Using the public storefront access token in Next.js API routes?

ogb

I built a headless Storefront recently with Next.js, using "X-Shopify-Storefront-Access-Token" to authenticate the requests. I didn't realize that this token was public until today, when I looked into the docs in more detail, hence I created API routes (Next.js) for each action in order to protect the token from being exposed on the client side.

My question is now, will the Storefront API be clever enough to see that in fact each request from the serverless functions is coming from different buyers' IPs? Or will Storefront see these requests as coming from a single IP address? I guess in that case the app might hit the rate limiter quickly when concurrent requests from various buyers happen...

Which leads me to the main question, do I need to switch over to a private token? Or can I continue using the public token in a serverless env? Many thanks in advance!
