Customer authentication
Customer authentication in Geins provides a secure, JWT- and signature-based authentication system for managing user sessions and access control across your applications that use the merchant API.
It ensures secure credential transmission, prevents replay attacks, and provides robust session management through token-based authentication.
Use it to grant access to customer profiles, order history, and other protected resources. Also use it to identify the current user in order to provide personalized experiences or a prefilled checkout.
The term User is more commonly used in the data structure and technical documentation, while Customer is used in business and storefront contexts.
Authentication flow
The Geins authentication process follows a two-step signature-based approach, after which the issued tokens are managed by the client:
- Challenge request: Send the username to receive a signature challenge
- Credential verification: Return the signed credentials together with the password or action data
- Token management: Receive and manage the Bearer token and refresh token
This method prevents credential exposure and replay attacks while providing secure user session management.
Tokens
Two types of tokens are used for authentication:
- Bearer token: Short-lived JWT used for API authentication (default: 15 minutes)
- Refresh token: Longer-lived token used to obtain new Bearer tokens (default: 7 days)
Authentication functions
The authentication system supports five main functions:
- Registration - Create new user accounts and establish initial authentication sessions.
- Login - Authenticate existing users and establish active sessions.
- Password change - Allow users to securely update their passwords while maintaining active sessions.
- Token refresh - Maintain sessions by refreshing expired or soon-to-expire bearer tokens.
- Logout - Securely terminate user sessions and invalidate all tokens.