Passwordless

Add SMS-based passwordless login

Medusa Plugin - Passwordless Authentication

Documentation | Website

A plugin for implementing passwordless authentication in Medusa

Features

  • 🔐 Phone number based authentication
  • 🔢 Secure verification code generation and validation
  • ⏱️ Rate limiting with maximum attempt controls
  • ⏳ Code expiration management
  • 🔌 Easy integration with existing Medusa stores

This plugin requires:

Installation

  1. Install the plugin:
npm install @devx-commerce/passwordless
  2. Add the plugin to your medusa-config.js:
{
  resolve: "@medusajs/medusa/auth",
  options: {
    providers: [
      {
        resolve: `@devx-commerce/passwordless/providers/passwordless`,
        id: "passwordless",
        options: {
          jwtSecret: "secret", // JWT secret for token generation
          limeChatOptions: {
            webhookUrl: process.env.LIMECHAT_WEBHOOK_URL,
            typeId: process.env.LIMECHAT_TYPE_ID,
          },
          // Optional configuration
          codeLength: 6, // Length of verification code (default: 4)
          codeExpiryMinutes: 10, // Code expiration time in minutes (default: 15)
          maxAttempts: 5, // Maximum verification attempts (default: 3)
          smsRateLimitMinutes: 5, // Time between SMS requests in minutes (default: 10)
        },
      },
    ],
  },
}

Configuration Options

Security Settings

  • codeLength: Length of verification code (default: 4)
  • codeExpiryMinutes: Code expiration time in minutes (default: 3)
  • maxAttempts: Maximum verification attempts (default: 3)
  • smsRateLimitMinutes: Time between SMS requests in minutes (default: 10)
  • blockDurationMinutes: Block duration after max attempts in minutes (default: 5)

How It Works

  1. Authentication Flow:
    • User provides phone number
    • System generates a secure verification code
    • User enters the code to complete authentication
  2. Security Features:
    • Rate limiting prevents abuse
    • Maximum attempt controls
    • Code expiration
    • Secure code generation

Usage

The plugin provides two main endpoints:

  1. Authentication Request
POST /auth/customer/passwordless
{
  "phone": "+1234567890"
}
  2. Verification
POST /auth/customer/passwordless/callback
{
  "phone": "+1234567890",
  "code": "1234"
}

Phone Number Format

Phone numbers must be in E.164 format:

  • Starts with '+'
  • Country code
  • National number
  • Example: +1234567890

Error Handling

The plugin provides clear error messages for various scenarios:

  • Invalid phone number format
  • Rate limit exceeded
  • Maximum attempts exceeded
  • Invalid or expired code
  • Provider-specific errors
