---
title: CustomerAccessToken - Storefront API
description: >
  A unique authentication token that identifies a logged-in customer and
  authorizes modifications to the
  [`Customer`](/docs/api/storefront/unstable/objects/Customer) object. The
  token is required for customer-specific operations like updating profile
  information or managing addresses. Tokens have an expiration date and must
  be renewed using
  [`customerAccessTokenRenew`](/docs/api/storefront/unstable/mutations/customerAccessTokenRenew)
  before they expire. Create tokens with
  [`customerAccessTokenCreate`](/docs/api/storefront/unstable/mutations/customerAccessTokenCreate)
  using legacy customer account authentication (email and password), or with
  [`customerAccessTokenCreateWithMultipass`](/docs/api/storefront/unstable/mutations/customerAccessTokenCreateWithMultipass)
  for single sign-on flows.
api_version: unstable
api_name: storefront
source_url:
  html: 'https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken'
  md: >-
    https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken.md
---

# CustomerAccessToken object

Requires `unauthenticated_read_customers` access scope.

A unique authentication token that identifies a logged-in customer and authorizes modifications to the [`Customer`](https://shopify.dev/docs/api/storefront/unstable/objects/Customer) object. The token is required for customer-specific operations like updating profile information or managing addresses. Tokens have an expiration date and must be renewed using [`customerAccessTokenRenew`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenRenew) before they expire.
Create tokens with [`customerAccessTokenCreate`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreate) using legacy customer account authentication (email and password), or with [`customerAccessTokenCreateWithMultipass`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreateWithMultipass) for single sign-on flows.

## Fields

* accessToken [String!](https://shopify.dev/docs/api/storefront/unstable/scalars/String) non-null, Token access required

  The customer’s access token.

* expiresAt [DateTime!](https://shopify.dev/docs/api/storefront/unstable/scalars/DateTime) non-null, Token access required

  The date and time when the customer access token expires.

***

## Map

No referencing types

***

## Mutations

* [customerAccessTokenCreate](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreate) mutation

  For legacy customer accounts only. Creates a [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) using the customer's email and password. The access token is required to read or modify the [`Customer`](https://shopify.dev/docs/api/storefront/unstable/objects/Customer) object, such as updating account information or managing addresses.

  The token has an expiration time. Use [`customerAccessTokenRenew`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenRenew) to extend the token before it expires, or create a new token if it's already expired.

  ***

  **Caution:** This mutation handles customer credentials. Always transmit requests over HTTPS and never log or expose the password.

  ***

  ### Arguments

  * input [CustomerAccessTokenCreateInput!](https://shopify.dev/docs/api/storefront/unstable/input-objects/CustomerAccessTokenCreateInput) required

    The fields used to create a customer access token.
***

* [customerAccessTokenCreateWithMultipass](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreateWithMultipass) mutation

  Creates a [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) using a [multipass token](https://shopify.dev/docs/api/multipass) instead of email and password. This enables single sign-on for customers who authenticate through an external system.

  If the customer doesn't exist in Shopify, then a new customer record is created automatically. If the customer exists but the record is disabled, then the customer record is re-enabled.

  ***

  **Caution:** Multipass tokens are only valid for 15 minutes and can only be used once. Generate tokens on-the-fly when needed rather than in advance.

  ***

  ### Arguments

  * multipassToken [String!](https://shopify.dev/docs/api/storefront/unstable/scalars/String) required

    A valid [multipass token](https://shopify.dev/api/multipass) to be authenticated.

***

* [customerAccessTokenRenew](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenRenew) mutation

  Extends the validity of a [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) before it expires. The renewed token maintains authenticated access to customer operations.

  Renewal must happen before the token's [`expiresAt`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken#field-CustomerAccessToken.fields.expiresAt) time. If a token has already expired, then use [`customerAccessTokenCreate`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreate) to generate a new token with the customer's credentials.

  ***

  **Caution:** Store access tokens securely. Never store tokens in plain text or insecure locations, and avoid exposing them in URLs or logs.
  ***

  ### Arguments

  * customerAccessToken [String!](https://shopify.dev/docs/api/storefront/unstable/scalars/String) required

    The access token used to identify the customer.

***

* [customerActivate](https://shopify.dev/docs/api/storefront/unstable/mutations/customerActivate) mutation

  Activates a customer account using an activation token received from the [`customerCreate`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerCreate) mutation. The customer sets their password during activation and receives a [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) for authenticated access.

  For a simpler approach that doesn't require parsing the activation URL, use [`customerActivateByUrl`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerActivateByUrl) instead.

  ***

  **Caution:** This mutation handles customer credentials. Always use HTTPS and never log or expose the password or access token.

  ***

  ### Arguments

  * id [ID!](https://shopify.dev/docs/api/storefront/unstable/scalars/ID) required

    Specifies the customer to activate.

  * input [CustomerActivateInput!](https://shopify.dev/docs/api/storefront/unstable/input-objects/CustomerActivateInput) required

    The fields used to activate a customer.

***

* [customerActivateByUrl](https://shopify.dev/docs/api/storefront/unstable/mutations/customerActivateByUrl) mutation

  Activates a customer account using the full activation URL from the [`customerCreate`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerCreate) mutation. This approach simplifies activation by accepting the complete URL directly, eliminating the need to parse it for the customer ID and activation token. Returns a [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) for authenticating subsequent requests.

  ***

  **Caution:** Store the returned access token securely. It grants access to the customer's account data.
  ***

  ### Arguments

  * activationUrl [URL!](https://shopify.dev/docs/api/storefront/unstable/scalars/URL) required

    The customer activation URL.

  * password [String!](https://shopify.dev/docs/api/storefront/unstable/scalars/String) required

    A new password set during activation.

***

* [customerReset](https://shopify.dev/docs/api/storefront/unstable/mutations/customerReset) mutation

  Resets a customer's password using the reset token from a password recovery email. On success, returns the updated [`Customer`](https://shopify.dev/docs/api/storefront/unstable/objects/Customer) and a new [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) for immediate authentication.

  Use the [`customerRecover`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerRecover) mutation to send the password recovery email that provides the reset token. Alternatively, use [`customerResetByUrl`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerResetByUrl) if you have the full reset URL instead of the customer ID and token.

  ***

  **Caution:** This mutation handles sensitive customer credentials. Validate password requirements on the client before submission.

  ***

  ### Arguments

  * id [ID!](https://shopify.dev/docs/api/storefront/unstable/scalars/ID) required

    Specifies the customer to reset.

  * input [CustomerResetInput!](https://shopify.dev/docs/api/storefront/unstable/input-objects/CustomerResetInput) required

    The fields used to reset a customer’s password.

***

* [customerResetByUrl](https://shopify.dev/docs/api/storefront/unstable/mutations/customerResetByUrl) mutation

  Resets a customer's password using the reset URL from a password recovery email. The reset URL is generated by the [`customerRecover`](https://shopify.dev/docs/api/storefront/unstable/mutations/customerRecover) mutation.
  On success, returns the updated [`Customer`](https://shopify.dev/docs/api/storefront/unstable/objects/Customer) and a new [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) for immediate authentication.

  ***

  **Caution:** This mutation handles customer credentials. Ensure the new password is transmitted securely and never logged or exposed in client-side code.

  ***

  ### Arguments

  * resetUrl [URL!](https://shopify.dev/docs/api/storefront/unstable/scalars/URL) required

    The customer's reset password URL.

  * password [String!](https://shopify.dev/docs/api/storefront/unstable/scalars/String) required

    New password that will be set as part of the reset password process.

***

* [customerUpdate](https://shopify.dev/docs/api/storefront/unstable/mutations/customerUpdate) mutation

  Updates a [customer's](https://shopify.dev/docs/api/storefront/unstable/objects/Customer) personal information such as name, password, and marketing preferences. Requires a valid [`CustomerAccessToken`](https://shopify.dev/docs/api/storefront/unstable/objects/CustomerAccessToken) to authenticate the customer making the update.

  If the customer's password is updated, then all previous access tokens become invalid. The mutation returns a new access token in the payload to maintain the customer's session.

  ***

  **Caution:** Password changes invalidate all existing access tokens. Ensure your app handles the new token returned in the response to avoid logging the customer out.

  ***

  ### Arguments

  * customerAccessToken [String!](https://shopify.dev/docs/api/storefront/unstable/scalars/String) required

    The access token used to identify the customer.

  * customer [CustomerUpdateInput!](https://shopify.dev/docs/api/storefront/unstable/input-objects/CustomerUpdateInput) required

    The customer object input.
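
The token-handling rules stated in the mutation descriptions above (renew before `expiresAt`, create a new token once it has expired, adopt the replacement token after a password change, keep credentials and tokens out of logs), written out as an added example. It is not Shopify's code: the function names, the 24-hour renewal window, the `[REDACTED]` marker and the payload shape `customerAccessToken { accessToken, expiresAt }` are assumptions.

```javascript
// Added example, not Shopify code. Names, the renewal window and the
// payload shape are assumptions made for illustration.
const SECRET_KEYS = new Set([
  'password', 'accessToken', 'customerAccessToken',
  'multipassToken', 'activationUrl', 'resetUrl',
]);

// Deep-copy GraphQL variables or payloads with secret fields masked,
// so the result is safe to pass to a logger.
function redactSecrets(value) {
  if (Array.isArray(value)) return value.map(redactSecrets);
  if (value === null || typeof value !== 'object') return value;
  const out = {};
  for (const [key, inner] of Object.entries(value)) {
    out[key] = SECRET_KEYS.has(key) ? '[REDACTED]' : redactSecrets(inner);
  }
  return out;
}

// Decide what to do with a stored token:
//   'use'            still valid, outside the renewal window
//   'renew'          valid but close to expiresAt: call customerAccessTokenRenew
//   'reauthenticate' missing, malformed or expired: create a new token
function nextTokenAction(session, now = new Date(), renewWindowMs = 24 * 3600 * 1000) {
  if (!session || !session.accessToken) return 'reauthenticate';
  const expiresAt = Date.parse(session.expiresAt);
  if (Number.isNaN(expiresAt)) return 'reauthenticate';
  const remaining = expiresAt - now.getTime();
  if (remaining <= 0) return 'reauthenticate';
  return remaining <= renewWindowMs ? 'renew' : 'use';
}

// After customerUpdate, adopt the replacement token if the payload carries
// one (a password change invalidates the old token); otherwise keep the session.
function applyCustomerUpdatePayload(session, payload) {
  const fresh = payload && payload.customerAccessToken;
  if (fresh && fresh.accessToken) {
    return { accessToken: fresh.accessToken, expiresAt: fresh.expiresAt };
  }
  return session;
}

// Constructed sample values (not real tokens or credentials).
const sampleSession = { accessToken: 'tok_old_example', expiresAt: '2030-01-10T00:00:00Z' };
const sampleVariables = { input: { email: 'shopper@example.com', password: 'hunter2-example' } };
console.log(nextTokenAction(sampleSession, new Date('2030-01-09T12:00:00Z')));
console.log(JSON.stringify(redactSecrets(sampleVariables)));
```

Pass mutation variables and payloads through `redactSecrets` before they reach any logger or error reporter, and run `nextTokenAction` before each authenticated request.
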
***

## CustomerAccessToken Mutations

### Mutated by

* [customerAccessTokenCreate](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreate)
* [customerAccessTokenCreateWithMultipass](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenCreateWithMultipass)
* [customerAccessTokenRenew](https://shopify.dev/docs/api/storefront/unstable/mutations/customerAccessTokenRenew)
* [customerActivate](https://shopify.dev/docs/api/storefront/unstable/mutations/customerActivate)
* [customerActivateByUrl](https://shopify.dev/docs/api/storefront/unstable/mutations/customerActivateByUrl)
* [customerReset](https://shopify.dev/docs/api/storefront/unstable/mutations/customerReset)
* [customerResetByUrl](https://shopify.dev/docs/api/storefront/unstable/mutations/customerResetByUrl)
* [customerUpdate](https://shopify.dev/docs/api/storefront/unstable/mutations/customerUpdate)