Register flow

Before relying on this page, read the sections "Why this shape" and "Reference example and production readiness" on Authentication. They explain why the default BFF-centred pattern exists, how you can extend or replace it, and what the reference implementation does and does not promise for production.

This page covers registration: the customer is created through the auth integration. The BFF does not set logged-in session cookies on this response; the user signs in separately. The request body must satisfy RegisterRequestSchema. For logging and cart context, the controller in auth.controller.ts wraps the handler with handleAuthWithCartSetup, the same as for login.

Register process

  1. CSRF token — Same flow as Login flow.

  2. Registration request — Send POST /auth/register with a body that matches the contract, for example:

    • email, password, firstName, lastName
    • acceptTerms — must be true
    • Optional salutation — see allowed values in Config & constants / SALUTATION_OPTIONS in the accelerator
    • Optional dateOfBirth — ISO date or empty string

    Include the CSRF header and matching cookie.

  3. CSRF validation — Same as login.

  4. Customer creation — AuthService.register delegates to the integration register service.

  5. Response — Success does not create a logged-in session; the user should complete Login flow next.

Error handling

  • Duplicate email — 409 Conflict.
  • Validation errors — 400 Bad Request.
  • CSRF mismatch — 403 Forbidden.
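
The checks from the register process and the error handling list above, as an added TypeScript sketch (not the accelerator's code and not RegisterRequestSchema itself). The function names, the check order (CSRF, then body, then duplicate), the YYYY-MM-DD reading of "ISO date", and the salutation and existing-email lists passed in are assumptions made for illustration.

```typescript
// Added illustration, not SHOPin code; every name below is hypothetical.
type RegisterBody = {
  email?: unknown; password?: unknown; firstName?: unknown; lastName?: unknown;
  acceptTerms?: unknown; salutation?: unknown; dateOfBirth?: unknown;
};
type Outcome = { ok: true; status: null } | { ok: false; status: 400 | 403 | 409 };

// Constant-time comparison, so timing does not reveal how much of a token matched.
function tokensMatch(a: string, b: string): boolean {
  if (a.length === 0 || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

const nonEmpty = (v: unknown): boolean => typeof v === "string" && v.trim().length > 0;

// Accepts "" or a real calendar date as YYYY-MM-DD (assumed reading of "ISO date").
function validDateOfBirth(v: unknown): boolean {
  if (v === undefined || v === "") return true;
  if (typeof v !== "string" || !/^\d{4}-\d{2}-\d{2}$/.test(v)) return false;
  const d = new Date(v + "T00:00:00Z");
  return !isNaN(d.getTime()) && d.toISOString().slice(0, 10) === v;
}

function checkRegister(
  csrfHeader: string | undefined,
  csrfCookie: string | undefined,
  body: RegisterBody,
  salutations: string[],    // stand-in for SALUTATION_OPTIONS
  existingEmails: string[], // stand-in for the integration's duplicate lookup
): Outcome {
  if (!csrfHeader || !csrfCookie || !tokensMatch(csrfHeader, csrfCookie))
    return { ok: false, status: 403 };
  const salutationOk = body.salutation === undefined ||
    (typeof body.salutation === "string" && salutations.indexOf(body.salutation) !== -1);
  const fieldsOk = nonEmpty(body.email) && nonEmpty(body.password) &&
    nonEmpty(body.firstName) && nonEmpty(body.lastName) &&
    body.acceptTerms === true && salutationOk && validDateOfBirth(body.dateOfBirth);
  if (!fieldsOk) return { ok: false, status: 400 };
  // Case-insensitive duplicate match is an assumption of this sketch.
  const email = String(body.email).trim().toLowerCase();
  if (existingEmails.indexOf(email) !== -1) return { ok: false, status: 409 };
  return { ok: true, status: null }; // no session cookie here; the user logs in next
}
```

The success branch returns no HTTP status because this page does not state one.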
