
Customer Authentication

Configure customer authentication — SMS code, email/password, Apple, Google, and Facebook sign-in. The full registration, verification, and login flow with API examples.


Storefront provides a complete authentication system for your customers. On successful authentication, the API returns a Sanctum personal access token. Your customer-facing app stores this token and includes it on every authenticated request via the Customer-Token header (the storefront key still goes in Authorization: Bearer).

GET /storefront/v1/customers/me
Authorization: Bearer store_your_store_key
Customer-Token: 1|VlKK7lZ...

Authentication Methods

SMS Code (default)

The most common method for on-demand delivery apps. No password required — a one-time code is sent to the customer's phone.

Email / Phone + Password

Traditional credentials login. The login endpoint accepts an identity field that can be either an email or a phone number, plus a password.

Social Sign-In

Storefront supports:

  • Apple Sign-In — required by Apple for iOS apps that offer other social logins
  • Google Sign-In
  • Facebook Sign-In

Each social provider has its own login endpoint and required parameters — see Social Login below.

Registration Flow

Registration is a two-step flow. The customer first requests a verification code, then submits their details along with the code.

1. Request a verification code

POST /storefront/v1/customers/request-creation-code
Authorization: Bearer store_your_store_key

{
  "phone": "+15551234567"
}

The customer receives a code via SMS (or email if you pass email instead of phone).

2. Create the customer

POST /storefront/v1/customers
Authorization: Bearer store_your_store_key

{
  "name": "Jane Doe",
  "email": "customer@example.com",
  "phone": "+15551234567",
  "password": "securepassword",
  "code": "123456"
}

Phone numbers must include the international prefix (e.g. +1, +44). The API normalizes the value and prepends + automatically if missing.

Login

SMS Code Login

POST /storefront/v1/customers/login-with-sms
Authorization: Bearer store_your_store_key

{
  "phone": "+15551234567"
}

Verify the code that was sent:

POST /storefront/v1/customers/verify-code
Authorization: Bearer store_your_store_key

{
  "identity": "+15551234567",
  "code": "123456"
}

Email / Phone + Password Login

POST /storefront/v1/customers/login
Authorization: Bearer store_your_store_key

{
  "identity": "customer@example.com",
  "password": "securepassword"
}

The identity field can be either an email address or a phone number.

Response

All login endpoints return the same structure on success:

{
  "token": "1|VlKK7lZ...",
  "customer": {
    "id": "customer_abc123",
    "name": "Jane Doe",
    "email": "customer@example.com",
    "phone": "+15551234567"
  }
}

Store the token securely (e.g. iOS Keychain, Android Keystore, or expo-secure-store). Pass it on every authenticated request:

Customer-Token: 1|VlKK7lZ...

Social Login

Apple

POST /storefront/v1/customers/login-with-apple
Authorization: Bearer store_your_store_key

{
  "identityToken": "...",
  "authorizationCode": "...",
  "appleUserId": "...",
  "name": "Jane Doe"
}

Apple does not always return name/email — pass them along the first time, since they're omitted on subsequent sign-ins.

Google

POST /storefront/v1/customers/login-with-google
Authorization: Bearer store_your_store_key

{
  "idToken": "...",
  "clientId": "..."
}

Facebook

POST /storefront/v1/customers/login-with-facebook
Authorization: Bearer store_your_store_key

{
  "facebookUserId": "...",
  "email": "customer@example.com",
  "name": "Jane Doe"
}

Phone Verification (post-registration)

To verify a customer's phone after they've signed up (e.g. when they update it):

POST /storefront/v1/customers/request-phone-verification
POST /storefront/v1/customers/verify-phone-number

Account Closure

For App Store and Play Store compliance, expose an in-app account closure flow:

POST /storefront/v1/customers/account-closure
POST /storefront/v1/customers/confirm-account-closure

The first endpoint sends a confirmation code; the second confirms and closes the account.

Device Registration (push)

For push notifications to reach the customer, register their device token after authentication:

POST /storefront/v1/customers/register-device
Authorization: Bearer store_your_store_key
Customer-Token: 1|VlKK7lZ...

{
  "platform": "ios",
  "token": "<APNs or FCM device token>"
}

See Notifications for setting up the underlying APNs / FCM channels.

Stripe Helpers

If you use Stripe, two endpoints support saved-card / PaymentSheet flows:

POST /storefront/v1/customers/stripe-ephemeral-key
POST /storefront/v1/customers/stripe-setup-intent

Token Sessions

Tokens issued via these endpoints are Laravel Sanctum personal access tokens. Handle 401 Unauthorized by re-authenticating. Tokens can be revoked server-side by an admin.
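As an added example (not Fleetbase's or the Storefront App's own code), here is a small JavaScript client for the SMS login flow above that keeps the store key and the customer token in their separate headers, stores the token through an injectable store, and recovers from a 401 by re-authenticating once. The base URL, the synchronous transport function, the token store and the fake backend are assumptions constructed so the flow runs offline.

```javascript
// Added example, not Fleetbase's own code: a minimal Storefront auth client. The store
// key goes in Authorization: Bearer, the Sanctum token in Customer-Token, and a 401 leads
// to one re-authentication. transport is an injected (req) => {status, body} function
// (wrap fetch() there in a real app) so this runs offline; BASE is an assumed URL.
const BASE = 'https://api.example.com/storefront/v1';
class StorefrontAuthClient {
  // tokenStore stands in for Keychain / Keystore / expo-secure-store
  constructor(storeKey, transport, tokenStore) { Object.assign(this, { storeKey, transport, tokenStore }); }
  request(method, path, body, authenticated) {
    const headers = { Authorization: `Bearer ${this.storeKey}` };
    if (authenticated) {
      const token = this.tokenStore.get();
      if (!token) throw new Error('no customer token stored');
      headers['Customer-Token'] = token; // the customer token never goes in Authorization
    }
    return this.transport({ method, url: BASE + path, headers, body });
  }
  // SMS login: request a code, then exchange it for a personal access token.
  loginWithSms(phone, code) {
    this.request('POST', '/customers/login-with-sms', { phone }, false);
    const res = this.request('POST', '/customers/verify-code', { identity: phone, code }, false);
    if (res.status !== 200) throw new Error(`verify-code failed: ${res.status}`);
    this.tokenStore.set(res.body.token);
    return res.body.customer;
  }
  // Authenticated call; on 401 discard the stale token and re-authenticate once.
  me(reauth) {
    let res = this.request('GET', '/customers/me', undefined, true);
    if (res.status === 401) { this.tokenStore.clear(); reauth(); res = this.request('GET', '/customers/me', undefined, true); }
    return res;
  }
}

// Constructed fake backend (no network): issues a token on verify-code; revoke() mimics an admin revoking it.
function makeFakeBackend(storeKey) {
  let valid = null, issued = 0; const log = [];
  const send = (req) => {
    log.push(req);
    if (req.headers.Authorization !== `Bearer ${storeKey}`) return { status: 401, body: {} };
    if (req.url.endsWith('/login-with-sms')) return { status: 200, body: {} };
    if (req.url.endsWith('/verify-code')) {
      if (req.body.code !== '123456') return { status: 422, body: {} };
      valid = `${++issued}|constructedtoken`;
      return { status: 200, body: { token: valid, customer: { id: 'customer_abc123' } } };
    }
    return req.headers['Customer-Token'] === valid ? { status: 200, body: { id: 'customer_abc123' } } : { status: 401, body: {} };
  };
  return { send, log, revoke: () => { valid = null; } };
}
function memoryTokenStore() { let t = null; return { get: () => t, set: (v) => { t = v; }, clear: () => { t = null; } }; }
```

In a real app the transport would be an async fetch wrapper and the token store would write to the platform secure storage; the header layout and the 401 recovery stay the same.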

If you are using the open-source Storefront App, authentication is already fully implemented with SMS code, email/password, Apple, Google, and Facebook — no additional setup needed beyond enabling the social providers via env vars.
