For mutating requests, special response caching logic is used when provided, ensuring safe repetition of the request multiple times (idempotent), without worrying about side effects. While the key is used as a cache key, it's only part of the key. The remainder of the key is defined by the implementation and typically includes user information (IP address or user id), and may even include the hash of the request itself.

For authorized requests, the Authorization header must contain the JWT, typically obtained from operations like

The term Locale in our context refers to a combination of language and variant, such as British English vs Australian English. In this case, English is the language, while British English represents the locale. It's worth noting that other systems may use the term 'locale' more broadly, but in the context of this HTTP header, it only affects the language used.

A unique session identifier. This is used for analytics.

This header is used to specify a unique identifier for a device. This identifier aids in analytics and specific login procedures. Once a device has been recognized and explicitly marked as trustworthy by the user via the profile menu, supplying this header value allows bypassing Two-Factor Authentication, provided that it matches the trusted device and other certain conditions are met. This is exclusive to the Commerce API.

The "Content-Type" header should be set to "application/json" when interacting with the GraphQL API and the JSON API.

When you need to specify the sales channel used with storefront API, you should set "Sales-Channel-Id" header to the sales channel id of your choice. Make sure storefront API is enabled on the selected sales channel.