Customer authentication
Customer authentication is separate from Admin API authentication. Customer tokens grant access only to the shopper-facing identity and operations represented by that customer session.
Sign in
Call customerAccessTokenCreate with email and password. The payload returns an access token, refresh token, and access-token lifetime in seconds.
Send the access token as Authorization: Bearer <token> for customer and other authenticated requests.
Store and refresh safely
Treat both tokens as secrets. In browser applications, prefer an encrypted, Secure, HttpOnly, SameSite cookie managed by your server or backend-for-frontend; avoid exposing refresh tokens to JavaScript or persistent browser storage.
Refresh through customerAccessTokenRefresh before or after access-token expiry according to your session design. Replace both stored tokens with the newly returned pair. If refresh fails, clear the local session and require sign-in instead of retrying indefinitely.
Registration and recovery
customerRegister begins registration with an email address. Activation and password setup use the token delivered through your configured customer email workflow. Password-reset operations follow the same token-based pattern.
Do not reveal whether an email exists through custom UI wording, logs, or timing differences. Show a neutral confirmation such as “If the account exists, we sent instructions.”
Cart association
Create signed-in carts with the customer context, or update the cart after authentication. After sign-in, re-query the cart because customer groups can change prices, discounts, shipping methods, and payment gateway eligibility.