www/apps/resources/app/js-sdk/auth/overview/page.mdx
import { Table, CodeTabs, CodeTab } from "docs-ui"
export const metadata = {
title: Authentication in JS SDK,
}
In this guide, you'll learn about the default authentication setup when using the JS SDK, how to customize it, and how to send authenticated requests to Medusa's APIs.
The JS SDK facilitates authentication by storing and managing the necessary authorization headers or sessions for you.
There are three types of authentication:
<Table> <Table.Header> <Table.Row> <Table.HeaderCell> Method </Table.HeaderCell> <Table.HeaderCell> Description </Table.HeaderCell> <Table.HeaderCell> When to use </Table.HeaderCell> </Table.Row> </Table.Header> <Table.Body> <Table.Row> <Table.Cell> JWT token (default) </Table.Cell> <Table.Cell> When you log in a user, the JS SDK stores the JWT for you and automatically includes it in the headers of all requests to the Medusa API. This means you don't have to manually set the authorization header for each request. When the user logs out, the SDK clears the stored JWT. </Table.Cell> <Table.Cell> - You need stateless authentication. For example, you're building a mobile storefront with React Native. - Keep in mind: when logging out, the JS SDK clears the token from storage. However, if the user still has access to the token, they can still send authenticated requests. </Table.Cell> </Table.Row> <Table.Row> <Table.Cell> Cookie session </Table.Cell> <Table.Cell> When you log in a user, the JS SDK stores the session cookie for you and automatically includes it in the headers of all requests to the Medusa API. This means you don't have to manually set the authorization header for each request. When the user logs out, the SDK destroys the session cookie using Medusa's API. </Table.Cell> <Table.Cell> - You need stateful authentication. For example, you're building a web storefront with Next.js or customizations in Medusa Admin. - You want to ensure the session is revoked when the user logs out. </Table.Cell> </Table.Row> <Table.Row> <Table.Cell> Secret API Key </Table.Cell> <Table.Cell> Only available for admin users. You pass the API key in the JS SDK configurations, and it's always passed in the headers of all requests to the Medusa API. </Table.Cell> <Table.Cell> - You're authenticating the admin user. - Keep in mind: the API key must be stored securely and not exposed to the client-side code. </Table.Cell> </Table.Row> </Table.Body> </Table>The JS SDK provides a set of configurations to customize the authentication method and storage. You can set these configurations when initializing the SDK.
<Note title="Tip">For a full list of JS SDK configurations and their possible values, check out the JS SDK Overview documentation.
</Note>By default, the JS SDK uses JWT token (jwt) authentication. You can change the authentication method or type by setting the auth.type configuration to session.
For example:
import Medusa from "@medusajs/js-sdk"
export const sdk = new Medusa({
// ...
auth: {
type: "session",
},
})
To use a secret API key instead, pass it in the apiKey configuration instead:
import Medusa from "@medusajs/js-sdk"
export const sdk = new Medusa({
// ...
apiKey: "your-api-key",
})
The provided API key will be passed in the headers of all requests to the Medusa API.
By default, the JS SDK stores the JWT token in the localStorage under the medusa_auth_token key.
Some environments or use cases may require a different storage method or localStorage may not be available. For example, if you're building a mobile app with React Native, you might want to use AsyncStorage instead of localStorage.
You can change the storage method by setting the auth.jwtTokenStorageMethod configuration to one of the following values:
To use a custom storage method, you need to set the auth.jwtTokenStorageMethod configuration to custom and provide your own implementation of the storage method in the auth.storage configuration.
The object or class passed to auth.storage configuration must have the following methods:
setItem: A function that accepts a key and value to store the JWT token.getItem: A function that accepts a key to retrieve the JWT token.removeItem: A function that accepts a key to remove the JWT token from storage.For example, to use AsyncStorage in React Native:
import AsyncStorage from "@react-native-async-storage/async-storage"
import Medusa from "@medusajs/js-sdk"
let MEDUSA_BACKEND_URL = "http://localhost:9000"
if (process.env.NEXT_PUBLIC_MEDUSA_BACKEND_URL) {
MEDUSA_BACKEND_URL = process.env.NEXT_PUBLIC_MEDUSA_BACKEND_URL
}
export const sdk = new Medusa({
baseUrl: MEDUSA_BACKEND_URL,
debug: process.env.NODE_ENV === "development",
publishableKey: process.env.NEXT_PUBLIC_MEDUSA_PUBLISHABLE_KEY,
auth: {
type: "jwt",
jwtTokenStorageMethod: "custom",
storage: AsyncStorage,
},
})
In this example, you specify the jwtTokenStorageMethod as custom and set the storage configuration to AsyncStorage. This way, the JS SDK will use AsyncStorage to store and manage the JWT token instead of localStorage.
By default, if you set the auth.type configuration in the JS SDK to session, the JS SDK will pass the credentials: include option in the underlying fetch requests.
However, some platforms or environments may not support passing this option. For example, if you're using the JS SDK in a server-side environment or a mobile app, you might want to set the credentials option to same-origin or omit.
You can change the credentials option by setting the auth.fetchCredentials configuration to one of the following values:
For example:
import Medusa from "@medusajs/js-sdk"
export const sdk = new Medusa({
// ...
auth: {
type: "session",
fetchCredentials: "same-origin",
},
})
In this example, you set the fetchCredentials configuration to same-origin, which means the JS SDK will include cookies and authorization headers in the requests to the Medusa API only if the request is made to the same origin as the current page.
If you're using an API key for authentication, you don't need to log in the user.
</Note>The JS SDK has an auth.login method that allows you to login admin users, customers, or any actor type with any auth provider.
Not only does this method log in the user, but it also stores the JWT token or session cookie for you and automatically includes it in the headers of all requests to the Medusa API. This means you don't have to manually set the authorization header for each request.
For example:
<CodeTabs group="auth-actor-type"> <CodeTab label="Admin User" value="admin">sdk.auth.login("user", "emailpass", {
email,
password,
})
.then((data) => {
if (typeof data === "object" && data.location){
// authentication requires more actions
}
// user is authenticated
})
.catch((error) => {
// authentication failed
})
sdk.auth.login("customer", "emailpass", {
email,
password,
})
.then((data) => {
if (typeof data === "object" && data.location){
// authentication requires more actions
}
// customer is authenticated
})
.catch((error) => {
// authentication failed
})
sdk.auth.login("manager", "emailpass", {
email,
password,
})
.then((data) => {
if (typeof data === "object" && data.location){
// authentication requires more actions
}
// manager is authenticated
})
.catch((error) => {
// authentication failed
})
In this example, you call the sdk.auth.login method passing it the actor type (for example, user), the provider (emailpass), and the credentials.
If the authentication is successful, there are two types of returned data:
location property: This means the authentication requires more actions, which happens when using third-party authentication providers, such as Google. In that case, you need to redirect the customer to the location to complete their authentication.
If the authentication fails, the catch block will be executed, and you can handle the error accordingly.
You can learn more about this method in the auth.login reference.
If you need to set the JWT token manually, you can use the sdk.client.setToken method. All subsequent requests will be authenticated with the provided token.
For example:
sdk.client.setToken("your-jwt-token")
// all requests sent after this will be authenticated with the provided token
You can also clear the token manually as explained in the Manually Clearing JWT Token section.
If you're using an API key for authentication, you can't log out the user. You'll have to unset the API key in the JS SDK configurations.
</Note>The JS SDK has an auth.logout method that allows you to log out the currently authenticated user.
If the JS SDK's authentication type is jwt, the method will only clear the stored JWT token from the local storage. If the authentication type is session, the method will destroy the session cookie using Medusa's /auth/session API route.
Any request sent after logging out will not be authenticated, and you will need to log in again to authenticate the user.
For example:
sdk.auth.logout()
.then(() => {
// user is logged out
})
You can learn more about this method in the auth.logout reference.
If you need to clear the JWT token manually, you can use the sdk.client.clearToken method. This will remove the token from the local storage and all subsequent requests will not be authenticated.
For example:
sdk.client.clearToken()
// all requests sent after this will not be authenticated