Now that we have a comprehensive understanding of the project structure, it's important to address API authentication before we proceed with calling VTEX Core Commerce APIs. VTEX strongly advises against using the AppKey and AppToken pair in VTEX IO apps. Instead, the recommended practice is to use the VTEX ID token.
Every app developed on VTEX IO represents a resource on the platform. This allows an app to interact with other systems on behalf of itself, duly authorized by the account administrator. It is the responsibility of the app developer to declare the necessary permissions. In practical terms, this entails:
- Declaring both the endpoint and the roles required to access any API in the app's manifest.json file.
- Making requests with a VTEX ID token instead of the AppKey and AppToken pair. For more information, refer to App authentication using auth tokens.
Logging the app token
Each VTEX IO app is issued a corresponding authToken. This token can be obtained from the ctx object and contains all the permissions declared in the policies field of the app's manifest.json file.
To inspect the authToken of an app, go to the node/middlewares/validate.ts file and add the highlighted log code.
Checking the app token
With the app linked to your development workspace, access the service route and check the content logged in the terminal. Use the following URL format: https://{workspace}-{account}.myvtex.com/_v/status/:code, replacing {workspace} and {account} according to your scenario, and :code with 200.
Decoding the app token
Check the content of this token using a platform such as jwt.io. This decoded representation provides valuable details, including the associated account and workspace, user and role information, as well as timestamps for token validity.
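As an added example (not part of the original tutorial or VTEX's own code), the same decoding can be done locally in TypeScript, which also yields a signature-free form of the token that can be logged without exposing a usable credential. The sample token and its claim names (account, workspace) are constructed for illustration, and the signature is not verified.

```typescript
// Added example: decode a JWT-style token locally, without verifying its signature.
interface TokenSummary {
  header: Record<string, unknown>
  claims: Record<string, unknown>
  expired: boolean | null // null when the token carries no numeric exp claim
  redacted: string // header and payload only; cannot be replayed as a credential
}

function decodeSegment(segment: string): Record<string, unknown> {
  // base64url -> base64, restoring the padding that JWTs strip
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4)
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0))
  return JSON.parse(new TextDecoder().decode(bytes))
}

function describeToken(token: string, nowSeconds: number): TokenSummary {
  const parts = token.split('.')
  if (parts.length !== 3) {
    throw new Error('expected three dot-separated segments')
  }
  const header = decodeSegment(parts[0])
  const claims = decodeSegment(parts[1])
  const exp = claims.exp
  return {
    header,
    claims,
    expired: typeof exp === 'number' ? nowSeconds >= exp : null,
    redacted: `${parts[0]}.${parts[1]}.<signature removed>`,
  }
}

// Constructed sample token: claim names and values are illustrative only.
function encodeSegment(value: object): string {
  const b64 = btoa(JSON.stringify(value))
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
}

const sampleToken = [
  encodeSegment({ alg: 'ES256', typ: 'JWT' }),
  encodeSegment({ account: 'exampleaccount', workspace: 'dev', iat: 1700000000, exp: 1700086400 }),
  'constructed-signature',
].join('.')

console.log(describeToken(sampleToken, 1700000100))
```

Decoding only reads the claims; it says nothing about whether the token is authentic, so it is suitable for inspection during development, not for authorization decisions.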