User
Signup
The signup mutation can be used to register and automatically authenticate a new user. Some optional arguments, such as user.langISO and user.address.countryISO, are deduced from available IP information if not provided.
mutation Signup($user: SignUpInput!) {
  signup(user: $user) {
    accessToken
    refreshToken
    user {
      firstname
      lastname
    }
  }
}
{
  "user": {
    "firstname": "John",
    "lastname": "Doe",
    "email": "john.doe@example.com",
    "password": "my-password"
  }
}
{
  "data": {
    "signup": {
      "accessToken": "USER_ACCESS_TOKEN",
      "refreshToken": "USER_REFRESH_TOKEN",
      "user": {
        "firstname": "John",
        "lastname": "Doe"
      }
    }
  }
}
Signin
The signin mutation provides multiple methods of authentication as arguments, such as credentials, refreshToken, facebookToken, etc.
mutation Signin($credentials: SignInInput) {
  signin(credentials: $credentials) {
    accessToken
    refreshToken
    user {
      firstname
      lastname
    }
  }
}
{
  "credentials": {
    "email": "john.doe@example.com",
    "password": "my-password"
  }
}
{
  "data": {
    "signin": {
      "accessToken": "USER_ACCESS_TOKEN",
      "refreshToken": "USER_REFRESH_TOKEN",
      "user": {
        "firstname": "John",
        "lastname": "Doe"
      }
    }
  }
}
The accessToken from the response can then be set in the HTTP Authorization header to perform authenticated requests:
{
  "Authorization": "Bearer USER_ACCESS_TOKEN"
}
Anonymous Session
Some authenticated API paths allow the use of a temporary session that can be associated with a newly created account in the future (e.g. Cart operations).
An Anonymous Session is created by using the signin mutation without arguments.
mutation Signin {
  signin {
    accessToken
    refreshToken
    anonymous
    user {
      firstname
      lastname
    }
  }
}
{
  "data": {
    "signin": {
      "accessToken": "ACCESS_TOKEN",
      "refreshToken": "REFRESH_TOKEN",
      "anonymous": "c8cf2519-1d3c-4812-ab56-12f6062ab731",
      "user": null
    }
  }
}
To upgrade the Anonymous Session into a regular user account, the signup mutation should be called with the HTTP Authorization header containing the accessToken of the Anonymous Session.
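The upgrade flow described above, as an added example that is not part of this API's own documentation: it signs in anonymously, then calls signup with the anonymous accessToken in the Authorization header. The `send` transport, the JSON `query`/`variables` request body and the fail-closed error handling are assumptions.

```python
import json

# Mutations as shown on this page; SIGNIN_ANON is signin without arguments.
SIGNIN_ANON = ("mutation Signin { signin { accessToken refreshToken anonymous "
               "user { firstname lastname } } }")
SIGNUP = ("mutation Signup($user: SignUpInput!) { signup(user: $user) "
          "{ accessToken refreshToken user { firstname lastname } } }")


def build_request(query, variables=None, access_token=None):
    """Return (headers, body) for one GraphQL POST (assumed JSON transport).

    The token travels only in the Authorization header, never in the body,
    and user input goes in variables rather than being spliced into the query.
    """
    headers = {"Content-Type": "application/json"}
    if access_token:
        headers["Authorization"] = f"Bearer {access_token}"
    return headers, json.dumps({"query": query, "variables": variables or {}})


def read_field(response_text, field):
    """Parse a GraphQL response and return data[field], failing closed."""
    payload = json.loads(response_text)
    if payload.get("errors"):
        # Surface the server message only; the request may hold a password.
        raise RuntimeError(payload["errors"][0].get("message", "GraphQL error"))
    result = (payload.get("data") or {}).get(field)
    if not result or not result.get("accessToken"):
        raise RuntimeError(f"{field}: no accessToken in response")
    return result


def upgrade_anonymous_session(send, user):
    """Run both steps; send(headers, body) -> response text is hypothetical."""
    # Step 1: no arguments and no Authorization header -> Anonymous Session.
    anon = read_field(send(*build_request(SIGNIN_ANON)), "signin")
    # Step 2: signup authenticated with the anonymous accessToken.
    headers, body = build_request(SIGNUP, {"user": user}, anon["accessToken"])
    account = read_field(send(headers, body), "signup")
    # The signup response carries the new account's own tokens.
    return anon["anonymous"], account
```
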
Password Reset
The password reset process is started with the retrievePassword mutation, which emails the user a URL containing a token.
mutation PasswordReset {
  retrievePassword(email: "john.doe@example.com")
}
{
  "data": {
    "retrievePassword": true
  }
}
When the user navigates to the URL, you can retrieve the token parameter and use it in the updateCredentials mutation as a validator:
mutation UpdateCredentials {
  updateCredentials(
    password: {
      value: "new password"
      validator: {
        token: "token_received_in_email"
      }
    }
  ) {
    password
  }
}
{
  "data": {
    "updateCredentials": {
      "password": true
    }
  }
}