When working on VTEX IO apps, you generally won't have to make direct requests to VTEX APIs. This is because VTEX IO already provides convenient access to VTEX APIs through pre-defined clients. Hence, using application keys within your app will often be unnecessary. When necessary, the recommended approach involves employing authentication tokens.
We recommend using the VTEX IO clients package when possible. In this context, every client method accepts an optional argument called authMethod, which receives one of three authentication options, indicating which token will be used in this request.
The tokens are available via the VTEX IO context and are associated with different permissions.
You can import the context type in your app as follows: import { IOContext } from '@vtex/api'. In the table below, ctx stands for a value of this type.
See the table below to learn about each token.
Token | authMethod | Via context | Description | Permissions |
---|---|---|---|---|
App authentication token (default) | AUTH_TOKEN | ctx.authToken | Every VTEX IO app has its own temporary authentication token. We recommend you avoid using this app token whenever user tokens are available. | Permissions declared in the policies in your app's manifest. In this file, developers must declare precisely what actions are allowed for the app they are building. |
Store user token | STORE_TOKEN | ctx.storeUserAuthToken | User token with store scope. | Shopper permissions. |
Admin user token | ADMIN_TOKEN | ctx.adminUserAuthToken | User token with Admin scope. | Administrative permissions as defined by License Manager roles associated with the logged in user. |
If your project requires features not provided by the available clients, we recommend creating your own clients following the same authentication logic.
Authenticate your apps' actions with user tokens whenever possible. Currently, app authentication tokens are not subject to License Manager permissions. We recommend that you consider this when defining your app's architecture and configuring policies.
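The sketch below is an added example, not code from VTEX or from the clients package. It shows a custom client method that accepts an optional authMethod and fails closed when the requested user token is missing, instead of silently using the app token. TokenContext, resolveToken, makeOrdersClient, the Send transport, the /orders path and all token values are hypothetical stand-ins; the VtexIdclientAutCookie header name is an assumption not stated on this page.

```typescript
// Local stand-ins for this example; real apps use IOContext from '@vtex/api'.
type AuthMethod = 'AUTH_TOKEN' | 'STORE_TOKEN' | 'ADMIN_TOKEN'

interface TokenContext {
  authToken: string
  storeUserAuthToken?: string
  adminUserAuthToken?: string
}

// Map authMethod to the context field from the table above.
// Fail closed: a missing user token never degrades to the app token,
// because the app token is not subject to License Manager permissions.
function resolveToken(ctx: TokenContext, authMethod: AuthMethod = 'AUTH_TOKEN'): string {
  const byMethod: Record<AuthMethod, string | undefined> = {
    AUTH_TOKEN: ctx.authToken,
    STORE_TOKEN: ctx.storeUserAuthToken,
    ADMIN_TOKEN: ctx.adminUserAuthToken,
  }
  const token = byMethod[authMethod]
  if (!token) {
    throw new Error(`authMethod ${authMethod} requested but the context has no such token`)
  }
  return token
}

// Hypothetical transport signature so the example runs offline.
type Send = (path: string, headers: Record<string, string>) => string

// Hypothetical custom client: each method takes an optional authMethod.
function makeOrdersClient(ctx: TokenContext, send: Send) {
  return {
    getOrder(orderId: string, authMethod?: AuthMethod): string {
      // Assumed header name (not from this page) carrying the chosen token.
      const headers = { VtexIdclientAutCookie: resolveToken(ctx, authMethod) }
      return send(`/orders/${encodeURIComponent(orderId)}`, headers)
    },
  }
}

// Constructed sample contexts: an anonymous request and a logged-in Admin request.
const anonymousCtx: TokenContext = { authToken: 'app-token-sample' }
const adminCtx: TokenContext = {
  authToken: 'app-token-sample',
  adminUserAuthToken: 'admin-token-sample',
}
// Constructed transport that echoes which token a call would send.
const echo: Send = (path, headers) => `${path} as ${headers.VtexIdclientAutCookie}`
```

Calling getOrder with ADMIN_TOKEN on anonymousCtx throws rather than sending the app token, so an action meant to run under a user's License Manager roles cannot run with the app's manifest policies instead.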