
Authentication

Quark Commerce uses JWT (JSON Web Tokens) for authentication. The auth endpoints are at /api/auth/. A successful login returns an access token and a refresh token; send the access token on protected requests in the Authorization header as Bearer <accessToken>.

Auth Flow

Endpoints

Register

POST /api/auth/register
Content-Type: application/json

{
"email": "user@example.com",
"password": "SecurePassword123!",
"firstName": "John",
"lastName": "Doe"
}

Response: 200 OK

{ "message": "Registration successful" }

Login

POST /api/auth/login
Content-Type: application/json

{
"email": "user@example.com",
"password": "SecurePassword123!"
}

Response: 200 OK

{
"accessToken": "eyJhbGciOiJIUzI1NiIs...",
"refreshToken": "dGhpcyBpcyBhIHJlZnJlc2g...",
"user": {
"id": "guid",
"email": "user@example.com",
"firstName": "John",
"lastName": "Doe",
"roles": ["Customer"]
}
}

Change Password

POST /api/auth/change-password
Authorization: Bearer <token>
Content-Type: application/json

{
"currentPassword": "OldPassword123!",
"newPassword": "NewPassword456!"
}

Forgot Password

POST /api/auth/forgot-password
Content-Type: application/json

{
"email": "user@example.com",
"resetBaseUrl": "https://store.example.com/reset-password"
}

If the email belongs to an account, the API sends a password reset email with a link of the form {resetBaseUrl}?token={token}. The response is the same success response whether or not the email exists, so the endpoint cannot be used to enumerate registered addresses. Treat resetBaseUrl as untrusted input: the server should accept only origins it already knows (your storefront domains), because a link built from an attacker-chosen base URL would deliver the user's reset token to that host when the link is clicked.

Reset Password

POST /api/auth/reset-password
Content-Type: application/json

{
"token": "reset-token-from-email",
"newPassword": "NewSecurePassword789!"
}

Security Best Practices

Recommended Token Storage
  • Access token: keep it in memory only (a JavaScript variable or closure). Never write it to localStorage or sessionStorage; any script running in the page, including injected script, can read both.
  • Refresh token: keep it in a cookie flagged HttpOnly, Secure and SameSite. Only a server can set the HttpOnly flag (via the Set-Cookie response header); page script cannot. Because the login response returns refreshToken in the JSON body, the cookie has to be set by the server component that receives that response, for example your own backend in front of the API.
  • Together these limit what an XSS payload can steal: it cannot read an HttpOnly cookie, and the in-memory access token is gone on page reload. Note the limit: script running in the page while the user is logged in can still call the API with the in-memory token, so these measures reduce exfiltration and persistence, not every consequence of an XSS.

Protected Endpoints

Most storefront endpoints are public (product browsing, categories, etc.). The endpoints below require a valid access token sent as Authorization: Bearer <accessToken>; requests without one receive 401 Unauthorized.

Endpoint                            Description
GET  /api/storefront/orders         User's order history
GET  /api/storefront/basket/user    User's basket
POST /api/storefront/checkout/*     Checkout operations
GET  /api/storefront/profile        User profile
*    /api/storefront/addresses/*    Address management (all methods)
POST /api/storefront/gdpr/*         GDPR data requests

Error Responses

Status             Meaning
401 Unauthorized   Missing or invalid token
403 Forbidden      Valid token but insufficient permissions (or license issue)
400 Bad Request    Invalid request body

Clients should handle 401 and 403 differently: on 401 discard the access token and re-authenticate the user; on 403 the token itself is fine and logging in again will not help, so surface the permission or licensing problem instead.