Skip to main content
The Store API uses three authentication mechanisms depending on the use case: API keys for all requests, JWT tokens for authenticated customers, and order tokens for guest checkout.

API Key (Required)

Every request to the Store API requires a publishable API key. This key identifies your storefront and is safe to use in client-side code. Pass the key via the X-Spree-Api-Key header:
Publishable API keys are prefixed with pk_. You can create them in the Spree Admin under Settings > API Keys or via the Spree CLI:
If you omit the API key, the API returns a 401 Unauthorized error:

JWT Token (Authenticated Customer)

For actions that require a logged-in customer (viewing orders, managing addresses, saved payment methods), use a JWT bearer token in addition to the API key.

Login

Register

Token Refresh

JWT tokens expire after 1 hour by default. Use the refresh endpoint to get a new token:

Order Token (Guest Checkout)

For guest checkout flows, use the order token returned when creating a cart. This allows unauthenticated users to manage their cart and complete checkout. Pass the token via the x-spree-token header:

Associating a Guest Cart

After a guest user logs in, you can associate their guest cart with their account:

Authentication Summary

MethodHeaderUse Case
API KeyX-Spree-Api-Key: pk_xxxAll requests (required)
JWT TokenAuthorization: Bearer <token>Authenticated customer actions
Order TokenX-Spree-Token: <token>Guest cart and checkout