Customer accounts
Storefront customers have brand-scoped identities that are separate from InBlack operator accounts. The SDK supports passwordless email and optional Google sign-in, then uses a customer bearer token for account routes.
Passwordless sign-in
Start a challenge:
const challenge = await commerce.auth.challenge("alex@example.com");The service sends a magic link and one-time code according to the brand’s auth settings. Verify either the link token or the challenge ID plus code:
const session = await commerce.auth.verify({ challenge_id: challenge.challenge_id, otp: enteredCode,});
commerce.setToken(session.access_token);Challenges expire after 15 minutes. Challenge creation deliberately returns a neutral success shape when its internal anti-abuse limit is reached, which reduces account enumeration signals.
Google sign-in
Google OAuth is optional per brand and also requires provider configuration in the service.
const start = await commerce.auth.googleStart(returnUrl);window.location.assign(start.authorize_url);The signed state expires after 15 minutes. Browser redirects return through GET /storefront/v1/auth/oauth/google/callback (the owned /customer-auth/v1/oauth/google/callback route is also registered). An application handling the authorization code itself can call:
const session = await commerce.auth.googleCallback({ code, state });Apple and Facebook sign-in are not implemented in the current storefront auth service.
Session lifetime
The default access-token lifetime is 60 minutes and the default refresh-token lifetime is 30 days. Both are configurable per brand through customer auth settings, so clients should use the returned expires_at instead of assuming the defaults.
const refreshed = await commerce.auth.refresh(session.refresh_token);commerce.setToken(refreshed.access_token);Refresh rotates the session credentials. Replace both stored tokens with the returned pair. Use auth.logout(refresh_token) to revoke one session or auth.logoutAll() with an authenticated customer to revoke all sessions.
Account surface
After setToken(), the SDK supports:
account.get()andaccount.update()for profile data.- Account order list, detail, and reorder.
- Address list, add, update, delete, and default selection.
- Wishlist methods and B2B memberships.
- The
portalnamespace for account projections and supported portal capabilities.
The server validates that every account resource belongs to the authenticated customer and brand. A Storefront SDK key alone cannot read customer account data.
Storage guidance
Keep refresh tokens out of JavaScript-readable storage when your architecture can use a secure server session. Clear the SDK token immediately on logout or an unrecoverable refresh failure. Do not log access tokens, refresh tokens, one-time codes, or OAuth authorization codes.