
Customer Authentication

Custom storefronts use the authenticated Storefront GraphQL API to provide secure customer accounts and personalized shopping experiences.

Overview

The Storefront GraphQL API supports customer authentication, allowing you to:

  • Create customer accounts
  • Authenticate customers (login/logout)
  • Access customer-specific data (orders, addresses, preferences)
  • Personalize the shopping experience
  • Secure customer information

Authentication Flow

1. Customer Registration

Customers can create accounts using the Storefront GraphQL API:

mutation CreateCustomer($input: CustomerCreateInput!) {
  customerCreate(input: $input) {
    customer {
      id
      email
    }
    userErrors {
      field
      message
    }
  }
}

2. Customer Login

Authenticate customers and receive an access token. Check userErrors before using the result: on a failed login customerAccessToken is absent and userErrors carries the reason.

mutation CustomerAccessTokenCreate($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken {
      accessToken
      expiresAt
    }
    userErrors {
      field
      message
    }
  }
}

3. Using the Access Token

Include the access token in subsequent API requests. The query below returns the customer the token belongs to; with the SDK, client.setAccessToken() attaches the token to each request for you:

query GetCustomer {
  customer {
    id
    email
    firstName
    lastName
  }
}

Using the SDK

The Storefront SDK simplifies authentication:

import { StorefrontClient } from '@finqu/storefront-sdk';

const client = new StorefrontClient({
  storeDomain: 'your-store.finqu.com',
  apiKey: process.env.FINQU_STOREFRONT_API_KEY, // Required: API key from Channel settings
});

// Register a new customer
const customer = await client.customer.create({
  email: 'customer@example.com',
  password: 'secure-password',
  firstName: 'John',
  lastName: 'Doe',
});

// Login
const session = await client.customer.login({
  email: 'customer@example.com',
  password: 'secure-password',
});

// Use authenticated requests
client.setAccessToken(session.accessToken);
const currentCustomer = await client.customer.getCurrent();

Security Best Practices

  • Never store passwords - The storefront only forwards the password to customerCreate or customerAccessTokenCreate; never log it, cache it, or keep it in client state. If you ever operate your own credential store, hash with a slow, salted algorithm such as bcrypt or Argon2.
  • Use HTTPS - Always use HTTPS in production. The access token is a bearer credential: anyone who reads it on the wire can act as that customer.
  • Token expiration - customerAccessTokenCreate returns expiresAt. Check it before each authenticated request and obtain a new token before it lapses, rather than letting a request fail mid-checkout.
  • Secure storage - Store tokens securely. httpOnly cookies are recommended, which means a server of yours sets the cookie and proxies authenticated calls, because page scripts cannot read httpOnly cookies. If the token must live in the browser, keep it in memory rather than in localStorage.
  • CSRF protection - Once the token sits in a cookie the browser sends it automatically, so protect every mutation with SameSite cookies plus a per-session CSRF token that the server verifies.

Next Steps