ce-auth
LLM Docs Header: All requests to
https://llm-docs.commercengine.iomust include theAccept: text/markdownheader (or append.mdto the URL path). Without it, responses return HTML instead of parseable markdown.
Authentication & User Management
Prerequisite: SDK must be initialized. See
setup/if not done.
When to Implement Auth Directly
If using Hosted Checkout, login and registration are usually handled inside the checkout drawer. Build custom auth UI only when the storefront needs logged-in state outside checkout, for example:
- account pages
- saved addresses
- order history
- loyalty or wallet pages
- a persistent signed-in header state
Current Mental Model
- Public product and category reads can use
public()and do not require anonymous auth. - Live cart, account, and checkout flows should use the session client.
- In managed session mode, the SDK can bootstrap anonymous auth automatically on the first token-required request.
- If you need the anonymous session eagerly, call
sdk.ensureAccessToken()once during startup.
Quick Reference
| Auth Method | Endpoint | Use Case |
|---|---|---|
| Anonymous bootstrap | sdk.ensureAccessToken() or sdk.auth.getAnonymousToken() |
Start a live session |
| Email OTP | sdk.auth.loginWithEmail() -> sdk.auth.verifyOtp() |
Passwordless email login |
| Phone OTP | sdk.auth.loginWithPhone() -> sdk.auth.verifyOtp() |
Passwordless phone login |
| WhatsApp OTP | sdk.auth.loginWithWhatsApp() -> sdk.auth.verifyOtp() |
Passwordless WhatsApp login |
| Password login | sdk.auth.loginWithPassword() |
Traditional login |
| Password registration | sdk.auth.registerWithPassword() -> OTP verification |
Password sign-up |
| Forgot password | sdk.auth.forgotPassword() -> sdk.auth.resetPassword() |
Reset password with OTP |
| Token refresh | sdk.auth.refreshToken() |
Renew expired access token |
Decision Tree
User Request
│
├─ Public catalog-only page
│ └─ No auth bootstrap needed; use public()
│
├─ New visitor starting a live session
│ └─ sdk.ensureAccessToken()
│
├─ "Login" / "Sign in"
│ ├─ Passwordless → loginWithEmail/Phone/WhatsApp() → verifyOtp()
│ └─ Password → loginWithPassword()
│
├─ "Register"
│ └─ registerWithPassword() / registerWithPhonePassword() → verifyOtp()
│
├─ "Forgot password"
│ └─ forgotPassword() → resetPassword()
│
├─ "Account" / "Profile"
│ └─ getUserDetails() / updateUserDetails()
│
└─ "Token expired" / 401
└─ refreshToken() or rely on managed session refresh
User States
| State | How Created | Capabilities |
|---|---|---|
| Public | public() accessor only |
Public catalog/store/helper reads |
| Anonymous session | sdk.ensureAccessToken() or /auth/anonymous |
Cart, checkout, analytics, session continuity |
| Logged-in session | OTP verification, password login, or password reset completion | All anonymous capabilities plus account, orders, addresses, loyalty |
User ID vs Customer ID
For most stores, user_id and customer_id are the same value — one user = one customer. In B2B storefronts, one customer can have multiple users (e.g., a company account with multiple employees).
The SDK exposes helpers to fetch both:
const userId = await sdk.getUserId();
const customerId = await sdk.getCustomerId();
Most SDK methods that require a user or customer ID have parameterless overloads that auto-resolve from the current session. For example, sdk.cart.getUserCart() (no params) fetches the cart for the logged-in user automatically. Only pass IDs explicitly when operating on behalf of a different user (admin scenarios).
Key Patterns
Start a live anonymous session
const sdk = storefront.session();
await sdk.ensureAccessToken();
Call this once during startup if you want eager bootstrap. Do not repeat it before ordinary session-aware cart, order, or customer calls.
OTP Login Flow (Email)
const { data, error } = await sdk.auth.loginWithEmail({
email: "user@example.com",
register_if_not_exists: true,
});
if (error) throw error;
const { otp_token, otp_action } = data!;
const { error: verifyError } = await sdk.auth.verifyOtp({
otp: "123456",
otp_token,
otp_action,
});
if (verifyError) throw verifyError;
Password Login
const { data, error } = await sdk.auth.loginWithPassword({
email: "user@example.com",
password: "securepassword",
});
if (error) throw error;
Password Registration
Password registration is OTP-first in the latest contract.
const { data, error } = await sdk.auth.registerWithPassword({
email: "user@example.com",
password: "securepassword",
confirm_password: "securepassword",
});
if (error) throw error;
await sdk.auth.verifyOtp({
otp: "123456",
otp_token: data!.otp_token,
otp_action: data!.otp_action,
});
Forgot Password
const { data, error } = await sdk.auth.forgotPassword({
email: "user@example.com",
});
if (error) throw error;
await sdk.auth.resetPassword({
otp: "123456",
otp_token: data!.otp_token,
new_password: "newPass123",
confirm_password: "newPass123",
});
User Profile
Auth client methods require explicit IDs (no parameterless overloads). Use sdk.getUserId() to get the current user's ID:
const userId = await sdk.getUserId();
const { data: userData } = await sdk.auth.getUserDetails({ id: userId! });
await sdk.auth.updateUserDetails({ id: userId! }, {
first_name: "Jane",
last_name: "Doe",
});
Key Feature: register_if_not_exists
Setting register_if_not_exists: true on login endpoints eliminates separate login and sign-up entry points. If the user does not exist, Commerce Engine creates the account and continues the OTP flow.
This is also the recommended approach for checkout auth — there is no separate "guest checkout" flow. The user provides their email or phone, gets verified via OTP, and the account is created if needed. This path of least resistance ensures address verification and order attribution. Hosted Checkout handles this entire flow automatically.
Logout
Logout is handled by Hosted Checkout when using managed auth mode — the checkout UI includes login/logout. The SDK also exposes sdk.auth.logout() for custom logout buttons:
const { data, error } = await sdk.auth.logout();
logout() does not clear tokens — it returns new tokens with reduced privileges. The session continues with full continuity (same cart, same analytics trail), but the user is no longer in a logged-in state. The SDK's onTokensUpdated callback fires with the new tokens, so Hosted Checkout (if using authMode: "provided") automatically receives them.
Common Pitfalls
| Level | Issue | Solution |
|---|---|---|
| CRITICAL | Using public() for auth or account operations |
Use the session client |
| CRITICAL | Assuming every page needs anonymous auth | Public reads do not; only live session flows do |
| HIGH | Building separate login and sign-up flows by default | Prefer register_if_not_exists: true where appropriate |
| HIGH | Forgetting otp_token and otp_action between steps |
Persist both and pass them to verifyOtp() |
| HIGH | Storing tokens insecurely or with the wrong storage for the runtime | Use managed session storage appropriate to the environment |
| MEDIUM | Ignoring { data, error } |
Always check error before using data |
See Also
setup/- SDK installation and session storagecart-checkout/- Checkout flows and Hosted Checkoutorders/- Logged-in order flowsssr-patterns/- Server Actions/functions for auth mutations (Next.js, TanStack Start)
Documentation
- Authentication Guide: https://www.commercengine.io/docs/storefront/authentication
- My Account: https://www.commercengine.io/docs/storefront/my-account
- LLM Reference: https://llm-docs.commercengine.io/storefront/operations/get-anonymous-token