Commerce Engine authentication and user management. Anonymous auth, OTP login (email/phone/WhatsApp), password auth, token refresh, user profiles, and customer groups.
```
npx skill4agent add commercengine/skills ce-auth
```

LLM Docs Header: All requests to https://llm-docs.commercengine.io must include the `Accept: text/markdown` header (or append `.md` to the URL path). Without it, responses return HTML instead of parseable markdown.

Prerequisite: SDK must be initialized. See `setup/` if not done.
| Auth Method | SDK Method | Use Case |
|---|---|---|
| Anonymous | `sdk.auth.getAnonymousToken()` | Every new visitor, required first step |
| Email OTP | `sdk.auth.loginWithEmail()` → `sdk.auth.verifyOtp()` | Passwordless email login |
| Phone OTP | `sdk.auth.loginWithPhone()` → `sdk.auth.verifyOtp()` | Passwordless phone login |
| WhatsApp OTP | `sdk.auth.loginWithWhatsApp()` → `sdk.auth.verifyOtp()` | Passwordless WhatsApp login |
| Password | `sdk.auth.loginWithPassword()` | Traditional email/password login |
| Token Refresh | `sdk.auth.refreshToken()` | Renew expired access token |
```text
User Request
│
├─ New visitor / first load
│  └─ sdk.auth.getAnonymousToken()
│
├─ "Login" / "Sign in"
│  ├─ Passwordless (recommended)
│  │  ├─ Email → loginWithEmail() → verifyOtp()
│  │  ├─ Phone → loginWithPhone() → verifyOtp()
│  │  └─ WhatsApp → loginWithWhatsApp() → verifyOtp()
│  └─ Password → loginWithPassword()
│
├─ "User profile" / "Account"
│  └─ sdk.auth.getUserDetails() / sdk.auth.updateUserDetails()
│
└─ "Token expired" / 401 error
   └─ sdk.auth.refreshToken()
```

| State | How Created | Capabilities |
|---|---|---|
| Anonymous | `sdk.auth.getAnonymousToken()` | Browse catalog, manage cart, analytics tracking |
| Logged-in | OTP verification or password login | All anonymous + orders, addresses, profile, loyalty |
```javascript
// Anonymous auth: required first step for every new visitor
const { data, error } = await sdk.auth.getAnonymousToken();
// Tokens are automatically stored and managed
// Now the user can browse products, add to cart, etc.
```

```javascript
// 1. Initiate login (also registers new users automatically)
const { data, error } = await sdk.auth.loginWithEmail({
  email: "user@example.com",
  register_if_not_exists: true, // Seamless login + registration
});
if (error) return handleError(error);
const { otp_token, otp_action } = data;
// 2. User enters OTP from their email...
// 3. Verify OTP
const { data: authData, error: verifyError } = await sdk.auth.verifyOtp({
  otp: "123456", // From user input
  otp_token: otp_token, // From step 1
  otp_action: otp_action, // From step 1
});
if (verifyError) return handleError(verifyError);
// Tokens are automatically updated — user is now logged in
```

```javascript
// Phone OTP: same shape as the email flow, with country code
const { data, error } = await sdk.auth.loginWithPhone({
  phone: "9876543210",
  country_code: "+91",
  register_if_not_exists: true,
});
// Then verify with sdk.auth.verifyOtp() same as email flow
```

```javascript
// Password login
const { data, error } = await sdk.auth.loginWithPassword({
  email: "user@example.com",
  password: "securepassword",
});
// Tokens automatically managed on success
```

```javascript
// The SDK handles this automatically with tokenStorage
// For manual refresh:
const { data, error } = await sdk.auth.refreshToken({
  refresh_token: storedRefreshToken,
});
```

```javascript
// Get user details
const { data, error } = await sdk.auth.getUserDetails({ id: userId });
// Update user details (separate bindings so the block compiles as one script)
const { data: updated, error: updateError } = await sdk.auth.updateUserDetails({ id: userId }, {
  first_name: "Jane",
  last_name: "Doe",
});
```

```javascript
// Change password (logged-in user)
const { data, error } = await sdk.auth.changePassword({
  old_password: "currentPass",
  new_password: "newPass",
  confirm_password: "newPass",
});
// Forgot password flow
const { data: forgotData, error: forgotError } = await sdk.auth.forgotPassword({ email: "user@example.com" });
if (forgotError) return handleError(forgotError);
// Returns otp_token → user enters OTP → then:
const { data: resetData, error: resetError } = await sdk.auth.resetPassword({
  otp_token: forgotData.otp_token,
  new_password: "newPass",
});
```

| Level | Issue | Solution |
|---|---|---|
| CRITICAL | Calling API without anonymous auth | Always call `sdk.auth.getAnonymousToken()` on first load |
| CRITICAL | Storing tokens insecurely | Use the SDK's built-in token storage (`tokenStorage`); tokens are stored and managed automatically |
| HIGH | Separate login/register flows | Use `register_if_not_exists: true` |
| HIGH | Forgetting `otp_token` or `otp_action` in `verifyOtp()` | Must pass both `otp_token` and `otp_action` from the login response |
| HIGH | Not handling 401 errors | Implement token refresh — if refresh fails, re-authenticate |
| MEDIUM | Ignoring `error` | Always check `error` before using `data` |
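Added example (not from the Commerce Engine docs or SDK) of the 401 handling the table recommends: refresh once and retry, and fall back to a fresh anonymous session when the refresh itself fails. It assumes the `{ data, error }` result shape shown above and that `error.status` carries the HTTP status; `makeFakeSdk` is a constructed stand-in for the real client so the block runs offline.

```javascript
// Wraps one SDK call: on a 401, refresh the access token and retry once; if the
// refresh itself fails, fall back to a fresh anonymous session so browsing keeps
// working and the app can prompt for a real login again.
// Assumption: error objects carry the HTTP status in `error.status`.
async function withTokenRefresh(sdk, call, storedRefreshToken) {
  const first = await call();
  if (!first.error || first.error.status !== 401) return first;

  const refreshed = await sdk.auth.refreshToken({ refresh_token: storedRefreshToken });
  if (!refreshed.error) return call(); // retry exactly once with the new token

  // Refresh token expired or revoked: re-authenticate as anonymous and report
  // that this request needs a real login.
  const anon = await sdk.auth.getAnonymousToken();
  if (anon.error) return anon;
  return { data: null, error: { status: 401, message: "re-authentication required" } };
}

// Constructed stand-in for the SDK (not the real Commerce Engine client). It only
// reproduces the { data, error } result shape used on this page.
function makeFakeSdk({ refreshSucceeds }) {
  let loggedIn = false;
  const calls = [];
  return {
    calls,
    auth: {
      refreshToken: async () => {
        calls.push("refreshToken");
        if (!refreshSucceeds) return { data: null, error: { status: 401, message: "refresh expired" } };
        loggedIn = true;
        return { data: { access_token: "new-token" }, error: null };
      },
      getAnonymousToken: async () => {
        calls.push("getAnonymousToken");
        loggedIn = false;
        return { data: { access_token: "anon-token" }, error: null };
      },
    },
    // Stands in for a protected call such as listOrders(): 401 until logged in.
    listOrders: async () => {
      calls.push("listOrders");
      return loggedIn
        ? { data: { orders: [] }, error: null }
        : { data: null, error: { status: 401, message: "token expired" } };
    },
  };
}
```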
See also: `setup/`, `cart-checkout/`, `orders/`, `nextjs-patterns/`