We are excited to announce new and improved authentication methods in Medusa, built in collaboration with community contributor David Preininger.
This update introduces a new authentication method and establishes a clear separation between the three methods Medusa now supports: Session, API Token, and Bearer Authentication. The separation makes it more obvious which method to use for which case. Whether your focus is server-side communication or SPAs, our authentication primitives will meet your needs.
Authentication methods
Following this update, Medusa supports three authentication methods, each suited to a specific set of use cases.
Sessions
Our session authentication remains unchanged. This method is suitable for traditional server-side rendered web applications, such as webshops, because of its user-friendliness. Users sign in once, and the authenticated session, carried in a cookie that the browser attaches to every subsequent request, is maintained throughout the rest of the user's journey browsing the application.
API token
Our API token authentication method has been slightly updated to follow best practices and comply with established conventions. More specifically, the API token is no longer sent in the Authorization header with a Bearer prefix; it is now sent in a custom header tightly coupled with Medusa, x-medusa-access-token. The Authorization header is, not shockingly, reserved for bearer authentication. This method is suitable for server-to-server communication without direct user involvement. After upgrading, any integration that still sends its API token in the Authorization header will no longer authenticate as an API token client, so update such clients to send the x-medusa-access-token header instead.
Below is an example of using API token authentication:
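The following is an added example, not the original post's snippet and not Medusa's own code. It shows, on the client side, which header carries the credential for each of the three methods after 1.17.0, and on the server side an illustrative classifier that determines which method a request is using and rejects ambiguous or malformed requests. The session cookie name (connect.sid), the sample token values and the "exactly one method per request" rule are assumptions for illustration; they are not Medusa's implementation.

```javascript
// Added example (not Medusa's code): choosing and classifying the credential
// carrier for Session, API Token and Bearer authentication after 1.17.0.

// Client side: which header carries which credential.
function authHeaders(method, credential) {
  switch (method) {
    case 'session':
      return {}; // the browser attaches the session cookie itself
    case 'api_token':
      return { 'x-medusa-access-token': credential }; // no longer Authorization: Bearer
    case 'bearer':
      return { Authorization: `Bearer ${credential}` }; // reserved for JWT bearer auth
    default:
      throw new Error(`unknown auth method: ${method}`);
  }
}

// Server side (illustrative middleware logic, not Medusa's). Header names are
// lower-cased, as Node's http module delivers them. SESSION_COOKIE is an
// assumed cookie name for the example.
const SESSION_COOKIE = 'connect.sid';

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Returns { ok: true, method, credential } or { ok: false, reason }.
function classifyRequest(headers) {
  const found = [];
  const cookies = parseCookies(headers.cookie);
  if (cookies[SESSION_COOKIE]) {
    found.push({ method: 'session', credential: cookies[SESSION_COOKIE] });
  }
  if (headers['x-medusa-access-token']) {
    found.push({ method: 'api_token', credential: headers['x-medusa-access-token'] });
  }
  if (headers.authorization) {
    // Only the Bearer scheme is accepted here; an API token sent this way
    // (the pre-1.17.0 form) is treated as a bearer token and will fail JWT
    // verification downstream, which is exactly the breaking change.
    const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization);
    if (!m) return { ok: false, reason: 'Authorization header must use the Bearer scheme' };
    found.push({ method: 'bearer', credential: m[1] });
  }
  if (found.length === 0) return { ok: false, reason: 'no credentials presented' };
  // Example policy: refuse requests that present more than one method so the
  // three methods stay cleanly separated instead of silently picking one.
  if (found.length > 1) return { ok: false, reason: 'more than one authentication method presented' };
  return { ok: true, ...found[0] };
}

module.exports = { authHeaders, classifyRequest, parseCookies, SESSION_COOKIE };
```

Refusing a request that carries two kinds of credentials is this example's choice, not a Medusa rule; the alternative is a documented precedence order, which is harder to reason about when a stale session cookie and a fresh bearer token disagree.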
This is the only breaking change in version 1.17.0.
Bearer token
Bearer token authentication is a new method that uses JSON Web Tokens (JWTs) sent in the Authorization header, making it a suitable choice for Jamstack applications. Use this type of authentication when serving content from an API to different clients, such as SPAs or mobile applications. Because the credential travels in a header rather than a cookie, this method also sidesteps the browser cookie constraints (such as cross-site cookie restrictions when the client and the API are on different origins) that affect session authentication.
The power of building in public
This is yet another demonstration of the power of building open-source software. Our new and improved authentication methods were completed by David Preininger, who specializes in building customizable ecommerce solutions.
Thanks to David for his contribution. If you wish to contribute or have feature requests for Medusa, you are always welcome to contact our core maintainers.
What’s next
There are several possible follow-up improvements to the authentication system and to the applications that use it. We will likely update Medusa Admin to use JWT bearer authentication, as it is the better fit for the reasons given above.
Furthermore, David is working on incorporating these changes into the Medusa Authentication plugin built by core Medusa engineer Adrien. The plugin allows merchants to use additional authentication providers, including Google and Auth0.
Finally, we are considering implementing two additional features to enhance the system's flexibility and capabilities further.
Firstly, we aim to add native support for extending the authentication system with custom methods. This will allow for a more seamless integration of authentication methods specific to your business.
Secondly, we plan to introduce API token management in Medusa Admin, eliminating the need for users to jump through hoops when wanting to use the API token authentication method.