
To be authenticated, you must pass an access token in the Authorization header. Which token you pass depends on your operating mode.

Operating mode

Authorization is primarily based on the mode you are operating in. There are four modes:

  • NO_SESSION - Stateless and primarily used to populate your own catalog cache. Must be used server-side only.
  • SESSION - Stateful and used to act on behalf of a shopper. Upon the first request using the base session token, you will receive a new session token to use in subsequent requests.
  • LOGGED_IN - Sub-mode of SESSION, active for any logged-in customer.
  • SHARED_SECRET - Sub-mode of SESSION. Used when you need to act on behalf of a shopper, but perform actions that the shopper themselves shouldn't access. This separate token can be found in your plugin configuration, and should be passed in the x-shared-secret header.
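
The sketch below chooses request headers per operating mode and tracks the switch from the base session token to the new session token. It is an added example, not code from the API or its documentation. The `Bearer` scheme, the function names and the token values are assumptions (the page names only the Authorization and x-shared-secret headers), and keeping the shared secret server-side is an inference from its description.

```javascript
// Added example. Header names are from the page; the "Bearer" scheme,
// function names and token values are assumptions / constructed.
const MODES = ["NO_SESSION", "SESSION", "LOGGED_IN", "SHARED_SECRET"];

// Build request headers for one operating mode, refusing combinations
// that would expose a server-only credential to a shopper's browser.
function buildAuthHeaders({ mode, token, sharedSecret, serverSide = false }) {
  if (!MODES.includes(mode)) throw new Error(`unknown operating mode: ${mode}`);
  if (!token) throw new Error("an access token is required");
  if (mode === "NO_SESSION" && !serverSide) {
    throw new Error("NO_SESSION must be used server-side only");
  }
  const headers = { Authorization: `Bearer ${token}` }; // scheme assumed
  if (mode === "SHARED_SECRET") {
    if (!sharedSecret) throw new Error("SHARED_SECRET mode needs the shared secret");
    // Inference: the secret unlocks actions the shopper shouldn't access,
    // so it must never be sent from client-side code.
    if (!serverSide) throw new Error("shared secret must stay server-side");
    headers["x-shared-secret"] = sharedSecret;
  } else if (sharedSecret) {
    throw new Error(`shared secret must not be sent in ${mode} mode`);
  }
  return headers;
}

// Track the session token: start from the base session token, then switch
// to the token received on the first request. How the API returns that
// token is not stated on the page, so the caller passes it in.
function createSession(baseSessionToken) {
  let current = baseSessionToken;
  return {
    token: () => current,
    adopt(newToken) {
      if (newToken && newToken !== current) current = newToken;
    },
    usingBaseToken: () => current === baseSessionToken,
  };
}

// Constructed values, for illustration only.
const session = createSession("base-session-token");
console.log(buildAuthHeaders({ mode: "SESSION", token: session.token() }));
session.adopt("shopper-session-token");
console.log(buildAuthHeaders({
  mode: "SHARED_SECRET", token: session.token(),
  sharedSecret: "shared-secret-from-plugin-config", serverSide: true,
}));
```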

Permissions

In addition, a few fields are protected by a required permission. These fields can only be accessed if the base session token was granted the specified permission. This does not apply to NO_SESSION mode.