New and improved authentication methods

Sep 29, 2023 by Oliver Juhl

In collaboration with our community, we have improved support for Admin authentication by introducing three separate approaches: Session, API Token, and Bearer Authentication.
We are excited to announce new and improved authentication methods in Medusa, built in collaboration with community contributor David Preininger.
This update introduces a new authentication method and establishes a clear separation between the now three supported methods: Session, API Token, and Bearer Authentication. The separation will make it more obvious what to use for different cases. Whether your focus is server-side communication or SPAs, our authentication primitives will meet your needs.

Authentication methods

Following this update, Medusa supports three authentication methods, each of which fits a specific use case.

Session

Our session authentication remains unchanged. This method is suitable for traditional server-side rendered web applications, such as webshops, because of its user-friendliness. Users sign in once, and the authenticated session is maintained throughout the rest of the user’s journey browsing the application.

API token

Our API token authentication method has been slightly updated to follow best practices and established conventions. Specifically, the token is no longer sent in the Authorization header with a prefix; it now goes in a custom header tightly coupled with Medusa. The Authorization header is, not shockingly, reserved for bearer authentication. This method is suitable for server-to-server communication without direct user involvement.
The original post shows a screenshot of a request using API key authentication at this point.
This is the only breaking change in version 1.17.0.

Bearer token

Bearer token authentication is a new method that uses JSON Web Tokens (JWTs), making it a suitable choice for Jamstack applications. Use this type of authentication when serving content from an API to different clients, such as SPAs or mobile applications. Because no cookie is involved, this method also sidesteps the cookie constraints browsers impose.

The power of building in public

This is yet another demonstration of the power of building open-source software. Our new and improved authentication methods were completed by David Preininger, who specializes in building customizable ecommerce solutions.
Thanks to David for his contribution. If you wish to contribute or have feature requests for Medusa, you are always welcome to contact our core maintainers.

What’s next

There are several possible follow-up improvements to the authentication system or applications that use it. We will likely update Medusa Admin to use JWT Bearer authentication as this is more suitable for the aforementioned reasons.
Furthermore, David is working on incorporating these changes into the Medusa Authentication plugin built by core Medusa engineer Adrien. The plugin allows merchants to use additional authentication providers, including Google and Auth0.
Finally, we are considering implementing two additional features to enhance the system's flexibility and capabilities further.
Firstly, we aim to add native support for extending the authentication system with custom methods. This will allow for a more seamless integration of authentication methods specific to your business.
Secondly, we plan to introduce API token management in Medusa Admin, eliminating the need for users to jump through hoops when wanting to use the API token authentication method.
