Skip to main content
The Storefront API uses OTP-based authentication. Customers receive a 4-digit verification code via SMS or email, verify it, and receive a Bearer token for authenticated requests.

Flow Overview

  1. Start — Send phone number or email to receive an OTP code
  2. Verify — Submit the OTP code to verify identity
  3. Complete — (New customers only) Provide name and email to finish registration

POST /auth/start

Start an authentication session. Auto-detects the type based on provided fields.

Authentication

None required (guest endpoint).

Request

Headers

Body Parameters

Provide either country_code + phone for phone authentication, or email for email authentication. The API auto-detects which flow to use.

Example Request

Response

Success (200)

Error Responses


POST /auth/phone/start

Dedicated phone authentication endpoint. Behaves identically to POST /auth/start with phone parameters but enforces phone-specific validation.

Body Parameters


POST /auth/initiate

Legacy authentication endpoint. Accepts a type field and nested data object instead of top-level fields.

Authentication

None required (guest endpoint).

Body Parameters

Response

Same as POST /auth/start.
This is a legacy endpoint maintained for backward compatibility. New integrations should use POST /auth/start instead.

POST /auth/verify

Verify the OTP code sent to the customer’s phone or email.

Authentication

None required (guest endpoint).

Request

Headers

Body Parameters

Example Request

Response

Existing Customer (200)

When the customer already exists in this store:

Customer From Another Store (200)

When the customer exists in another store but not in this one, a new customer record is automatically created for this store:
The type field can be either "authenticated" (existing customer in this store) or "new_customer" (auto-created from another store). Both cases return a token and the customer can proceed immediately.

New Customer (200)

When the phone/email is not registered in any store, the response indicates registration is required:
When requires_registration is true, you must call POST /auth/complete to finish creating the customer account.

Error Responses


POST /auth/phone/verify

Dedicated phone verification endpoint. Behaves identically to POST /auth/verify.

POST /auth/resend

Resend the OTP code for an active session.

Authentication

None required (guest endpoint).

Request

Body Parameters

Example Request

Response

Success (200)

Error Responses


POST /auth/phone/resend

Dedicated phone resend endpoint. Behaves identically to POST /auth/resend.

POST /auth/complete

Complete registration for new customers after OTP verification.

Authentication

None required (guest endpoint). Requires a verified session token.

Request

Body Parameters

Example Request

Response

Success (200)

Error Responses


Rate Limits Summary

Session Expiry

OTP sessions expire after 5 minutes. Expired sessions are automatically cleaned up. If a session expires, the customer must restart the authentication flow from POST /auth/start.