Menu

Login Customer in Storefront

In this guide, you'll learn about the two ways to login a customer in your storefront.

Note: This guide covers login using email and password. For authentication with third-party providers, refer to the Third-Party Login guide.

Login Customer Methods#

There are two ways to login a customer in your storefront:

  1. Using a JWT token. This JWT token is obtained from the /auth/customer/emailpass API route and is used as a bearer token in the authorization header of all requests.
  2. Using a cookie session. This method uses the /auth/session API route to set the authenticated session ID in the cookies.

The JS SDK simplifies the login approach in a single auth.login method. The upcoming sections explain the authentication approach whether you're using the JS SDK or not.

Which Authentication Method Should You Use?#

The authentication method you choose depends on your use case and the type of storefront you're building.

Refer to the JS SDK Authentication guide to learn more about the differences between JWT and session authentication and which one is best for your use case.

JS SDK Authentication Configuration#

Before implementing the login flow, you need to configure in the JS SDK the authentication method you're using in your storefront. This defines how the JS SDK will handle sending authenticated requests after the customer is authenticated.

For example, add the following configuration to your JS SDK initialization:

Tip: Learn how to install and configure the JS SDK in the JS SDK documentation.

The JS SDK will now pass the JWT token or the session ID cookie in the authorization header of all subsequent requests based on the authentication method you've configured.

Refer to the JS SDK Authentication guide for more information about these configurations, as well as other authentication configurations.

Tip: By default, when you choose the jwt method, the JWT token is stored in the browser's localStorage. However, you can change how the token is stored, which is useful in environments where localStorage is not available. For example, in React Native.To learn how to change the storage method with an example for a React Native storefront, refer to the JS SDK Authentication guide.

Authentication with JS SDK#

The JS SDK provides an auth.login method that handles all authentication steps based on the configured authentication method. Then, all subsequent requests will have the necessary authentication headers or cookies.

For example, to implement the login flow in your storefront with the JS SDK:

In the example above, you:

  1. Create a handleLogin function that logs in a customer.
  2. In the function, you log in the customer using the sdk.auth.login method.
    • If an error occurs, show an alert and exit execution.
    • The method may return an object with a location property. This occurs when using third-party authentication providers. Learn more about implementing third-party authentication in the Third-Party Login guide.
    • Otherwise, the authentication was successful.
  3. All subsequent requests are now authenticated. As an example, you send a request to obtain the logged-in customer's details.

Authentication without JS SDK#

If you're not using the JS SDK, the next sections cover the general flow for authenticating a customer in your storefront for both methods.

1. Using a JWT Token#

The first authentication approach is to pass an authenticated JWT token in the authorization header of all requests. You can do that by:

  1. Retrieving a JWT token from the /auth/customer/emailpass Authenticate Customer API route:
Code
1curl -X POST '{backend_url}/auth/customer/emailpass' \2-H 'Content-Type: application/json' \3--data-raw '{4  "email": "customer@gmail.com",5  "password": "supersecret"6}'
  1. Passing the token in the authorization header of all subsequent requests, as explained in the API reference:
Terminal
Authorization: Bearer {jwt_token}

You can store the obtained JWT token based on your use case. For example, you can store it in the browser's localStorage or sessionStorage. This way, you can retrieve it later and pass it in the authorization header of all requests.

2. Using a Cookie Session#

The second authentication approach is to authenticate the customer with a cookie session. You do that by:

  1. Retrieving a JWT token from the /auth/customer/emailpass Authenticate Customer API route:
Code
1curl -X POST '{backend_url}/auth/customer/emailpass' \2-H 'Content-Type: application/json' \3--data-raw '{4  "email": "customer@gmail.com",5  "password": "supersecret"6}'
  1. Sending a request to the /auth/session Authentication Session API route passing in the authorization header the token as a Bearer token. This sets the authenticated session ID in the cookies:
Code
1curl -X POST '{backend_url}/auth/session' \2-H 'Authorization: Bearer {jwt_token}'
  1. Passing the cookie session ID in all subsequent requests:
Was this page helpful?
Ask Anything
FAQ
What is Medusa?
How can I create a module?
How can I create a data model?
How do I create a workflow?
How can I extend a data model in the Product Module?
Recipes
How do I build a marketplace with Medusa?
How do I build digital products with Medusa?
How do I build subscription-based purchases with Medusa?
What other recipes are available in the Medusa documentation?
Chat is cleared on refresh
Line break