@bc-victor bc-victor commented Oct 7, 2025

What/Why?

After the release of PROJECT-6952, developers using a BC store-level oauth token with the new B2B Edition oauth scope need to send additional headers for the endpoint to respond properly.

Adding env variable BIGCOMMERCE_ACCESS_TOKEN to differentiate from the type of headers we need to send to the B2B APIs

Testing

Login success (only place where we use B2B APIs)

With B2B token

Screen.Recording.2025-10-08.at.11.20.59.a.m.mov

Without BC token

Screen.Recording.2025-10-08.at.11.22.03.a.m.mov

Migration

No migrations

@bc-victor bc-victor requested a review from a team as a code owner October 7, 2025 19:59

changeset-bot bot commented Oct 7, 2025

⚠️ No Changeset found

Latest commit: 0027b89

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


vercel bot commented Oct 7, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
catalyst-b2b Ready Ready Preview Comment Oct 16, 2025 7:24pm
catalyst-canary Ready Ready Preview Comment Oct 16, 2025 7:24pm
1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
catalyst Ignored Ignored Oct 16, 2025 7:24pm

@bc-micah bc-micah left a comment

I want to see the docs updated + including tests for both the old and new tokens - comments have details.

env: z.object({
B2B_API_TOKEN: z.string(),
BIGCOMMERCE_CHANNEL_ID: z.string(),
BIGCOMMERCE_STORE_HASH: z.string(),

Did we update the docs that explain what a B2B_API_TOKEN is as well?

Comment on lines 43 to 44
'X-Store-Hash': BIGCOMMERCE_STORE_HASH,
'X-Auth-Token': B2B_API_TOKEN,

Can we include full tests of both tokens (old b2b only s2s token + bigcommerce api account token)?

I would like to see the full flow tested for both scenarios and include showing / setting the env var + verifying the login is working appropriately (including opening the buyer portal as that shows the storefront is logged in as well as the b2b functions)

Contributor Author

Thanks for the review. After testing, realized we can't just send authToken, X-Auth-Token and X-Store-Hash together; we need to know which token is being used. I added a new variable BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE to differentiate from scopes.

.env.example Outdated
Comment on lines 47 to 53
# BigCommerce API token with B2B Edition scopes used to authenticate requests to the B2B API
BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE=

# DEPRECATED - Please prefer using the above variable
# The B2B API Token is used to authenticate requests to the B2B API.
# It can be generated in the B2B control panel Settings > API Accounts > Create API Account.
B2B_API_TOKEN=
# B2B_API_TOKEN=
Contributor Author

maybe let's remove this entirely? also from the docs

can we do it directly?

maybe add a check, if B2B_API_TOKEN is present, throw and show an error message?

z.object({
  B2B_API_TOKEN: z.undefined({ message: 'This is deprecated in favour of BIGCOMMERCE_TOKEN' }).optional(),
  BIGCOMMERCE_TOKEN: z.string()
})

@bc-victor bc-victor requested a review from bc-micah October 8, 2025 18:59
@icatalina icatalina left a comment

pre approving, I think I prefer a more generic token name and removing the old one. What do you all think?

.env.example Outdated
B2B_API_HOST=https://api-b2b.bigcommerce.com

# BigCommerce API token with B2B Edition scopes used to authenticate requests to the B2B API
BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE=

Suggested change
BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE=
BIGCOMMERCE_TOKEN=

if we require new scopes in the future, are we gonna rename the variable to:

BIGCOMMERCE_TOKEN_WITH_B2B_AND_SOME_OTHER_SCOPE=

?

Contributor Author

That's a good point, I'll add this

Collaborator

"With x scope" seems like an awkward naming convention in general to me.

Just for reference, the optional BigCommerce REST token that can be included in the environment config for, e.g., supporting the customer groups lookup in Makeswift, is called BIGCOMMERCE_ACCESS_TOKEN. We might want to conform the naming convention here to more closely match that.

Or is it possibly appropriate to just use BIGCOMMERCE_ACCESS_TOKEN and give clear instructions that the token provided there needs to have the B2B scope? I think that might make more sense than having separate BigCommerce REST tokens for separate operations.

If it's already being used in makeswift, let's stick to the existing name to reduce the number of things the user has to set up.

We can then just add that B2B scope is required in the setup docs.

Comment on lines 40 to 47
if (B2B_API_TOKEN) {
headers['authToken'] = B2B_API_TOKEN;
}

if (BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE) {
headers['X-Auth-Token'] = BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE;
headers['X-Store-Hash'] = BIGCOMMERCE_STORE_HASH;
}
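
Review bot: the two `if` blocks are independent, so when both B2B_API_TOKEN and BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE are set the request carries authToken, X-Auth-Token and X-Store-Hash together, and when neither is set no credential header is added at all. Make the branches mutually exclusive and add a final else that throws, so a missing token fails here instead of producing an unauthenticated call.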

Suggested change
if (B2B_API_TOKEN) {
headers['authToken'] = B2B_API_TOKEN;
}
if (BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE) {
headers['X-Auth-Token'] = BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE;
headers['X-Store-Hash'] = BIGCOMMERCE_STORE_HASH;
}
if (BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE) {
headers['X-Auth-Token'] = BIGCOMMERCE_TOKEN_WITH_B2B_SCOPE;
headers['X-Store-Hash'] = BIGCOMMERCE_STORE_HASH;
} else if (B2B_API_TOKEN) {
headers['authToken'] = B2B_API_TOKEN;
}

They both should not be used at the same time, we should prefer the BIGCOMMERCE_TOKEN if possible.

@bc-victor
Contributor Author

Updated this PR to use BIGCOMMERCE_ACCESS_TOKEN as defined here in the Makeswift integration.

Updating docs in this PR

Comment on lines 43 to 45
} else {
throw new Error(`No B2B API token or BigCommerce token found in environment variables.`);
}
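
Review bot: the message on the `throw new Error(...)` line does not name the variables the operator has to set; spell out BIGCOMMERCE_ACCESS_TOKEN and B2B_API_TOKEN so the failure is actionable. The backticks can be plain quotes, since nothing is interpolated.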

This is only using the new BIGCOMMERCE_ACCESS_TOKEN, will break when existing customers upgrade to this version.

BIGCOMMERCE_CHANNEL_ID: z.string(),
BIGCOMMERCE_STORE_HASH: z.string(),
BIGCOMMERCE_ACCESS_TOKEN: z.string().optional(),
B2B_API_TOKEN: z.string().optional().describe('This is deprecated in favour or BIGCOMMERCE_ACCESS_TOKEN, read https://support.bigcommerce.com/s/article/Store-API-Accounts?language=en_US'),
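
Review bot: BIGCOMMERCE_ACCESS_TOKEN and B2B_API_TOKEN are both `.optional()` here, so an environment that sets neither token still passes validation; require at least one of them in the schema. The describe() text on the B2B_API_TOKEN line also has a typo: "in favour or" should read "in favour of".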

💅 Not sure if we need the describe here.

We might want to define a union in this case:

z.union([
  z.object({
    BIGCOMMERCE_CHANNEL_ID: z.string(),
    B2B_API_TOKEN: z.string(),
  }),
  z.object({
    BIGCOMMERCE_CHANNEL_ID: z.string(),
    BIGCOMMERCE_STORE_HASH: z.string(),
    BIGCOMMERCE_ACCESS_TOKEN: z.string(),
  }),
])

The current approach makes BIGCOMMERCE_STORE_HASH mandatory, even for old consumers where it is not needed, and makes both B2B_API_TOKEN and BIGCOMMERCE_ACCESS_TOKEN optional, which means they can potentially both be missing.
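
The credential selection this thread converges on, as an added example that is not the PR's code: exactly one credential set is sent, the BigCommerce token is preferred, and a missing configuration fails closed. The environment variable and header names come from the thread; `resolveB2BAuth`, the types, and treating blank values as unset are assumptions made for this example, written without zod so it runs stand-alone.

```typescript
// Added example. Function and type names are hypothetical, not Catalyst's.
type Env = Record<string, string | undefined>;

type B2BAuth =
  | { kind: 'bigcommerce'; headers: { 'X-Auth-Token': string; 'X-Store-Hash': string } }
  | { kind: 'legacy'; headers: { authToken: string } };

// A line such as `B2B_API_TOKEN=` copied from .env.example yields an empty
// string, which a bare string check accepts. Treat blank values as unset.
function nonEmpty(value: string | undefined): string | undefined {
  const trimmed = value?.trim();
  return trimmed ? trimmed : undefined;
}

function resolveB2BAuth(env: Env): B2BAuth {
  const accessToken = nonEmpty(env['BIGCOMMERCE_ACCESS_TOKEN']);
  const storeHash = nonEmpty(env['BIGCOMMERCE_STORE_HASH']);
  const legacyToken = nonEmpty(env['B2B_API_TOKEN']);

  if (accessToken) {
    // The store hash is only mandatory on this path, as the union proposal notes.
    if (!storeHash) {
      throw new Error('BIGCOMMERCE_STORE_HASH is required when BIGCOMMERCE_ACCESS_TOKEN is set.');
    }
    // Preferred credential: the legacy token is ignored even if present,
    // so the two header sets are never sent together.
    return {
      kind: 'bigcommerce',
      headers: { 'X-Auth-Token': accessToken, 'X-Store-Hash': storeHash },
    };
  }

  if (legacyToken) {
    // Existing deployments that only have the deprecated token keep working.
    return { kind: 'legacy', headers: { authToken: legacyToken } };
  }

  // Fail closed: never build a request without a credential. The message
  // names the variables but never echoes a token value.
  throw new Error(
    'Set BIGCOMMERCE_ACCESS_TOKEN (with BIGCOMMERCE_STORE_HASH) or the deprecated B2B_API_TOKEN.',
  );
}
```

Calling this once at startup with the process environment surfaces a misconfiguration before the first login request rather than during it.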

@bc-victor bc-victor force-pushed the victor/b2b-makeswift branch from d8d8a48 to 0027b89 Compare October 16, 2025 19:22
@bc-victor bc-victor merged commit ab06c1b into integrations/b2b-makeswift Oct 16, 2025
11 checks passed
@bc-victor bc-victor deleted the victor/b2b-makeswift branch October 16, 2025 19:35
6 participants