As asked
Shopify has two main APIs: the Admin API (REST and GraphQL) and the Storefront API (GraphQL only). Walk me through the key differences in authentication, data access, rate limits, and use cases. When would you specifically choose the Storefront API, and what can you not do with it that you can do with the Admin API?
Sample answer outline
A strong answer covers: the Storefront API authenticates with a public access token that is safe to embed in client-side code because it only grants the unauthenticated storefront scopes; it exposes only customer-facing data (products, collections, cart, checkout) and is built for headless storefronts and mobile shopping apps. (Storefront private access tokens also exist for server-to-server calls and must be kept secret like any other server credential.) The Admin API authenticates with a private access token (a custom app's token or an OAuth token) that must stay server-side; it can reach all merchant data the granted access scopes allow, including orders, customers, and financial data, so it must never be shipped to a browser or mobile client. Key Storefront limitations: it cannot read a customer's order history without that customer's own access token, cannot modify fulfillment, and can only read metafields whose definitions explicitly grant Storefront access. Rate limits differ too: the Storefront API is throttled per client IP (so a server calling it on a shopper's behalf should forward the shopper's IP), while the Admin API uses leaky-bucket limits per app per shop (request count for REST, query cost for GraphQL) and reports the remaining budget in every response.
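As an added worked example (not Shopify's code and not part of the sample answer), the Node.js module below shows the request shape each API expects, a guard that keeps the Admin token out of browser-bound config, and how to read the rate-limit signals the Admin API returns (it goes slightly beyond the outline by covering both the REST header and the GraphQL cost block). The shop name, tokens, API version and every response are constructed sample values; the `shpat_` prefix check is an assumption based on the format of custom-app Admin tokens, and the `Shopify-Storefront-Buyer-IP` header is the one the Storefront API uses to attribute server-side requests to the buyer.

```javascript
// Added example (not Shopify's own code): Admin vs Storefront request shapes,
// a guard that keeps the Admin token out of browser-bound config, and parsers
// for the rate-limit signals each Admin API flavour returns.
// Runs offline: every response and header below is constructed sample data.

const API_VERSION = "2024-07"; // assumption: any supported version behaves the same

// Storefront API (GraphQL only): authenticated with the public storefront token,
// which is safe in a browser bundle. When a server calls it on a shopper's behalf
// it forwards the shopper's IP so throttling is charged to that IP, not the server's.
function storefrontRequest(shop, publicToken, query, variables = {}, buyerIp = null) {
  const headers = {
    "Content-Type": "application/json",
    "X-Shopify-Storefront-Access-Token": publicToken,
  };
  if (buyerIp) headers["Shopify-Storefront-Buyer-IP"] = buyerIp;
  return {
    url: `https://${shop}.myshopify.com/api/${API_VERSION}/graphql.json`,
    method: "POST",
    headers,
    body: JSON.stringify({ query, variables }),
  };
}

// Admin API (GraphQL): authenticated with the private access token. Server-side only.
function adminRequest(shop, adminToken, query, variables = {}) {
  return {
    url: `https://${shop}.myshopify.com/admin/api/${API_VERSION}/graphql.json`,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      "X-Shopify-Access-Token": adminToken,
    },
    body: JSON.stringify({ query, variables }),
  };
}

// Storefront query for a logged-in customer's orders: it needs that customer's
// access token as a variable; the public storefront token alone returns nothing.
const CUSTOMER_ORDERS_QUERY = `
  query CustomerOrders($customerAccessToken: String!) {
    customer(customerAccessToken: $customerAccessToken) {
      orders(first: 10) { edges { node { name processedAt } } }
    }
  }`;

// Guard for anything serialized into the browser bundle: refuse if any value
// looks like an Admin token. Assumption: Admin tokens carry the "shpat_" prefix
// (the format of custom-app Admin tokens); adjust if your tokens differ.
function assertNoAdminToken(obj, path = "config") {
  for (const [key, value] of Object.entries(obj)) {
    if (value && typeof value === "object") {
      assertNoAdminToken(value, `${path}.${key}`);
    } else if (typeof value === "string" && value.startsWith("shpat_")) {
      throw new Error(`refusing to expose Admin API token at ${path}.${key}`);
    }
  }
  return obj;
}

function publicClientConfig(env) {
  // Only storefront-safe values are copied; the guard catches a mis-set secret.
  return assertNoAdminToken({ shop: env.SHOP, storefrontToken: env.STOREFRONT_PUBLIC_TOKEN });
}

// Admin GraphQL: each response carries the cost bucket state in extensions.cost.
// Returns whole seconds to wait before a query costing nextQueryCost points fits.
function adminGraphqlBackoffSeconds(responseJson, nextQueryCost) {
  const cost = responseJson.extensions && responseJson.extensions.cost;
  const t = cost && cost.throttleStatus;
  if (!t) return 0;
  if (nextQueryCost > t.maximumAvailable) {
    throw new Error("query cost exceeds bucket size; split the query");
  }
  const deficit = nextQueryCost - t.currentlyAvailable;
  return deficit <= 0 ? 0 : Math.ceil(deficit / t.restoreRate);
}

// Admin REST: bucket use comes back as "used/limit" in X-Shopify-Shop-Api-Call-Limit.
function adminRestBucket(headers) {
  const raw = headers["x-shopify-shop-api-call-limit"];
  const [used, limit] = raw.split("/").map(Number);
  return { used, limit, remaining: limit - used };
}

// Constructed sample responses (not captured from a real shop).
const SAMPLE_ADMIN_GRAPHQL_RESPONSE = {
  data: { orders: { edges: [] } },
  extensions: {
    cost: {
      requestedQueryCost: 52,
      actualQueryCost: 2,
      throttleStatus: { maximumAvailable: 1000, currentlyAvailable: 120, restoreRate: 50 },
    },
  },
};
const SAMPLE_ADMIN_REST_HEADERS = { "x-shopify-shop-api-call-limit": "32/40" };
```

The split to remember in the interview: `storefrontRequest` output can be built in the browser, `adminRequest` output only ever exists on the server, and anything that crosses to the client passes through `publicClientConfig` so a misconfigured environment variable fails at build time rather than leaking a merchant credential.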
Expect these follow-ups
- A headless storefront needs to show a logged-in customer their order history. Which API do you use and how do you authenticate?
- You are building a mobile app for merchants to manage their shop. Which API do you use and how do you keep the token secure on a mobile device?