Resources on the commercetools platform provide information on changes and modifications in the following fields:
createdBy fields are only present on resources created after 2019-02-01. If you update a resource created before 2019-02-01, the representation will contain the
Creating a resource adds the
Update actions called by an API client update the
lastModifiedAt fields. When performing an update, the platform may verify if the updated resource differs from the current resource. If not, the update action might be skipped, and the
lastModifiedAt fields will not be updated.
API client updates are:
- Any client application calling the HTTP API.
- Any client application calling the GraphQL API.
- The Merchant Center.
Modifications done without using an API call or the Merchant Center do not update the
lastModifiedBy field. In some cases they update the
Example: Activating a Product Discount updates the price of a product. As this update is triggered by the platform, and not an API call or the Merchant Center, this price update is not tracked.
createdBy fields do not contain any personally identifiable information. However, they can contain the following as optional fields:
- External user IDs.
- References to Customer IDs.
- Identifier for Anonymous Sessions.
The fields themselves are JSON objects. See the CreatedBy and LastModifiedBy Common Type for more information.
API clients can use the
X-External-User-ID HTTP header to associate an external user ID with a modification. This can be useful for tracking changes made by users in an external service. For example, if you do not use the Merchant Center or the API authorization flows, using the
X-External-User-ID HTTP header can provide more information in client logging fields than might otherwise be available.
externalUserId field returns information passed in this header. The
externalUserId field is present on most representations which are passed to your front-end applications. Do not pass personal information, such as user email addresses to the
When using the
X-External-User-ID header, it is your responsibility to do one of the following:
- Encrypt any information passed to the header.
- To otherwise be GDPR and security compliant when using the header.