Impersonate Customer

Endpoint	Method
`/api/admin/customers/{customerId}/impersonate`	POST

Token expires in 1 hour

Token name = "admin-impersonate:{adminId}" — searchable for audit.
Abilities = ['*', 'impersonated-by-admin:{adminId}'].
expires_at = now() + 1 hour — non-negotiable; aligns with short-lived assumed-identity windows.
The plaintext token is returned once in the response body. There is no way to retrieve it again — store it immediately.
Issuance is audit-logged via admin.customer.impersonate with {admin_id, customer_id, token_id, expires_at}.

Use the returned token as a regular customer Sanctum Bearer against /api/shop/* endpoints.

Permission: customers.customers.edit.

Locales

Queries

Category

Queries

Theme Customisations

CMS Pages

Queries

Product

Queries

Product Review

Queries

Mutations

Attribute

Queries

Channel

Queries

Currency

Queries

Country

Customer

Queries

Mutations

Cart

Queries

Mutations

Checkout

Queries

Mutations

Wishlist

Queries

Mutations

Compare

Queries

Mutations

Contact Us

Mutations

Admin Profile

Catalog

Products

Categories

Attributes

Attribute Families

CMS

Queries

Mutations

Sales

Orders

Carts

Invoices (Datagrid)

Shipments (Datagrid)

Refunds (Datagrid)

Transactions

Bookings

Customers

Addresses

Notes

Impersonate

Customer Groups

Reviews

GDPR Requests

Create-Order Helpers

Settings

Locales

Currencies

Exchange Rates

Inventory Sources

Channels

Admin Users

Roles

Themes

Tax Categories

Tax Rates

Data Transfer Imports

Dashboard

Reporting

Marketing

Promotions

Communications

Search SEO

Configuration

Impersonate Customer