We’re updating Storefront GraphQL authentication to better align token types with how they’re used in modern headless/server-rendered storefronts.

If you use Storefront tokens for server-side Storefront GraphQL calls (SSR, middleware, proxies, or any backend service), you need to migrate to private tokens.

  • Storefront tokens created after June 30, 2026 will not support server-to-server requests

  • Storefront tokens created on or before June 30, 2026 will continue supporting server-to-server requests until March 31, 2027

Storefront tokens used for browser-based storefronts with allowed_cors_origins are unaffected.

You can check out more in the relevant documentation here.