---
title: Session Token API
description: The API for interacting with session tokens.
api_version: 2026-04
api_name: checkout-ui-extensions
source_url:
  html: >-
    https://shopify.dev/docs/api/checkout-ui-extensions/latest/target-apis/platform-apis/session-token-api
  md: >-
    https://shopify.dev/docs/api/checkout-ui-extensions/latest/target-apis/platform-apis/session-token-api.md
---

# Session Token API

The API for interacting with session tokens.

### Supported targets

* purchase.address-autocomplete.format-suggestion
* purchase.address-autocomplete.suggest
* purchase.checkout.actions.render-before
* purchase.checkout.block.render
* purchase.checkout.cart-line-item.render-after
* purchase.checkout.cart-line-list.render-after
* purchase.checkout.chat.render
* purchase.checkout.contact.render-after
* purchase.checkout.delivery-address.render-after
* purchase.checkout.delivery-address.render-before
* purchase.checkout.footer.render-after
* purchase.checkout.header.render-after
* purchase.checkout.payment-method-list.render-after
* purchase.checkout.payment-method-list.render-before
* purchase.checkout.pickup-location-list.render-after
* purchase.checkout.pickup-location-list.render-before
* purchase.checkout.pickup-location-option-item.render-after
* purchase.checkout.pickup-point-list.render-after
* purchase.checkout.pickup-point-list.render-before
* purchase.checkout.reductions.render-after
* purchase.checkout.reductions.render-before
* purchase.checkout.shipping-option-item.details.render
* purchase.checkout.shipping-option-item.render-after
* purchase.checkout.shipping-option-list.render-after
* purchase.checkout.shipping-option-list.render-before
* purchase.thank-you.announcement.render
* purchase.thank-you.block.render
* purchase.thank-you.cart-line-item.render-after
* purchase.thank-you.cart-line-list.render-after
* purchase.thank-you.chat.render
* purchase.thank-you.customer-information.render-after
* purchase.thank-you.footer.render-after
* purchase.thank-you.header.render-after

## StandardApi

The base API object provided to `purchase` extension targets.

* **sessionToken** **SessionToken** **required**

  The session token providing a set of claims as a signed JSON Web Token (JWT).

  The token has a TTL of five minutes.

  If the previous token expires, this value reflects a new session token with a new signature and expiry.

  Refer to [session token examples](https://shopify.dev/docs/api/checkout-ui-extensions/2026-04/apis/session-token) for more information.

### SessionToken

Authenticates requests between your extension and your app backend. Use session tokens to verify the identity of the buyer and the shop context when making server-side API calls. The token is a signed JWT that contains claims such as the customer ID, shop domain, and expiration.

* get

  Requests a session token that hasn't expired. You should call this method every time you need to make a request to your backend in order to get a valid token. This method returns cached tokens when possible, so you don't need to worry about storing these tokens yourself.

  ```ts
  () => Promise<string>
  ```

## useSessionToken()

Returns the session token API object.

### Returns

* **SessionToken**

### SessionToken

Authenticates requests between your extension and your app backend. Use session tokens to verify the identity of the buyer and the shop context when making server-side API calls. The token is a signed JWT that contains claims such as the customer ID, shop domain, and expiration.

* **get** **() => Promise\<string>**

  Requests a session token that hasn't expired. You should call this method every time you need to make a request to your backend in order to get a valid token. This method returns cached tokens when possible, so you don't need to worry about storing these tokens yourself.

### Examples

* #### Using a session token with fetch()

  ##### Description

  You can request a session token from Shopify to use on your application server. The contents of the token claims are signed using your shared app secret so you can trust the claims came from Shopify unaltered.

  > Note: You will need to [enable the `network_access` capability](/docs/api/checkout-ui-extensions/configuration#network-access) to use `fetch()`.

  ##### Preact

  ```jsx
  import '@shopify/ui-extensions/preact';
  import {render} from 'preact';
  import {useEffect} from 'preact/hooks';

  export default function extension() {
    render(<Extension />, document.body);
  }

  function Extension() {
    const {sessionToken} = shopify;

    useEffect(() => {
      async function queryApi() {
        // Request a new (or cached) session token from Shopify
        const token = await shopify.sessionToken.get();
        // Debug output only; keep bearer tokens out of production logs
        console.log('sessionToken.get()', token);

        const apiResponse = await fetchWithToken(token);
        // Use your response
        console.log('API response', apiResponse);
      }

      // Send the token to the app backend as a Bearer credential
      function fetchWithToken(token) {
        const result = fetch(
          'https://myapp.com/api/session-token',
          {
            headers: {
              Authorization: `Bearer ${token}`,
            },
          },
        );
        return result;
      }

      queryApi();
    }, [sessionToken]);

    return (
      <s-banner>See console for API response</s-banner>
    );
  }
  ```

* #### Session token claims

  ##### Description

  The contents of the token are signed using your shared app secret. The optional `sub` claim contains the customer's `gid` if they are logged in and your app has permission to read customer accounts. For example, a loyalty app that needs to check a customer's point balance can use the `sub` claim to verify the customer's account.

  > Caution:
  > Your app server can only trust the claims within the session token. It cannot use the token to trust the entire HTTP request. See [security considerations](/docs/api/checkout-ui-extensions/configuration#network-access) for details.

  ##### session-token.jwt

  ```json
  {
    // Shopify URL
    "dest": "store-name.myshopify.com",
    // The Client ID of your app
    "aud": "",
    // When the token expires. Set at 5 minutes.
    "exp": 1679954053,
    // When the token was activated
    "nbf": 1679953753,
    // When the token was issued
    "iat": 1679953753,
    // A unique identifier (a nonce) to prevent replay attacks
    "jti": "6c992878-dbaf-48d1-bb9d-6d9b59814fd1",
    // Optional claim present when a customer is logged in and your app has permissions to read customer data
    "sub": "gid://shopify/Customer/"
  }
  ```

## Related

* [Reference - Targets](https://shopify.dev/docs/api/checkout-ui-extensions/targets)
* [Reference - Components](https://shopify.dev/docs/api/checkout-ui-extensions/components)
* [Reference - Configuration](https://shopify.dev/docs/api/checkout-ui-extensions/configuration)
* [Learn - Tutorials](https://shopify.dev/apps/checkout)
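
Added example, not part of Shopify's documentation: one way an app backend could check the token sent by the `fetch()` example before trusting the claims listed under "Session token claims". It assumes Node.js and an HS256 (HMAC-SHA256) signature keyed with the app secret; `verifySessionToken` and `signToken` are hypothetical helper names, and the secret, client ID and demo token are constructed values.

```javascript
// Added example (not Shopify's code). Assumes HS256 keyed with the app secret.
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Hypothetical helper: signs constructed claims so the verifier can be exercised offline.
function signToken(claims, secret, header = {alg: 'HS256', typ: 'JWT'}) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = crypto.createHmac('sha256', secret).update(input).digest('base64url');
  return `${input}.${sig}`;
}

// Returns the verified claims, or throws with the reason the token was rejected.
function verifySessionToken(token, {secret, clientId, now = Date.now() / 1000, skew = 5}) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;

  // Pin the algorithm; the token header must not choose it (rejects "alg": "none").
  let header;
  try {
    header = JSON.parse(Buffer.from(h, 'base64url').toString());
  } catch {
    throw new Error('malformed token');
  }
  if (header?.alg !== 'HS256') throw new Error('unexpected alg');

  // Recompute the HMAC over "header.payload" and compare in constant time.
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Parse the payload only after the signature checks out, then validate claims.
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.aud !== clientId) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || now > claims.exp + skew) throw new Error('expired');
  if (typeof claims.nbf === 'number' && now < claims.nbf - skew) throw new Error('not yet valid');
  return claims;
}

// Constructed demo values, not a real Shopify token or secret.
const demoClaims = {dest: 'store-name.myshopify.com', aud: 'demo-client-id',
  exp: 1679954053, nbf: 1679953753, iat: 1679953753};
const demoToken = signToken(demoClaims, 'demo-app-secret');
console.log(verifySessionToken(demoToken,
  {secret: 'demo-app-secret', clientId: 'demo-client-id', now: 1679953800}));
```

After verification, `dest` identifies the shop and the optional `sub` identifies the logged-in customer; everything else in the HTTP request remains untrusted input.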