Call storefront api via our backend app from our frontend app

We want to call storefront api via our backend app from our frontend app.

I read this post:
https://community.shopify.com/post/1113258

But it looks like the solution is based on the old rate limit of storefront api. Now, this doc says there are no rate limits for storefront api.
https://shopify.dev/docs/api/usage/rate-limits#storefront-api-rate-limits

Can we call storefront api via our backend app from our frontend app without caring about rate limits? If so, what is the difference between public and authenticated access token in terms of rate limits, access scopes, and malicious access detection?

Hey @takkii1989

That’s right, it’s now unlimited. Passing along the Shopify-Storefront-Buyer-IP header in an authenticated server-to-server request enables the platform to impose IP-level rate limiting as an added protection against a single user, such as a bot, consuming a high level of capacity.

Hi @SBD , Thanks for the reply.
I understood that there is no rate limit, but let me ask about the details.

  • How likely is it that our backend server is regarded as malicious, especially when the number of calls to the storefront api from our backend server increases?
  • Is it effective for that protection to pass Shopify-Storefront-Buyer-IP from our server with the IP address received from our client app?
  • What does “authenticated server-to-server request” mean? If we use the access token of a custom app to call the storefront api, is it an authenticated request?

Hey @takkii1989

> What does “authenticated server-to-server request” mean? How likely is our backend server regarded malicious? Is it effective for that protection to pass Shopify-Storefront-Buyer-IP from our server with the IP address received from our client app?

The Storefront API can now work with two different types of tokens. A public access token (to make requests from public contexts like a browser) or a private access token (to make requests from private or authenticated contexts, like a server).

A private access token should be treated as a secret and not used on the client side, and it’s best practice to pass along the Shopify-Storefront-Buyer-IP header with these tokens (the IP of each user). More on the header + benefits here.

> If we use access token for custom app to call storefront api, is it authenticated request?

Here’s how you can generate a private access token.

Let me know if I’ve missed anything!
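As an added example (not code from the thread or from Shopify), here is a small Node backend proxy that applies the advice above: the private token stays on the server, each outbound call carries Shopify-Storefront-Buyer-IP, and the buyer IP is taken from X-Forwarded-For only when the request arrived through one of our own trusted proxies, since otherwise a client could spoof the header and defeat the per-IP protection. The shop domain, API version, token value and the allow-list of named operations are assumptions; the allow-list in particular is my own design choice so the proxy does not relay arbitrary client-supplied GraphQL.

```javascript
// Added example, not from the thread above. Assumptions: shop domain, API version,
// token value and the allow-listed operations are placeholders; the allow-list design
// is mine, not a Shopify requirement.

const STOREFRONT_API_VERSION = "2024-01"; // assumed; use the version your app targets

// Only named operations are forwarded; the browser sends an operation name plus
// variables, never raw GraphQL. The private token's scopes then remain the upper
// bound of what a caller can do, whatever query text they try to submit.
const ALLOWED_OPERATIONS = {
  ProductByHandle: `
    query ProductByHandle($handle: String!) {
      product(handle: $handle) { id title }
    }`,
};

// Resolve the end user's IP for the Shopify-Storefront-Buyer-IP header.
// X-Forwarded-For is trusted only when the TCP peer is one of our own proxies.
function resolveBuyerIp(remoteAddr, headers, trustedProxies) {
  const xff = headers["x-forwarded-for"];
  if (xff && trustedProxies.has(remoteAddr)) {
    // Leftmost entry is the originating client; later entries are proxies.
    const first = xff.split(",")[0].trim();
    if (first) return first;
  }
  return remoteAddr;
}

// Build the outbound Storefront API request as plain data (URL, headers, body) so it
// can be inspected and tested without touching the network.
function buildStorefrontRequest({ shopDomain, privateToken, buyerIp, operationName, variables }) {
  const query = ALLOWED_OPERATIONS[operationName];
  if (!query) throw new Error(`operation not allowed: ${operationName}`);
  return {
    url: `https://${shopDomain}/api/${STOREFRONT_API_VERSION}/graphql.json`,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      // Header for the private (server-side) token. A public token would go in
      // X-Shopify-Storefront-Access-Token instead and is meant for browser use.
      "Shopify-Storefront-Private-Token": privateToken,
      "Shopify-Storefront-Buyer-IP": buyerIp,
    },
    body: JSON.stringify({ query, variables: variables ?? {} }),
  };
}

// Handle one request from our own frontend: resolve the buyer IP, build the
// Storefront call and send it. fetchImpl is injectable so it can be stubbed offline.
async function proxyStorefrontCall(
  { remoteAddr, headers, body },
  { shopDomain, privateToken, trustedProxies, fetchImpl = globalThis.fetch },
) {
  const buyerIp = resolveBuyerIp(remoteAddr, headers, trustedProxies);
  const req = buildStorefrontRequest({
    shopDomain,
    privateToken,
    buyerIp,
    operationName: body.operationName,
    variables: body.variables,
  });
  const res = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return res.json();
}

// Constructed sample input: a browser request that reached us via our load balancer
// at 10.0.0.5, carrying the real client address in X-Forwarded-For.
const SAMPLE_INCOMING = {
  remoteAddr: "10.0.0.5",
  headers: { "x-forwarded-for": "203.0.113.9, 10.0.0.5" },
  body: { operationName: "ProductByHandle", variables: { handle: "t-shirt" } },
};
const SAMPLE_CONFIG = {
  shopDomain: "example.myshopify.com",          // placeholder shop
  privateToken: "placeholder-private-token",     // read from a secret store in practice
  trustedProxies: new Set(["10.0.0.5"]),
};
```

In practice the token comes from your secret store or environment, and the frontend route that calls this proxy should itself be authenticated or rate limited, because from Shopify's point of view every forwarded call is your server's, distinguished only by the buyer IP you attach.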

Thanks @SBD, it’s getting clearer.

Let me ask some more questions about tokens.

  • Is it unexpected usage to pass Shopify-Storefront-Buyer-IP with a PUBLIC storefront access token from our backend server? Is our server more likely to be regarded as malicious than when using a private (delegate) access token?
  • In case we leak our delegate access token, are there any other risks than impacts within the access scope? For example, if we set only the unauthenticated_read_product_listings access scope on the delegate access token, is the impact of a leak equivalent to that of a leaked PUBLIC storefront access token with only the unauthenticated_read_product_listings access scope?

Hey @takkii1989

Yep, that’s unexpected. I did some more research on this one - the purpose of Shopify-Storefront-Buyer-IP (for server-to-server requests) is to “enable the platform to impose IP-level rate limiting as an added protection against a single user, such as a bot, consuming a high level of capacity.”. It’s less about marking your requests to Shopify as safe and more about protecting (you and Shopify) against a single user/bot.

Seeking clarification on your second point, will get back to you!

Hey @takkii1989

Chatted with the SFAPI team regarding “In case we leak our delegate access token, are there any other risks than impacts within the access scope?”:

> There is no risk in that particular case. However, if we start introducing new access scopes that expose more sensitive information that’s only available to the private token, then exposing the delegate access token publicly would be risky.

Further, regarding private/public benefits:

> In terms of motivation to use the private/delegate access token vs the public one, at the moment there doesn’t seem to be a significant difference to use one over the other but in the future, as we add more gated features or fields in the API, the token types will likely play a more critical role.

Hi @SBD. Now it’s all clear.

Thanks for taking the time to answer my many questions.