Implement passwordless login using customerAccessTokenCreate

Topic summary

Implementing passwordless (OTP—One-Time Password) login for a Shopify-store mobile app using customerAccessTokenCreate is constrained by token expiration and the need for the customer’s password to create new tokens. Storing customer passwords is a privacy concern for the team.

Key clarifications and suggestions:

  • customerAccessTokenCreate requires a password; it cannot be truly passwordless with this mutation alone (per Shopify docs). One suggestion was to store the password encrypted (e.g., AES) and decrypt when generating tokens.
  • If on Shopify Plus, enable Multipass and use customerAccessTokenCreateWithMultipass to achieve a passwordless/SSO-like flow without storing customer passwords.

Outcomes and decisions: The original poster acknowledged the Multipass suggestion and intended to check it. No final implementation details were reported.

Current status: Unresolved. Later participants asked for updates and potential solutions.

Open questions: For non–Shopify Plus stores, whether a secure, fully passwordless approach (without storing passwords) is feasible with Shopify’s Storefront API remains unanswered.

Summarized with AI on December 25. AI used: gpt-5.

We have a Shopify app that lets users create a mobile app for their Shopify stores. Now we are trying to implement a new feature, which is passwordless login using OTP. I came across this link about the customer access token that can be generated using just the customer’s email and password, but the issue is that the token generated has an expiration. So this can cause an issue, as if we again try to create this customer access token we will need the password of that customer, which is not possible without storing the password of the customer in our databases, which can cause a potential privacy violation. So is there any way we can implement this feature without storing the password of the customers?

Hi Sandeep, instead of storing the raw password, use an encryption algorithm to encode the password and store it in the DB.

Whenever you are generating a token, read the encrypted password from the DB and decode it. For example, you can use the AES algorithm.

Hope it helps.

So, is a password necessary for customerAccessToken? Or can we implement this without a password?

Yes, a password is necessary for generating a customer access token.

Doc link

Hi Sandeep,

If you are using Shopify Plus, then enable Multipass, so that you can implement “Passwordless Login” by using this API.

Hope it helps.

1 Like

Thank You

Thank you. I will check this.

Hi @sandeepks23 - did you end up going this route? We are in a similar position and are evaluating passwordless login options. Would love to know where you ended up.

Did you find any potential solution for this (passwordless login)?