Authentication

Exchange the bridge token for a scoped Store API session token.

Admin App Bridge is for host UI; the Store API is for data. To call the Store API from an embedded app, exchange the launch (bridge) token for a short-lived, least-privilege session token (tast_) and send it as a bearer token.

bridge.getSessionToken(options?)#

Exchanges the bridge token for a Store API session token scoped to what your UI needs. The result is cached per scope-set and auto-refreshed 60 seconds before expiry, and concurrent calls for the same scopes de-dupe — so you can call it freely before each batch of API requests.

Option

Type

Default

Meaning

scopes

string[]

[]

The scopes this token needs. Your app must have been granted them at install, or the call rejects naming the missing scope.

force

boolean

false

Bypass the cache and force a fresh exchange.

Resolves { token, scopes, expiresAt }. Use token as Authorization: Bearer <token>.

app.js javascript
const { token } = await bridge.getSessionToken({ scopes: ["read_products"] });

const res = await fetch("https://api-store.tringify.com/api/2025-01/products", {
  headers: { Authorization: "Bearer " + token },
});
const products = await res.json();

How the exchange works#

Under the hood, getSessionToken POSTs { bridge_token, scopes } to /api/2025-01/app-bridge/session/exchange. If the exchange fails because the bridge token lapsed (INVALID_TOKEN or HTTP 401), the SDK refreshes the bridge token once through the host and retries the exchange automatically. You normally never touch the bridge token directly.

bridge.refreshBridgeToken()#

Force a fresh launch (bridge) token from the host. Rarely needed directly — the SDK refreshes proactively before expiry and on a failed exchange — but exposed for apps that want to pre-warm.