Skip to content
AM

Customer accounts

Storefront customers have brand-scoped identities that are separate from InBlack operator accounts. The SDK supports passwordless email and optional Google sign-in, then uses a customer bearer token for account routes.

Passwordless sign-in

Start a challenge:

const challenge = await commerce.auth.challenge("alex@example.com");

The service sends a magic link and one-time code according to the brand’s auth settings. Verify either the link token or the challenge ID plus code:

const session = await commerce.auth.verify({
challenge_id: challenge.challenge_id,
otp: enteredCode,
});
commerce.setToken(session.access_token);

Challenges expire after 15 minutes. Challenge creation deliberately returns a neutral success shape when its internal anti-abuse limit is reached, which reduces account enumeration signals.

Google sign-in

Google OAuth is optional per brand and also requires provider configuration in the service.

const start = await commerce.auth.googleStart(returnUrl);
window.location.assign(start.authorize_url);

The signed state expires after 15 minutes. Browser redirects return through GET /storefront/v1/auth/oauth/google/callback (the owned /customer-auth/v1/oauth/google/callback route is also registered). An application handling the authorization code itself can call:

const session = await commerce.auth.googleCallback({ code, state });

Apple and Facebook sign-in are not implemented in the current storefront auth service.

Session lifetime

The default access-token lifetime is 60 minutes and the default refresh-token lifetime is 30 days. Both are configurable per brand through customer auth settings, so clients should use the returned expires_at instead of assuming the defaults.

const refreshed = await commerce.auth.refresh(session.refresh_token);
commerce.setToken(refreshed.access_token);

Refresh rotates the session credentials. Replace both stored tokens with the returned pair. Use auth.logout(refresh_token) to revoke one session or auth.logoutAll() with an authenticated customer to revoke all sessions.

Account surface

After setToken(), the SDK supports:

  • account.get() and account.update() for profile data.
  • Account order list, detail, and reorder.
  • Address list, add, update, delete, and default selection.
  • Wishlist methods and B2B memberships.
  • The portal namespace for account projections and supported portal capabilities.

The server validates that every account resource belongs to the authenticated customer and brand. A Storefront SDK key alone cannot read customer account data.

Storage guidance

Keep refresh tokens out of JavaScript-readable storage when your architecture can use a secure server session. Clear the SDK token immediately on logout or an unrecoverable refresh failure. Do not log access tokens, refresh tokens, one-time codes, or OAuth authorization codes.