How to Use Authentication Routes
In this document, you'll learn about the authentication routes and how to use them to create or log-in users.
Types of Authentication Flows#
1. Basic Authentication Flow#
This authentication flow doesn't require validation with third-party services.
The steps are:
- Register the user with the Register Route.
- Use the authentication token to create the user with their respective API route.
- For example, for customers you would use the Create Customer API route.
- For admin users, you accept an invite using the Accept Invite API route
- Authenticate the user with the Auth Route.
After registration, you only use the Auth Route for subsequent authentication.
2. Third-Party Service Authenticate Flow#
This authentication flow authenticates the user with a third-party service, such as Google.
It requires the following steps:
- Authenticate the user with the Auth Route.
- The auth route returns a URL to authenticate with third-party service, such as login with Google. The frontend (such as a storefront), when it receives a
location
property in the response, must redirect to the returned location. - Once the authentication with the third-party service finishes, it redirects back to the frontend with a
code
query parameter. So, make sure your third-party service is configured to redirect to your frontend page after successful authentication. - The frontend sends a request to the Callback Route passing the
code
query parameter. - If the callback validation is successful, the frontend receives the authentication token.
- Decode the received token in the frontend using tools like react-jwt.
- If the decoded data has an
actor_id
property, then the user is already registered. So, use this token for subsequent authenticated requests. - If not, follow the rest of the steps.
- If the decoded data has an
- The frontend uses the authentication token to create the user with their respective API route.
- For example, for customers you would use the Create Customer API route.
- For admin users, you accept an invite using the Accept Invite API route
- The frontend sends a request to the Refresh Token Route to retrieve a new token with the user information populated.
Register Route#
The Medusa application defines an API route at /auth/{actor_type}/{provider}/register
that creates an auth identity for an actor type, such as a customer
. It returns a JWT token that you pass to an API route that creates the user.
For example, if you're registering a customer, you:
- Send a request to
/auth/customer/emailpass/register
to retrieve the registration JWT token. - Send a request to the Create Customer API route to create the customer, passing the JWT token in the header.
Path Parameters#
Its path parameters are:
{actor_type}
: the actor type of the user you're authenticating. For example,customer
.{provider}
: the auth provider to handle the authentication. For example,emailpass
.
Request Body Parameters#
This route accepts in the request body the data that the specified authentication provider requires to handle authentication.
For example, the EmailPass provider requires an email
and password
fields in the request body.
Response Fields#
If the authentication is successful, you'll receive a token
field in the response body object:
Use that token in the header of subsequent requests to send authenticated requests.
Auth Route#
The Medusa application defines an API route at /auth/{actor_type}/{provider}
that authenticates a user of an actor type. It returns a JWT token that can be passed in the header of subsequent requests to send authenticated requests.
For example, if you're authenticating a customer, you send a request to /auth/customer/emailpass
.
Path Parameters#
Its path parameters are:
{actor_type}
: the actor type of the user you're authenticating. For example,customer
.{provider}
: the auth provider to handle the authentication. For example,emailpass
.
Request Body Parameters#
This route accepts in the request body the data that the specified authentication provider requires to handle authentication.
For example, the EmailPass provider requires an email
and password
fields in the request body.
Response Fields#
If the authentication is successful, you'll receive a token
field in the response body object:
Use that token in the header of subsequent requests to send authenticated requests.
If the authentication requires more action with a third-party service, you'll receive a location
property:
Redirect to that URL in the frontend to continue the authentication process with the third-party service.
Validate Callback Route#
The Medusa application defines an API route at /auth/{actor_type}/{provider}/callback
that's useful for validating the authentication callback or redirect from third-party services like Google.
Path Parameters#
Its path parameters are:
{actor_type}
: the actor type of the user you're authenticating. For example,customer
.{provider}
: the auth provider to handle the authentication. For example,google
.
Query Parameters#
This route accepts a code
query parameter, which is the code received from the third-party provider.
Response Fields#
If the authentication is successful, you'll receive a token
field in the response body object:
In your frontend, decode the token using tools like react-jwt:
- If the decoded data has an
actor_id
property, the user is already registered. So, use this token for subsequent authenticated requests. - If not, use the token in the header of a request that creates the user, such as the Create Customer API route.
Refresh Token Route#
The Medusa application defines an API route at /auth/token/refresh
that's useful after authenticating a user with a third-party service to populate the user's token with their new information.
It requires the user's JWT token that they received from the authentication or callback routes.
Response Fields#
If the token was refreshed successfully, you'll receive a token
field in the response body object:
Use that token in the header of subsequent requests to send authenticated requests.