# Customer Authentication

Custom storefronts use the authenticated Storefront GraphQL API to provide secure customer accounts and personalized shopping experiences.

## Overview

The Storefront GraphQL API supports customer authentication, allowing you to:

- Create customer accounts
- Authenticate customers (login/logout)
- Access customer-specific data (orders, addresses, preferences)
- Personalize the shopping experience
- Secure customer information

## Authentication Flow

### 1. Customer Registration

Customers can create accounts using the Storefront GraphQL API:

```graphql
mutation CreateCustomer($input: CustomerCreateInput!) {
  customerCreate(input: $input) {
    customer {
      id
      email
    }
    userErrors {
      field
      message
    }
  }
}
```

### 2. Customer Login

Authenticate customers and receive an access token:

```graphql
mutation CustomerAccessTokenCreate($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken {
      accessToken
      expiresAt
    }
    userErrors {
      field
      message
    }
  }
}
```

### 3. Using the Access Token

Include the access token in subsequent API requests:

```graphql
query GetCustomer {
  customer {
    id
    email
    firstName
    lastName
  }
}
```

## Using the SDK

The Storefront SDK simplifies authentication:

```typescript
import { StorefrontClient } from '@finqu/storefront-sdk';

const client = new StorefrontClient({
  storeDomain: 'your-store.finqu.com',
  apiKey: process.env.FINQU_STOREFRONT_API_KEY, // Required: API key from Channel settings
});

// Register a new customer
const customer = await client.customer.create({
  email: 'customer@example.com',
  password: 'secure-password',
  firstName: 'John',
  lastName: 'Doe',
});

// Login
const session = await client.customer.login({
  email: 'customer@example.com',
  password: 'secure-password',
});

// Use authenticated requests
client.setAccessToken(session.accessToken);
const currentCustomer = await client.customer.getCurrent();
```

## Security Best Practices

- **Never store passwords** - Always use secure password hashing
- **Use HTTPS** - Always use HTTPS in production
- **Token expiration** - Implement token refresh logic
- **Secure storage** - Store tokens securely (httpOnly cookies recommended)
- **CSRF protection** - Implement CSRF protection for mutations

## Next Steps

- [Storefront GraphQL API Authentication](/apis-and-tools/storefront/authentication)
- [Storefront SDK Documentation](./storefront-sdk/overview)
- [Nexus Theme](./nexus-theme/overview)
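The following is an added example, not Finqu documentation or SDK code, showing how a server-side storefront can apply the token-expiration, secure-storage and CSRF points above to the `customerAccessToken` (`accessToken`, `expiresAt`) returned by `customerAccessTokenCreate`. The cookie name `sf_session`, the 5-minute refresh margin and the CSRF secret are assumptions; the token values used in the comments are constructed.

```typescript
// Added example: server-side handling of a Storefront customer access token.
import { createHmac, randomBytes, timingSafeEqual } from 'crypto';

// Shape of the customerAccessToken object returned by the login mutation
interface CustomerAccessToken { accessToken: string; expiresAt: string }

const REFRESH_SKEW_MS = 5 * 60 * 1000; // assumed: refresh 5 minutes before expiresAt

// Token expiration: decide whether a stored token must be refreshed before use.
// An unparsable expiresAt is treated as already expired rather than trusted.
function needsRefresh(token: CustomerAccessToken, now: Date = new Date()): boolean {
  const exp = Date.parse(token.expiresAt);
  if (Number.isNaN(exp)) return true;
  return exp - now.getTime() <= REFRESH_SKEW_MS;
}

// Secure storage: Set-Cookie value that keeps the token away from page scripts
// (HttpOnly), off plain HTTP (Secure) and bound to the token's own lifetime.
function sessionCookie(token: CustomerAccessToken): string {
  const expires = new Date(token.expiresAt).toUTCString();
  return [
    `sf_session=${encodeURIComponent(token.accessToken)}`,
    'HttpOnly', 'Secure', 'SameSite=Lax', 'Path=/', `Expires=${expires}`,
  ].join('; ');
}

// CSRF protection: token = random nonce + HMAC over it under a server secret
// (assumed to come from the environment). The page echoes it in a request header.
function issueCsrfToken(secret: string): string {
  const nonce = randomBytes(16).toString('hex');
  const mac = createHmac('sha256', secret).update(nonce).digest('hex');
  return `${nonce}.${mac}`;
}

function verifyCsrfToken(secret: string, token: string | undefined): boolean {
  if (!token) return false;
  const [nonce, mac] = token.split('.');
  if (!nonce || !mac || !/^[0-9a-f]{64}$/.test(mac)) return false; // 32-byte SHA-256 MAC
  const expected = createHmac('sha256', secret).update(nonce).digest('hex');
  return timingSafeEqual(Buffer.from(mac, 'hex'), Buffer.from(expected, 'hex'));
}

// Gate for the GraphQL proxy: queries pass, mutations need a valid CSRF header.
function allowRequest(query: string, csrfHeader: string | undefined, secret: string): boolean {
  const isMutation = /^\s*mutation\b/i.test(query);
  return !isMutation || verifyCsrfToken(secret, csrfHeader);
}
```

Because the cookie is `HttpOnly`, the browser never reads the access token; only the server attaches it to Storefront API calls, and `allowRequest` refuses to forward a mutation such as `customerCreate` without the matching CSRF header.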