Storefront API authentication and the Web checkout


We're using the Storefront API for our shop. Customers log in to the storefront using the `customerAccessTokenCreate` mutation. We then associate the checkout with the customer using the `checkoutCustomerAssociateV2` mutation. However, when we direct the user to the web checkout, they're not authenticated.

If they click the login link, they're taken to the custom domain login page where they can authenticate using the themes engine store. This is not ideal as they have to authenticate twice.

From spelunking through the forums and various Github issues, this appears to be the case because of valid security concerns. Is this still the case?

I am also unsure what the purpose of `checkoutCustomerAssociateV2` and `customerAccessTokenCreate` is if, when you come to the most important part of most shops, the checkout, you're asked to log in again.

What's the recommended implementation for the Storefront API? Should we be using the Themes Engine for all authenticated views (account management, etc.) and only use the Storefront API to build the anonymous parts of our storefront?
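The two-step flow the question describes (log the customer in with `customerAccessTokenCreate`, attach the resulting token to the checkout with `checkoutCustomerAssociateV2`, then redirect to the checkout's `webUrl`), as an added example that is not part of the original post or of Shopify's own code. The mutation and field names are assumed from the Storefront API schema and should be checked against the API version the shop uses; the endpoint shape in `makeStorefrontTransport`, the `fakeTransport` responses, the token value and the URLs are constructed for the example. The transport is injected so the flow runs offline.

```javascript
// Added example, not code from the original post. Models the Storefront API
// flow: customerAccessTokenCreate, then checkoutCustomerAssociateV2, then
// redirect to checkout.webUrl. Mutation/field names are assumed from the
// Storefront API schema; verify against your API version.

const CUSTOMER_ACCESS_TOKEN_CREATE = `
mutation customerAccessTokenCreate($input: CustomerAccessTokenCreateInput!) {
  customerAccessTokenCreate(input: $input) {
    customerAccessToken { accessToken expiresAt }
    customerUserErrors { code field message }
  }
}`;

const CHECKOUT_CUSTOMER_ASSOCIATE_V2 = `
mutation checkoutCustomerAssociateV2($checkoutId: ID!, $customerAccessToken: String!) {
  checkoutCustomerAssociateV2(checkoutId: $checkoutId, customerAccessToken: $customerAccessToken) {
    checkout { id webUrl }
    checkoutUserErrors { code field message }
  }
}`;

// Transport for a live shop: POST to the Storefront GraphQL endpoint with the
// public storefront access token (assumed endpoint shape; not exercised offline).
function makeStorefrontTransport(shopDomain, apiVersion, storefrontToken) {
  return async (query, variables) => {
    const res = await fetch(`https://${shopDomain}/api/${apiVersion}/graphql.json`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
        'X-Shopify-Storefront-Access-Token': storefrontToken,
      },
      body: JSON.stringify({ query, variables }),
    });
    return res.json();
  };
}

// Pure parsers: turn a GraphQL response body into a result the caller can act on.
function parseCustomerAccessTokenCreate(body) {
  if (body.errors && body.errors.length) return { ok: false, reason: 'graphql_error' };
  const p = body.data.customerAccessTokenCreate;
  // A wrong email or password comes back as a customerUserError, not a GraphQL
  // error. Report a generic failure so the UI does not reveal which field was wrong.
  if (p.customerUserErrors.length || !p.customerAccessToken) return { ok: false, reason: 'invalid_credentials' };
  return { ok: true, token: p.customerAccessToken.accessToken, expiresAt: p.customerAccessToken.expiresAt };
}

function parseCheckoutCustomerAssociateV2(body) {
  if (body.errors && body.errors.length) return { ok: false, reason: 'graphql_error' };
  const p = body.data.checkoutCustomerAssociateV2;
  if (p.checkoutUserErrors.length || !p.checkout) {
    return { ok: false, reason: p.checkoutUserErrors.map((e) => e.code).join(',') || 'no_checkout' };
  }
  return { ok: true, webUrl: p.checkout.webUrl };
}

// Full flow: log in, associate, hand back the checkout webUrl for the redirect.
// The customer access token is a bearer credential: keep it server-side or in
// memory, and never put it in the redirect URL or in logs. webUrl itself carries
// no session, which is why the web checkout still asks the customer to log in.
async function loginAndAssociateCheckout(gql, { email, password, checkoutId }) {
  const login = parseCustomerAccessTokenCreate(
    await gql(CUSTOMER_ACCESS_TOKEN_CREATE, { input: { email, password } }));
  if (!login.ok) return login;
  const assoc = parseCheckoutCustomerAssociateV2(
    await gql(CHECKOUT_CUSTOMER_ASSOCIATE_V2, { checkoutId, customerAccessToken: login.token }));
  if (!assoc.ok) return assoc;
  return { ok: true, webUrl: assoc.webUrl, tokenExpiresAt: login.expiresAt };
}

// Constructed fake transport with canned responses so the flow runs offline.
const FAKE_TOKEN = 'constructed-customer-token';
function fakeTransport() {
  return async (query, variables) => {
    if (query.includes('customerAccessTokenCreate')) {
      const { email, password } = variables.input;
      if (email === 'customer@example.com' && password === 'correct-horse') {
        return { data: { customerAccessTokenCreate: {
          customerAccessToken: { accessToken: FAKE_TOKEN, expiresAt: '2030-01-01T00:00:00Z' },
          customerUserErrors: [] } } };
      }
      return { data: { customerAccessTokenCreate: { customerAccessToken: null,
        customerUserErrors: [{ code: 'UNIDENTIFIED_CUSTOMER', field: ['input'], message: 'Unidentified customer' }] } } };
    }
    if (query.includes('checkoutCustomerAssociateV2')) {
      if (variables.customerAccessToken !== FAKE_TOKEN) {
        return { data: { checkoutCustomerAssociateV2: { checkout: null,
          checkoutUserErrors: [{ code: 'INVALID', field: ['customerAccessToken'], message: 'Invalid token' }] } } };
      }
      return { data: { checkoutCustomerAssociateV2: {
        checkout: { id: variables.checkoutId, webUrl: 'https://shop.example.com/checkouts/constructed' },
        checkoutUserErrors: [] } } };
    }
    throw new Error('unexpected query');
  };
}
```

The parsers are kept separate from the transport so that user errors (which arrive in `customerUserErrors` / `checkoutUserErrors` with a 200 response) are handled explicitly rather than being mistaken for success; with a real shop, swap `fakeTransport()` for `makeStorefrontTransport(shopDomain, apiVersion, storefrontToken)`.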