24 changes: 18 additions & 6 deletions docs/b2b-edition/authentication/hosted-auth.mdx
@@ -1,7 +1,12 @@
---
title: Authentication for hosted storefronts
keywords: b2b edition, authentication, api token
---

# Authentication for hosted storefronts

<Callout type="important">
As of September 30, 2025, the B2B Edition API `authToken` will be deprecated and replaced by the standard BigCommerce API `X-Auth-Token`.
As of September 30, 2025, the B2B Edition API `authToken` is deprecated and replaced by the standard BigCommerce API `X-Auth-Token` used together with a new header `X-Store-Hash`. This change only applies to Server-to-Server requests. Storefront requests remain unchanged.

While `authToken` authentication is not expected to be fully sunset in the near future, it is advised to migrate to the new system as soon as possible to prevent disruption of functionality.

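Review bot: The rewritten callout writes "Server-to-Server" with capitals while the rest of the page uses "server-to-server" (see the context line of the next hunk, "To create a token for server-to-server requests"); pick one form. The phrase "a new header `X-Store-Hash`" also leaves the reader to guess what the header carries; saying "the `X-Store-Hash` header set to the store's hash" here would save a scroll to the later section that explains the mismatch behaviour.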
Expand All @@ -26,6 +31,10 @@ To create a token for server-to-server requests,
3. Create a V3 Token with the B2B Edition scope set to `modify`.
4. Save the relevant account keys for future reference.

<Callout type="info">
If you are a partner building an app intended for use with B2B Edition, you will need to ensure the B2B Edition scope is enabled before publishing the app.
</Callout>

For more information on creating and managing API accounts, refer to [API Accounts (Help Center)](https://support.bigcommerce.com/s/article/Store-API-Accounts).

<Callout type="warning">
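Review bot: The added info callout asks partners to "ensure the B2B Edition scope is enabled" but does not say at which level, while step 3 just above requires the scope set to `modify`; a read-only scope would pass that check and still fail at runtime. Suggest "ensure the B2B Edition scope is enabled and set to `modify` (see step 3) before publishing the app."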
Expand All @@ -45,13 +54,17 @@ An `X-Auth-Token` used without an `X-Store-Hash` or with a mismatched hash will

The `X-Auth-Token` structure is designed for long-term use. As such, they do not expire by default.

User-specific tokens can be generated by the [Get a Server to Server Token](/b2b-edition/apis/rest-management/authentication#get-a-server-to-server-token) endpoint. Rather than relying on an existing token, it generates a server-to-server token by validating a backend user’s login credentials and the store hash. This is useful if you are building an integration which automatically generates a token for Store Owner or Administrator users.
User-specific tokens can be generated by the **deprecated** [Get a Server to Server Token](/b2b-edition/apis/rest-management/authentication#get-a-server-to-server-token) endpoint. Rather than relying on an existing token, it generates an `authToken` by validating a backend user’s login credentials and the store hash.

Server to server tokens can be configured to expire using this endpoint to set a fixed validity period using the `endAt` field in the request. For more information, see [Server-to-Server Authentication](/b2b-edition/apis/rest-management/authentication).

<Callout type= "warning">
This endpoint does not support users with custom system user roles, even if those roles have API account creation permissions.
This endpoint generates an `authToken`, which is deprecated. In addition, it does not support users with custom system user roles, even if those roles have API account creation permissions.
</Callout>

Server to server tokens can be configured to expire using this endpoint to set a fixed validity period using the `endAt` field in the request. For more information, see [Server-to-Server Authentication](/b2b-edition/apis/rest-management/authentication).
<Callout type="info">
If you are still using the B2B Edition specific `authToken`, the store hash is not needed as the token includes that information. Including `X-Store-Hash` with `authToken` will have unexpected results. Please migrate to the unified token structure as soon as possible to avoid loss of functionality.
</Callout>

```js filename="Fetch request example" copy
async function() {
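Review bot: The `endAt` paragraph, moved below the warning callout, now sits directly against `<Callout type="info">` with no blank line, unlike every other callout in the file; add the blank line. That paragraph also reads "using this endpoint to set a fixed validity period using the `endAt` field", which could be "this endpoint can set a fixed validity period via the `endAt` field". In the new info callout, "Including `X-Store-Hash` with `authToken` will have unexpected results" is vague for an auth page: state the actual outcome (the request is rejected, or the header is ignored), as the hunk header already does for the `X-Auth-Token` mismatch case. While touching this region, the context line `<Callout type= "warning">` carries a stray space after `=`; worth cleaning up in the same change.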
Expand All @@ -77,7 +90,7 @@ async function() {
}
```

Tokens created via API can be invalidated as necessary using the [Delete Backend API Tokens](/b2b-edition/apis/rest-management/authentication#delete-backend-api-tokens) endpoint.
Tokens created via API can be invalidated as necessary using the **deprecated** [Delete Backend API Tokens](/b2b-edition/apis/rest-management/authentication#delete-backend-api-tokens) endpoint.

## Storefront Tokens

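Review bot: Marking Delete Backend API Tokens as deprecated leaves the page with no stated way to revoke an `X-Auth-Token`, which matters because the earlier paragraph says those tokens do not expire by default. Suggest adding a sentence pointing to where an `X-Auth-Token` is revoked (for example the API Accounts Help Center article already linked above), so the deprecated endpoint is not the only revocation guidance on the page.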
Expand Down Expand Up @@ -286,4 +299,3 @@ async function() {
* [Authentication](/b2b-edition/apis/rest-storefront/authentication) (Storefront)
* [Current Customer](/docs/storefront-auth/current-customer)
* [Authenticating requests to the GraphQL Storefront API](/docs/start/authentication/graphql-storefront)
