object

Requires unauthenticated_read_customers access scope.

A unique authentication token that identifies a logged-in customer and authorizes modifications to the Customer object. The token is required for customer-specific operations like updating profile information or managing addresses.

Tokens have an expiration date and must be renewed using customerAccessTokenRenew before they expire. Create tokens with customerAccessTokenCreate using legacy customer account authentication (email and password), or with customerAccessTokenCreateWithMultipass for single sign-on flows.

•String!
non-null

The customer’s access token.

•DateTime!
non-null

The date and time when the customer access token expires.



•mutation

For legacy customer accounts only.

Creates a CustomerAccessToken using the customer's email and password. The access token is required to read or modify the Customer object, such as updating account information or managing addresses.

The token has an expiration time. Use customerAccessTokenRenew to extend the token before it expires, or create a new token if it's already expired.


Caution

This mutation handles customer credentials. Always transmit requests over HTTPS and never log or expose the password.


Arguments

•CustomerAccessTokenCreateInput!
required

The fields used to create a customer access token.


•mutation

Creates a CustomerAccessToken using a multipass token instead of email and password. This enables single sign-on for customers who authenticate through an external system.

If the customer doesn't exist in Shopify, then a new customer record is created automatically. If the customer exists but the record is disabled, then the customer record is re-enabled.


Caution

Multipass tokens are only valid for 15 minutes and can only be used once. Generate tokens on-the-fly when needed rather than in advance.


Arguments

•String!
required

A valid multipass token to be authenticated.


•mutation

Extends the validity of a CustomerAccessToken before it expires. The renewed token maintains authenticated access to customer operations.

Renewal must happen before the token's expiresAt time. If a token has already expired, then use customerAccessTokenCreate to generate a new token with the customer's credentials.


Caution

Store access tokens securely. Never store tokens in plain text or insecure locations, and avoid exposing them in URLs or logs.


Arguments

•String!
required

The access token used to identify the customer.


•mutation

Activates a customer account using an activation token received from the customerCreate mutation. The customer sets their password during activation and receives a CustomerAccessToken for authenticated access.

For a simpler approach that doesn't require parsing the activation URL, use customerActivateByUrl instead.


Caution

This mutation handles customer credentials. Always use HTTPS and never log or expose the password or access token.


Arguments

•ID!
required

Specifies the customer to activate.

•CustomerActivateInput!
required

The fields used to activate a customer.


•mutation

Activates a customer account using the full activation URL from the customerCreate mutation. This approach simplifies activation by accepting the complete URL directly, eliminating the need to parse it for the customer ID and activation token. Returns a CustomerAccessToken for authenticating subsequent requests.


Caution

Store the returned access token securely. It grants access to the customer's account data.


Arguments

•URL!
required

The customer activation URL.

•String!
required

A new password set during activation.


•mutation

Resets a customer's password using the reset token from a password recovery email. On success, returns the updated Customer and a new CustomerAccessToken for immediate authentication.

Use the customerRecover mutation to send the password recovery email that provides the reset token. Alternatively, use customerResetByUrl if you have the full reset URL instead of the customer ID and token.


Caution

This mutation handles sensitive customer credentials. Validate password requirements on the client before submission.


Arguments

•ID!
required

Specifies the customer to reset.

•CustomerResetInput!
required

The fields used to reset a customer’s password.


•mutation

Resets a customer's password using the reset URL from a password recovery email. The reset URL is generated by the customerRecover mutation.

On success, returns the updated Customer and a new CustomerAccessToken for immediate authentication.


Caution

This mutation handles customer credentials. Ensure the new password is transmitted securely and never logged or exposed in client-side code.


Arguments

•URL!
required

The customer's reset password URL.

•String!
required

New password that will be set as part of the reset password process.
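The cautions above say passwords, access tokens and the activation and reset URLs must never reach logs. One way to enforce that at the logging boundary is shown below as an added example (not Shopify's code). The key names in `SENSITIVE_KEYS` and the sample request and response are assumptions and constructed values.

```javascript
// Added example, not Shopify code. Key names below are assumed to match the
// argument and payload field names your client uses; extend the set as needed.
const SENSITIVE_KEYS = new Set([
  "password", "accessToken", "customerAccessToken", "multipassToken",
  "activationToken", "resetToken", "activationUrl", "resetUrl",
]);
const REDACTED = "[REDACTED]";

// Returns a deep copy that is safe to log; the input is never mutated.
function redactForLog(value) {
  if (Array.isArray(value)) return value.map((item) => redactForLog(item));
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    if (!SENSITIVE_KEYS.has(key) || inner === null || inner === undefined) {
      out[key] = redactForLog(inner);
    } else if (typeof inner === "object") {
      // e.g. a payload's token object: recurse so expiresAt stays visible
      out[key] = redactForLog(inner);
    } else {
      out[key] = REDACTED; // scalar secret (password, token string, URL)
    }
  }
  return out;
}

// Constructed sample request and response (all values are made up).
const sampleRequest = {
  operation: "customerAccessTokenCreate",
  variables: { input: { email: "pat@example.com", password: "correct-horse" } },
};
const sampleResponse = {
  data: { customerAccessTokenCreate: {
    customerAccessToken: { accessToken: "tok_constructed_123", expiresAt: "2030-01-01T00:00:00Z" },
  } },
};

function demoRedaction() {
  return JSON.stringify([redactForLog(sampleRequest), redactForLog(sampleResponse)]);
}
console.log(demoRedaction());
```

Activation and reset URLs are redacted whole because the URL itself carries the token.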


•mutation

Updates a customer's personal information such as name, password, and marketing preferences. Requires a valid CustomerAccessToken to authenticate the customer making the update.

If the customer's password is updated, then all previous access tokens become invalid. The mutation returns a new access token in the payload to maintain the customer's session.


Caution

Password changes invalidate all existing access tokens. Ensure your app handles the new token returned in the response to avoid logging the customer out.


Arguments

•String!
required

The access token used to identify the customer.

•CustomerUpdateInput!
required

The customer object input.
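The renewal rule (renew before `expiresAt`, create a new token after it) and the token swap after a password change can be handled in one place in the client. The sketch below is an added example, not Shopify's code; the renewal window, the session shape, and the payload field names `customerAccessToken` and `customerUserErrors` are assumptions.

```javascript
// Added example, not Shopify code. The one-day renewal window is an assumption.
const RENEW_WINDOW_MS = 24 * 60 * 60 * 1000;

// Decide what to do with a stored token { accessToken, expiresAt }:
//   "use"    - still comfortably valid
//   "renew"  - valid but close to expiry: call customerAccessTokenRenew
//   "create" - missing, unparseable or expired: the customer must sign in again
function nextTokenAction(token, now = new Date()) {
  if (!token || !token.accessToken) return "create";
  const expires = Date.parse(token.expiresAt);
  if (Number.isNaN(expires)) return "create"; // fail closed on a bad expiry
  const remaining = expires - now.getTime();
  if (remaining <= 0) return "create"; // renewal is only possible before expiry
  return remaining <= RENEW_WINDOW_MS ? "renew" : "use";
}

// Apply a customerUpdate payload to the session. A password change invalidates
// every earlier token, so the token returned in the payload must replace ours.
function applyCustomerUpdate(session, payload, passwordChanged) {
  const errors = (payload && payload.customerUserErrors) || [];
  if (errors.length > 0) return session; // update rejected: old token still stands
  const fresh = payload && payload.customerAccessToken;
  if (fresh && fresh.accessToken) {
    return { ...session, token: { accessToken: fresh.accessToken, expiresAt: fresh.expiresAt } };
  }
  // Password changed but no replacement token came back: the stored token is
  // dead, so drop it and force a fresh sign-in instead of retrying with it.
  return passwordChanged ? { ...session, token: null } : session;
}

// Constructed sample values.
const sampleNow = new Date("2025-01-10T00:00:00Z");
const sampleSession = {
  customerId: "constructed-customer-1",
  token: { accessToken: "tok_old_constructed", expiresAt: "2025-01-10T12:00:00Z" },
};
const samplePayload = {
  customerAccessToken: { accessToken: "tok_new_constructed", expiresAt: "2025-03-01T00:00:00Z" },
  customerUserErrors: [],
};

console.log(nextTokenAction(sampleSession.token, sampleNow)); // token is inside the window
const updated = applyCustomerUpdate(sampleSession, samplePayload, true);
console.log(nextTokenAction(updated.token, sampleNow));
```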


