. They do not return business analytics, net revenue, platform fees, provider internals, CRM history, affiliate data, or raw metadata. The response also keeps the fields used by the Scalev customer portal, including store.name, store.logo, store.unique_id, store display flags, store payment_accounts for manual bank transfer instructions, final_variants, status_history, and dropshipper display totals.
Customer access and refresh tokens are browser-held credentials. Use a strict Content Security Policy, avoid untrusted third-party scripts, keep dependencies current, and sanitize any customer- or merchant-provided HTML before rendering it in the storefront.
Sign in
Start sign-in with:
200 with customer tokens:
200 with a message. Show the one-time-code field and call:
Token refresh and logout
Refresh a customer session with:
Store the new refresh value from the response and discard the previous one. Reusing an already-rotated refresh token revokes that token family and requires a new sign-in.
Revoke tokens with:
204 with an empty body.
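As an added example (not Scalev's own SDK or documentation code), a small JavaScript client that applies the three header rules from the auth model above and handles the refresh-token rotation described in this section, driven by a constructed in-memory fake server so it runs offline. The fake endpoint paths other than /customers/me/*, the response field names access and refresh, the 404 status used for Store not found, and the sk_test key are assumptions.

```javascript
class StorefrontClient {
  constructor(apiKey, fetchImpl) {
    this.apiKey = apiKey; this.fetchImpl = fetchImpl;
    this.guestToken = null;   // X-Scalev-Guest-Token learned from the first cart response
    this.tokens = null;       // { access, refresh } once the customer is signed in
  }
  async request(method, path, body) {
    const headers = { 'X-Scalev-Storefront-Api-Key': this.apiKey };  // identifies the store
    if (this.guestToken) headers['X-Scalev-Guest-Token'] = this.guestToken;  // same cart across reloads
    // Only account routes carry the customer JWT; anonymous routes run under the API key alone.
    if (path.startsWith('/customers/me/') && this.tokens) headers.Authorization = `Bearer ${this.tokens.access}`;
    const res = await this.fetchImpl(path, { method, headers, body: body && JSON.stringify(body) });
    const issued = res.headers.get('X-Scalev-Guest-Token');
    if (issued) this.guestToken = issued;  // capture the server-issued guest token for later requests
    return res;
  }
  // Rotation: the response's refresh value replaces the old one, which is never sent again.
  // A non-200 here means the token family was revoked, so the customer must sign in again.
  async refresh() {
    const res = await this.request('POST', '/customers/auth/refresh', { refresh: this.tokens.refresh });
    if (res.status !== 200) { this.tokens = null; return false; }
    this.tokens = await res.json();  // assumed shape: { access, refresh }
    return true;
  }
}
// Constructed fake server: issues guest tokens and rotates refresh tokens with reuse detection.
function makeFakeFetch() {
  let counter = 0;
  const live = new Set(['r0']); let familyRevoked = false;  // refresh tokens still valid for the family
  const reply = (status, body, headers) =>
    new Response(body === undefined ? null : JSON.stringify(body), { status, headers });
  return async (path, { method, headers, body }) => {
    if (headers['X-Scalev-Storefront-Api-Key'] !== 'sk_test') return reply(404, { error: 'Store not found' });
    if (path === '/public/cart') {
      const token = headers['X-Scalev-Guest-Token'] || `guest-${++counter}`;  // reuse or mint a cart token
      return reply(200, { items: [] }, { 'X-Scalev-Guest-Token': token });
    }
    if (path.startsWith('/customers/me/')) return headers.Authorization ? reply(200, { ok: true }) : reply(401);
    if (path === '/customers/auth/refresh') {
      const { refresh } = JSON.parse(body);
      // Presenting an unknown or already-rotated token revokes the whole family.
      if (familyRevoked || !live.has(refresh)) { familyRevoked = true; live.clear(); return reply(401); }
      live.delete(refresh); const next = `r${++counter}`; live.add(next);
      return reply(200, { access: `a${counter}`, refresh: next });
    }
    return reply(404);
  };
}
```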
Password reset
Request a password reset email with:
The reset link is built from the request Origin when the request comes from an allowed Storefront API origin. Requests without an Origin header fall back to the hosted storefront custom domain and use the same /reset-password?token=... path.
Save a new password with:
Rate limits
Storefront public routes are rate-limited as direct browser/client requests, including requests that send X-Scalev-Storefront-Api-Key or X-Scalev-Guest-Token. They do not use the machine API key or OAuth app rate-limit bucket.
