Authentication & Account
User authentication, sessions, and account management
Manage user authentication, sessions, and account profiles using the sdk.auth and sdk.account modules.
Arky uses a magic-link email flow for admin/platform users. Request a code, verify it, and tokens are returned. Access tokens are short-lived (1 hour); refresh tokens last 7 days.
These endpoints authenticate admin/platform users (store owners, team members). For profile-facing auth in a storefront, use the CRM profile auth flow.
Authentication (sdk.auth)
Request Auth Code
Request a magic link code for email authentication.
/v1/auth/code
sdk.auth.code(params)
Parameters
| Name | Type | Description |
|---|---|---|
| email (required) | string | User email address |
```typescript
await sdk.auth.code({
  email: '[email protected]',
});
// User receives email with verification code
```
Verify Auth Code
Verify the code received via email. On success, tokens are automatically set.
/v1/auth/verify
sdk.auth.verify(params)
Parameters
| Name | Type | Description |
|---|---|---|
| email (required) | string | User email address |
| code (required) | string | Verification code from email |
```typescript
const result = await sdk.auth.verify({
  email: '[email protected]',
  code: '123456',
});
// Tokens are automatically stored via setToken callback
console.log('Logged in:', result.access_token);
```
Response:
```json
{
  "access_token": "eyJhbGciOiJIUzI1NiIs...",
  "refresh_token": "eyJhbGciOiJIUzI1NiIs...",
  "expires_at": 1704067200
}
```
Refresh Token
Refresh an expired access token.
/v1/auth/refresh
sdk.auth.refresh(params)
Parameters
| Name | Type | Description |
|---|---|---|
| refresh_token (required) | string | Refresh token from previous auth |
```typescript
const result = await sdk.auth.refresh({
  refresh_token: 'eyJhbGciOiJIUzI1NiIs...',
});
console.log('New access token:', result.access_token);
```
Store Authentication
For multi-tenant applications, authenticate users against a specific store.
Request Store Auth Code
/v1/stores/{storeId}/auth/code
sdk.auth.storeCode(storeId, params)
Parameters
| Name | Type | Description |
|---|---|---|
| storeId (required) | string | Store ID to authenticate against |
| email (required) | string | User email address |
```typescript
await sdk.auth.storeCode('store_abc123', {
  email: '[email protected]',
});
// Profile receives email with code
```
Verify Store Auth Code
/v1/stores/{storeId}/auth/verify
sdk.auth.storeVerify(storeId, params)
Parameters
| Name | Type | Description |
|---|---|---|
| storeId (required) | string | Store ID |
| email (required) | string | User email address |
| code (required) | string | Verification code from email |
```typescript
const result = await sdk.auth.storeVerify('store_abc123', {
  email: '[email protected]',
  code: '123456',
});
// Tokens are automatically stored
console.log('Profile logged in');
```
Account Management (sdk.account)
Get Current User
Get the authenticated user’s profile.
/v1/accounts/me
sdk.account.getMe(params)
```typescript
const user = await sdk.account.getMe({});
console.log('User ID:', user.id);
console.log('Email:', user.email);
console.log('Memberships:', user.memberships);
```
Response:
```json
{
  "id": "acc_abc123",
  "email": "[email protected]",
  "memberships": [
    {
      "store_id": "store_123",
      "role": "Admin",
      "joined_at": 1704067200
    }
  ],
  "api_tokens": [
    { "id": "tok_1", "name": "CI", "created_at": 1704067200, "expires_at": null }
  ],
  "auth_tokens": [
    {
      "id": "auth_1",
      "created_at": 1704067200,
      "last_used_at": 1704070000,
      "access_expires_at": 1704070800,
      "refresh_expires_at": 1704672000,
      "is_verified": true,
      "user_agent": "Mozilla/5.0 ..."
    }
  ]
}
```
Update Account
Update the current user’s account. Currently supports managing API tokens.
/v1/accounts
sdk.account.updateAccount(params)
Parameters
| Name | Type | Description |
|---|---|---|
| api_tokens (optional) | object[] | API tokens to create or update |
```typescript
const result = await sdk.account.updateAccount({
  api_tokens: [
    { name: 'My API Key' }
  ],
});
// Returns newly created tokens
console.log(result.newlyCreatedTokens);
```
Search Accounts
Search for accounts (admin function).
/v1/accounts/search
sdk.account.searchAccounts(params)
Parameters
| Name | Type | Description |
|---|---|---|
| query (optional) | string | Search query |
| owner (optional) | string | Filter by owner |
| limit (optional) | number | Items per page |
| cursor (optional) | string | Pagination cursor |
```typescript
const result = await sdk.account.searchAccounts({
  query: 'john',
  limit: 20,
});
result.items.forEach(account => {
  console.log(account.email, account.id);
});
```
Delete Account
Permanently delete the current user’s account.
/v1/accounts
sdk.account.deleteAccount(params)
This action is irreversible. All user data will be permanently deleted.
```typescript
await sdk.account.deleteAccount({});
```
Sessions & API Tokens
Each successful verify / storeVerify call issues a new AuthToken stored on the account. The getMe() response includes:
- auth_tokens: active session tokens (access/refresh pairs). Each may carry a user_agent string recorded when the session was created, so users can identify devices.
- api_tokens: long-lived API tokens created via updateAccount({ api_tokens }), used for server-to-server auth via the Authorization: Bearer header.
Use api_tokens for backend integrations (CI/CD, workflows, webhooks). Use the magic-link flow (auth_tokens) for interactive admin sessions.
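An added example, not part of the Arky SDK or its documentation: a review of the auth_tokens and api_tokens arrays returned by getMe(), flagging non-expiring or old API tokens and sessions that are unverified, carry no user_agent, or are idle but still refreshable. It assumes timestamps are Unix seconds; the function name, thresholds and issue labels are hypothetical.

```javascript
// Added example: audit the sessions and API tokens in a getMe() response.
// Assumes timestamps are Unix seconds; thresholds are illustrative policy values.
const DAY = 86400;

function auditAccount(me, nowSec, opts = {}) {
  const idleDays = opts.idleDays ?? 3;            // hypothetical threshold
  const maxApiAgeDays = opts.maxApiAgeDays ?? 90; // hypothetical threshold
  const findings = [];
  const flag = (kind, id, issue) => findings.push({ kind, id, issue });

  for (const t of me.api_tokens ?? []) {
    if (t.expires_at == null) flag('api_token', t.id, 'no_expiry');
    if (nowSec - t.created_at > maxApiAgeDays * DAY) {
      flag('api_token', t.id, 'rotation_overdue');
    }
  }

  for (const s of me.auth_tokens ?? []) {
    if (s.refresh_expires_at <= nowSec) continue; // can no longer be refreshed
    if (!s.is_verified) flag('session', s.id, 'unverified');
    if (!s.user_agent) flag('session', s.id, 'no_user_agent');
    const lastSeen = s.last_used_at ?? s.created_at;
    if (nowSec - lastSeen > idleDays * DAY) {
      flag('session', s.id, 'idle_but_refreshable');
    }
  }
  return findings;
}

// Constructed sample shaped like the getMe() response; auth_2 is invented here.
const sampleMe = {
  id: 'acc_abc123',
  api_tokens: [{ id: 'tok_1', name: 'CI', created_at: 1704067200, expires_at: null }],
  auth_tokens: [
    { id: 'auth_1', created_at: 1704067200, last_used_at: 1704070000,
      access_expires_at: 1704070800, refresh_expires_at: 1704672000,
      is_verified: true, user_agent: 'Mozilla/5.0 ...' },
    { id: 'auth_2', created_at: 1704067200, last_used_at: 1704067200,
      access_expires_at: 1704070800, refresh_expires_at: 1704672000,
      is_verified: false },
  ],
};

const sampleNow = 1704067200 + 5 * DAY; // five days after the sessions began
const sampleFindings = auditAccount(sampleMe, sampleNow);
console.log(sampleFindings.map((f) => `${f.kind} ${f.id}: ${f.issue}`).join('\n'));
```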
Complete Auth Flow Example
```typescript
import { createSdk } from '@arky/sdk';

// Initialize SDK with token management.
// Tokens kept in localStorage are readable by any script running on this origin.
const sdk = createSdk({
  storeId: 'store_abc123',
  getToken: async () => {
    const stored = localStorage.getItem('arky_tokens');
    return stored ? JSON.parse(stored) : null;
  },
  setToken: async (tokens) => {
    if (tokens) {
      localStorage.setItem('arky_tokens', JSON.stringify(tokens));
    } else {
      localStorage.removeItem('arky_tokens');
    }
  },
});

// Login flow, step 1: request code
async function login(email: string) {
  await sdk.auth.storeCode('store_abc123', { email });
  // Show code input to user...
}

// Step 2: verify code; tokens are automatically stored via setToken
async function verifyLogin(email: string, code: string) {
  await sdk.auth.storeVerify('store_abc123', { email, code });
  return await sdk.account.getMe({});
}

// Logout: removes the locally stored tokens
function logout() {
  localStorage.removeItem('arky_tokens');
}
```