AvatarPortfolio

Authentication Approach in Headless Architecture

Achieving both customer experience and security with passwordless authentication

passwordlessauthenticationOTPsecurity
3 min read

About This Article

In headless EC, the frontend and backend are separated, making authentication mechanisms more complex. This project adopted passwordless authentication to achieve both customer experience and security.

Why Passwordless

Problems with Password Authentication

Traditional password authentication has many challenges.

Benefits of Passwordless Authentication

Authentication Flow Overview

Login Flow

Login request

Customer enters email address and clicks "Login"

Send verification code

System generates one-time password (6-digit number) and sends via email

Enter code

Customer enters received code on screen

Verify code

Verify if entered code is correct and within validity period

Issue session

On successful verification, issue token to maintain authenticated state

Maintain authentication

Subsequent requests authenticated with token. Re-login required when expired

System Integration

Passwordless Authentication Configuration
Customer

Enter email, enter OTP, access when authenticated

Your Server

OTP generation/verification, session token issuance

Email Server

Send OTP to customer via email

Security Measures

Unauthorized Access Prevention

The following measures are implemented to operate passwordless authentication safely.

Session Management Approach

Session Token Lifecycle
Login success

OTP verification passes, authentication complete

Token issuance

Issue session token with 7-day validity

Check validity on access

Valid -> Continue use / Expired -> Request re-login

Implementation Points in Headless Architecture

Frontend and Backend Separation

In headless architecture, authentication state management requires attention.

Authentication in Headless Architecture
Frontend (Next.js, etc.)

Login UI, token storage, auth state management, auto logout

Backend (API Routes)

OTP generation, OTP verification, token issuance, Shopify API integration

Token storage location: HttpOnly Cookie (recommended), sent with Secure attribute, protected with SameSite=Strict

Supporting Multiple Authentication Methods

Multiple authentication methods are supported for customer convenience.

  • Email OTP: Standard passwordless authentication
  • Shopify Customer Account API: Leverage Shopify's authentication infrastructure
  • Social login: Integration with Google, Apple, etc. (future support)

Benefits of This Authentication Method

For Customers

  • No need to remember passwords
  • Easy login with just email address
  • Reduced security concerns

For Operations

  • No password reset handling needed
  • Reduced account takeover risk
  • Simplified security implementation
Customer Data SecurityMetafield Management

Related Topics

Why Not Store Customer Data Internally

Design decisions from the perspective of security risks and legal liability

securitypersonal data protectiondata management

Choosing Not to Store Customer Data Internally

Design philosophy of storing customer data in Shopify from security and operational cost perspectives

customer dataShopifysecurity

API Authentication and Security

Security design and authentication methods for point balance retrieval API

API authenticationsecuritytoken