Commerce Modules

Edited Sep 5·Report Issue

How to Use Authentication Routes

In this document, you'll learn about the authentication routes and how to use them to create or log-in users.

Note: These routes are added by Medusa's application layer, not the Auth Module.

Types of Authentication Flows#

1. Basic Authentication Flow#

This authentication flow doesn't require validation with third-party services.

Example: How to register customer in storefront using basic authentication flow .

The steps are:

Diagram showcasing the basic authentication flow between the frontend and the Medusa application

Register the user with the Register Route.
Use the authentication token to create the user with their respective API route.
- For example, for customers you would use the Create Customer API route.
- For admin users, you accept an invite using the Accept Invite API route
Authenticate the user with the Auth Route.

After registration, you only use the Auth Route for subsequent authentication.

2. Third-Party Service Authenticate Flow#

This authentication flow authenticates the user with a third-party service, such as Google.

Example: How to authenticate customer with a third-party provider in the storefront. .

It requires the following steps:

Diagram showcasing the authentication flow between the frontend, Medusa application, and third-party service

Authenticate the user with the Auth Route.
The auth route returns a URL to authenticate with third-party service, such as login with Google. The frontend (such as a storefront), when it receives a location property in the response, must redirect to the returned location.
Once the authentication with the third-party service finishes, it redirects back to the frontend with a code query parameter. So, make sure your third-party service is configured to redirect to your frontend page after successful authentication.
The frontend sends a request to the Callback Route passing the code query parameter.
If the callback validation is successful, the frontend receives the authentication token.
Decode the received token in the frontend using tools like react-jwt.
- If the decoded data has an actor_id property, then the user is already registered. So, use this token for subsequent authenticated requests.
- If not, follow the rest of the steps.
The frontend uses the authentication token to create the user with their respective API route.
- For example, for customers you would use the Create Customer API route.
- For admin users, you accept an invite using the Accept Invite API route
The frontend sends a request to the Refresh Token Route to retrieve a new token with the user information populated.

Register Route#

The Medusa application defines an API route at /auth/{actor_type}/{provider}/register that creates an auth identity for an actor type, such as a customer. It returns a JWT token that you pass to an API route that creates the user.

Code
1curl -X POST http://localhost:9000/auth/{actor_type}/{providers}/register2-H 'Content-Type: application/json' \3--data-raw '{4  "email": "Whitney_Schultz@gmail.com"5  // ...6}'

Note: This API route is useful for providers like emailpass that uses custom logic to authenticate a user. For authentication providers that authenticate with third-party services, such as Google, use the Auth Route instead.

For example, if you're registering a customer, you:

Send a request to /auth/customer/emailpass/register to retrieve the registration JWT token.
Send a request to the Create Customer API route to create the customer, passing the JWT token in the header.

Path Parameters#

Its path parameters are:

{actor_type}: the actor type of the user you're authenticating. For example, customer.
{provider}: the auth provider to handle the authentication. For example, emailpass.

Request Body Parameters#

This route accepts in the request body the data that the specified authentication provider requires to handle authentication.

For example, the EmailPass provider requires an email and password fields in the request body.

Response Fields#

If the authentication is successful, you'll receive a token field in the response body object:

Code
1{2  "token": "..."3}

Use that token in the header of subsequent requests to send authenticated requests.

Auth Route#

The Medusa application defines an API route at /auth/{actor_type}/{provider} that authenticates a user of an actor type. It returns a JWT token that can be passed in the header of subsequent requests to send authenticated requests.

Code
1curl -X POST http://localhost:9000/auth/{actor_type}/{providers}2-H 'Content-Type: application/json' \3--data-raw '{4  "email": "Whitney_Schultz@gmail.com"5  // ...6}'

For example, if you're authenticating a customer, you send a request to /auth/customer/emailpass.

Path Parameters#

Its path parameters are:

{actor_type}: the actor type of the user you're authenticating. For example, customer.
{provider}: the auth provider to handle the authentication. For example, emailpass.

Request Body Parameters#

This route accepts in the request body the data that the specified authentication provider requires to handle authentication.

For example, the EmailPass provider requires an email and password fields in the request body.

Response Fields#

If the authentication is successful, you'll receive a token field in the response body object:

Code
1{2  "token": "..."3}

Use that token in the header of subsequent requests to send authenticated requests.

If the authentication requires more action with a third-party service, you'll receive a location property:

Code
1{2  "location": "https://..."3}

Redirect to that URL in the frontend to continue the authentication process with the third-party service.

Example: How to login Customers using the authentication route .

Validate Callback Route#

The Medusa application defines an API route at /auth/{actor_type}/{provider}/callback that's useful for validating the authentication callback or redirect from third-party services like Google.

Code
curl -X POST http://localhost:9000/auth/{actor_type}/{providers}/callback?code=123

Tip: Refer to the third-party authentication flow section to see how this route fits into the authentication flow.

Path Parameters#

Its path parameters are:

{actor_type}: the actor type of the user you're authenticating. For example, customer.
{provider}: the auth provider to handle the authentication. For example, google.

Query Parameters#

This route accepts a code query parameter, which is the code received from the third-party provider.

Response Fields#

If the authentication is successful, you'll receive a token field in the response body object:

Code
1{2  "token": "..."3}

In your frontend, decode the token using tools like react-jwt:

If the decoded data has an actor_id property, the user is already registered. So, use this token for subsequent authenticated requests.
If not, use the token in the header of a request that creates the user, such as the Create Customer API route.

Refresh Token Route#

The Medusa application defines an API route at /auth/token/refresh that's useful after authenticating a user with a third-party service to populate the user's token with their new information.

It requires the user's JWT token that they received from the authentication or callback routes.

Code
1curl -X POST http://localhost:9000/auth/token/refresh \2-H 'Authorization: Bearer {token}'

Response Fields#

If the token was refreshed successfully, you'll receive a token field in the response body object:

Code
1{2  "token": "..."3}

Use that token in the header of subsequent requests to send authenticated requests.

Was this page helpful?

Edit this page