AuthenticationService (accessed via client.authentication) is the gateway to obtaining customer session tokens. It handles customer registration, login, passwordless flows, password management, and session refresh.
Every customer-scoped operation across the SDK — on client.customers, client.cartWishlist, client.giftCards, and client.messaging — requires the access_token minted here to be passed as the xAuthToken header.
Already using your own auth provider? If your storefront authenticates through Auth0, Clerk, Cognito, Firebase, NextAuth, SSO, or any other external identity system, you don’t need this service. Use
CustomersService to provision Galactic Core customer records directly from your backend. See Customers and Auth for the decision matrix.The Customer Session Lifecycle
Access tokens are JWTs valid for 1 hour. Refresh tokens are long-lived but single-use — each
refreshToken call returns a brand-new refresh token that supersedes the previous one.Core Authentication
register
Create a new customer account. On success, returns 201 Created along with session tokens so you can log the user in immediately.
Pass marketing_consent: true when the sign-up form includes a marketing opt-in box and the customer checked it. It defaults to false (opt-in) — a customer is never subscribed to marketing without affirmative consent. The customer can change this later via updateCustomer.
Response (201)
login
Authenticate an existing customer using their email and password. Returns 200 OK.
logout
Invalidate the current session. Revokes both the access and refresh tokens on the server. Returns 200 OK.
Passwordless Flows (Magic Links & OTP)
sendMagicLink
Send a passwordless authentication link and a 6-digit OTP code to the customer’s email. Codes are valid for 15 minutes. Returns 200 OK with a hint to check email.
verifyOtp
Verify the 6-digit OTP code emitted by sendMagicLink to complete authentication. Returns 200 OK with the same response shape as login (message, user, customer, session).
Password Management
resetPassword
Trigger a password reset email for a customer who has forgotten their password. Returns 200 OK.
updatePassword
Update the password for the currently authenticated user. Returns 200 OK.
Session Utilities
refreshToken
Exchange a refresh token for a fresh access token. Returns 200 OK with a brand-new session object (including a rotated refresh_token).
getCurrentUser
Retrieve the lightweight identity of the currently authenticated user — useful right after login to confirm “who am I?” Also routed as GET /v1/auth/me. Returns 200 OK with { user, customer }.
Response (200)
Looking for the full customer profile?
getCurrentUser returns just enough to identify the customer (id, email, basic fields). For the complete profile — addresses, store metrics, purchase history, status — call CustomersService.getCustomer. The same xAuthToken works there. Profile edits (address change, name change, etc.) also live on CustomersService via updateCustomer.Full Lifecycle Example
This walks the customer from sign-in, through a cart mutation and checkout, to logout — showing wherexAuthToken flows.
Response Codes
Token Lifetime: Access tokens are valid for 1 hour. We recommend implementing an interceptor in your application to automatically call
refreshToken before the access token expires.
