
Passwordless Authentication for Medusa v2
Magic link authentication that just works. No passwords to remember, no credentials to steal. We built a complete passwordless login system for Medusa that's secure, scalable, and ready for production.
Anas Mahmud
Passwords Are the Problem
Every e-commerce site deals with the same authentication headaches.
Customers forget passwords, reuse them across sites, and choose weak ones that get compromised. Password reset flows create friction. Support tickets pile up.
That's why we built the Passwordless Plugin for Medusa — a magic link authentication system that eliminates passwords entirely while keeping your store secure.
What It Does
The plugin adds complete passwordless authentication to your Medusa store:
Magic Link API
A simple endpoint that generates secure, one-time login links. Customer enters their email, receives a link, clicks it, and they're in. No password required.
Redis Token Storage
Tokens are stored in Redis with automatic expiry. This means your authentication works across multiple server instances and survives restarts. For local development, it falls back to in-memory storage automatically.
Rate Limiting
Built-in protection against email spam and brute force attacks. Configurable limits per email address with proper 429 responses and retry headers.
Auto Customer Creation
First-time visitors get an account created automatically when they click their magic link. Existing customers are recognised and logged straight in.
Cart Continuity
Guest cart transfers seamlessly to the authenticated session. No lost items, no frustration.
Professional Email Templates
Beautiful, branded emails built with React Email that look great in any email client.
How We Built It
The plugin follows Medusa's patterns:
- API Routes — Store endpoints for requesting and validating magic links
- Auth Integration — Proper auth identities that work with Medusa's existing customer system
- Notification Module — Email delivery via Resend with React Email templates
- Redis Storage — Production-ready token storage with TTL expiry
No passwords stored. No credentials to leak. Your customers authenticate with just their email.
Security First
- 256-bit Tokens — Cryptographically random, practically unguessable
- One-time Use — Tokens are deleted immediately after validation
- Configurable Expiry — Default 15 minutes, adjust via environment variable
- Rate Limiting — Prevents email spam and brute force attempts
- No Email Enumeration — Always returns a success message regardless of whether the account exists
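To make the token lifecycle above concrete, here is an added TypeScript example (not the plugin's own code) covering the same flow: a 256-bit random token with a 15-minute TTL, single-use validation, per-email rate limiting with a 429 and retry value, an identical response whether or not the address has an account, and auto-creation of the customer on first login. A plain Map stands in for Redis (the in-memory fallback the post mentions); storing only a SHA-256 of the token and the one-hour rate-limit window are my assumptions, not things the post states.

```typescript
import { randomBytes, createHash } from "node:crypto";

// Constructed in-memory store standing in for Redis (the plugin's local-dev fallback);
// each entry carries an absolute expiry so TTL behaviour can be exercised offline.
type Entry = { value: string; expiresAt: number };
const store = new Map<string, Entry>();
const knownCustomers = new Set<string>(["alice@example.com"]); // constructed sample data
const EXPIRY_MS = 15 * 60 * 1000;      // MAGIC_LINK_EXPIRY_MINUTES=15
const RATE_LIMIT_PER_EMAIL = 3;        // RATE_LIMIT_MAGIC_LINK_PER_EMAIL=3
const RATE_WINDOW_MS = 60 * 60 * 1000; // assumed one-hour window, not stated in the post
const STOREFRONT_URL = "https://yourstore.com";

let now = () => Date.now();
export function setClock(fn: () => number) { now = fn; } // lets tests advance time

function get(key: string): Entry | undefined {
  const e = store.get(key);
  if (!e || e.expiresAt > now()) return e;
  store.delete(key); return undefined; // lazy TTL expiry, as Redis would do
}
// Only a SHA-256 of the token is stored (assumed hardening): a leaked Redis
// snapshot then holds nothing that works as a login link.
const tokenKey = (t: string) => "magic:" + createHash("sha256").update(t).digest("hex");
type IssueResult = { status: 200 | 429; message: string; retryAfterSec?: number; link?: string };

export function requestMagicLink(email: string): IssueResult {
  const rlKey = "rl:" + email.toLowerCase();
  const rl = get(rlKey);
  const count = rl ? Number(rl.value) : 0;
  if (count >= RATE_LIMIT_PER_EMAIL) { // 429 plus the seconds until the window resets
    return { status: 429, message: "Too many requests",
             retryAfterSec: Math.ceil((rl!.expiresAt - now()) / 1000) };
  }
  // Fixed window: TTL is set on the first hit and kept on later ones (INCR + EXPIRE NX).
  store.set(rlKey, { value: String(count + 1), expiresAt: rl ? rl.expiresAt : now() + RATE_WINDOW_MS });
  const token = randomBytes(32).toString("hex"); // 256 bits from the CSPRNG
  store.set(tokenKey(token), { value: email.toLowerCase(), expiresAt: now() + EXPIRY_MS });
  // Same message whether or not the address has an account, so nothing can be enumerated.
  // The link is returned only so the example is testable; a real handler emails it instead.
  return { status: 200, message: "If that address is valid, a login link is on its way",
           link: `${STOREFRONT_URL}/auth/callback?token=${token}` };
}

export function verifyMagicLink(token: string): { email: string; created: boolean } | null {
  const key = tokenKey(token);
  const e = get(key);
  if (!e) return null;         // unknown, expired, or already used
  store.delete(key);           // one-time use: remove before issuing a session
  const created = !knownCustomers.has(e.value);
  knownCustomers.add(e.value); // auto customer creation on first successful login
  return { email: e.value, created };
}
```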
Getting Started
Installation is straightforward:
- Add the API routes to your Medusa backend
- Configure your environment variables
- Set up the callback page in your storefront
Environment configuration:
STOREFRONT_URL=https://yourstore.com
MAGIC_LINK_EXPIRY_MINUTES=15
RATE_LIMIT_MAGIC_LINK_PER_EMAIL=3
REDIS_URL=redis://localhost:6379
The storefront integration uses server actions to keep your backend URL secure.
What's Next
We're actively developing more features:
- WebAuthn/Passkey integration
- SMS fallback for magic links
- Account linking for multiple auth methods
- Resend button with cooldown timer
Open Source
This plugin is part of our commitment to the Medusa ecosystem. Check out the code and documentation in the git repo.
We'll continue improving it based on community feedback. If you're building on Medusa and want passwordless auth, reach out — we'd love to help you get set up.


