Resources on the commercetools platform provide information on changes and modifications in the following fields:
createdBy fields are only present on resources created after 01/02/2019. If you update a resource created before 01/02/2019, the representation will contain the
Creating a resource adds the
Any update action called by an API client updates the
lastModifiedAt fields. These include modifications using the following:
- Any client application calling the HTTP API.
- Any client application calling the GraphQL API.
- The Merchant Center.
Internal platform services do not update the
lastModifiedBy field. In some cases they update the
lastModifiedAt field. These include the following:
- Modifications not using an API call or the Merchant Center. For example, when activating a Product Discount, product price updates are not tracked.
- Modifications using the Admin Center.
Information in the fields
createdBy fields do not contain any personally identifiable information. However, they can contain the following as optional fields:
- External user IDs.
- References to Customer IDs.
- Identifier for Anonymous Sessions.
The fields themselves are JSON objects. See the CreatedBy and LastModifiedBy Common Type for more information.
External user IDs
API clients can use the
X-External-User-ID HTTP header to associate an external user ID with a modification. This can be useful for tracking changes made by users in an external service. For example, if you do not use the Merchant Center or our API authorization flows, using the
X-External-User-ID HTTP header can provide more information in client logging fields than might otherwise be available.
externalUserId field returns information passed in this header. The
externalUserId field is present on most representations which are passed to your front-end applications. Do not pass personal information, such as user email addresses to the
When using the
X-External-User-ID header, it is your responsibility to do one of the following:
- Encrypt any information passed to the header.
- To otherwise be GDPR and security compliant when using the header.