orcaqubits/bc-api-graphql
bigcommerce-commerce/skills/bc-api-graphql/SKILL.md
Use the BigCommerce GraphQL Storefront API — queries, mutations, authentication tokens, customer impersonation, cart operations, and schema exploration. Use when building storefront features that need client-side data fetching.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins bc-api-graphqlInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 6:42 AM204.7s1 file scanned
SKILL.md
- name:
- bc-api-graphql
- description:
- Use the BigCommerce GraphQL Storefront API — queries, mutations, authentication tokens, customer impersonation, cart operations, and schema exploration. Use when building storefront features that need client-side data fetching.
- allowed-tools:
- Read, Write, Edit, Bash, Grep, Glob, WebSearch, WebFetch
BigCommerce GraphQL Storefront API
Before writing code
Fetch live docs:
- Fetch
https://developer.bigcommerce.com/docs/storefront/graphqlfor GraphQL overview - Web-search
site:developer.bigcommerce.com graphql storefront api referencefor schema reference - Web-search
bigcommerce graphql storefront tokenfor token creation
Architecture
What It Is
A client-side GraphQL API designed for storefront applications:
- Endpoint:
https://{store_domain}/graphql - Designed for browser/frontend usage (not server-to-server)
- Fetch exactly the data you need in a single request
- Supports: products, categories, cart, checkout, customer, site settings, content
When to Use
- Stencil themes — client-side AJAX calls for dynamic content
- Headless storefronts — Catalyst/Next.js primary data source
- Single-page applications — React, Vue, Angular storefronts
- Progressive enhancement — add dynamic features to server-rendered pages
GraphQL vs REST
| Feature | GraphQL Storefront | REST API | |---------|-------------------|----------| | Audience | Frontend/browser | Backend/server | | Auth | Storefront token | API account token | | Data shape | Client-defined | Server-defined | | Rate limits | Complexity-based | Request count | | Mutations | Cart, checkout, login | Full CRUD |
Authentication
Storefront API Token
Create via REST API:
POST /v3/storefront/api-token
{
"channel_id": 1,
"expires_at": 1893456000,
"allowed_cors_origins": ["https://my-storefront.com"]
}
Returns a token to use as Authorization: Bearer {token} header.
Customer Impersonation Token
For accessing customer-specific data (addresses, orders, wishlists):
POST /v3/storefront/api-token-customer-impersonation
{
"channel_id": 1,
"expires_at": 1893456000
}
Combine with X-Bc-Customer-Id header for customer-specific queries.
Stencil Theme Context
In Stencil themes, the GraphQL token is available automatically:
- Use
{{inject 'graphQLToken' settings.storefront_api.token}}in templates - Or fetch from
/api/storefront/graphql-tokenendpoint
Key Queries
Products
query Products($first: Int, $after: String) {
site {
products(first: $first, after: $after) {
edges {
node {
entityId
name
path
prices {
price { value currencyCode }
salePrice { value currencyCode }
}
defaultImage {
url(width: 500)
altText
}
}
}
pageInfo { hasNextPage endCursor }
}
}
}
Single Product
query Product($productId: Int!) {
site {
product(entityId: $productId) {
entityId
name
description
prices { price { value currencyCode } }
images { edges { node { url(width: 800) altText } } }
productOptions { edges { node { entityId displayName } } }
variants { edges { node { entityId sku } } }
}
}
}
Categories
query Categories {
site {
categoryTree {
entityId
name
path
children { entityId name path }
}
}
}
Cart
query Cart {
site {
cart {
entityId
lineItems {
physicalItems {
entityId
name
quantity
listPrice { value currencyCode }
}
}
amount { value currencyCode }
}
}
}
Customer (Requires Impersonation Token)
query Customer {
customer {
entityId
firstName
lastName
email
addresses { edges { node { address1 city } } }
}
}
Mutations
Cart Operations
mutation AddToCart($cartId: String!, $lineItems: [CartLineItemInput!]!) {
cart {
addCartLineItems(input: {
cartEntityId: $cartId
data: { lineItems: $lineItems }
}) {
cart { entityId }
}
}
}
Create Cart
mutation CreateCart($lineItems: [CartLineItemInput!]!) {
cart {
createCart(input: { lineItems: $lineItems }) {
cart { entityId }
}
}
}
Customer Login
mutation Login($email: String!, $password: String!) {
login(email: $email, password: $password) {
result
customer { entityId firstName }
}
}
Pagination
Uses Relay-style cursor pagination:
first: N— number of itemsafter: "cursor"— cursor frompageInfo.endCursorpageInfo { hasNextPage endCursor }— pagination metadata
Complexity Limits
GraphQL queries have complexity limits instead of request-count rate limits:
- Each field has a cost
- Nested connections multiply costs
- Use
firstarguments to limit results - Avoid deeply nested queries
Best Practices
- Request only the fields you need — avoid
SELECT *mentality - Use pagination (
first+after) for large collections - Cache responses where appropriate (products, categories change infrequently)
- Use customer impersonation tokens only when customer-specific data is needed
- Set appropriate token expiration (not too long)
- Restrict CORS origins for storefront tokens
- Use fragments for reusable field sets
- Handle errors in the
errorsarray of the GraphQL response
Fetch the BigCommerce GraphQL Storefront API reference for the current schema, available queries/mutations, and authentication patterns before implementing.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026