Customer Authentication

When a customer is logged in, the LoyaltyLion SDK needs to authenticate them to display their information (points, rewards) and allow them to perform actions like earning points and claiming rewards.

Customer authentication is performed automatically on Shopify, BigCommerce and Magento.

Authentication in LoyaltyLion leverages your existing customer accounts so a customer doesn’t need to sign in twice or have a separate account with LoyaltyLion.

It works by generating a secure server-side Message Authentication Token (MAC) which is passed through to LoyaltyLion on the next page load. LoyaltyLion verifies the auth token and if it checks out, considers the customer authenticated.

Creating the auth token

The auth token is a SHA-1 hash of the following concatenated items, in order:

  • the customer’s unique id
  • the current date, as an ISO 8601 timestamp
  • the customer’s email address
  • your LoyaltyLion secret

This auth token must be generated server-side, that is, in your template. Your LoyaltyLion secret should never be exposed. The generated token can then be sent to the client and used in a call to loyaltylion.init or loyaltylion.authenticateCustomer to authenticate the customer.

Auth token creation example

date =
secret = 'YOUR_SECRET'

auth_token = Digest::SHA1.hexdigest( + date + + secret

Authentication after initialization

The best way to authenticate the customer is by passing the customer and auth data to the loyaltylion.init call. This ensures the customer is authenticated as soon as the LoyaltyLion SDK is ready.

If you need to authenticate the customer later, for example if they’re able to log in without a full page reload, or authentication happens after the page load, you can use the loyaltylion.authenticateCustomer method.

This method accepts the same customer and auth properties as loyaltylion.init. It needs a server-side generated auth token.

Customer authentication example

  customer: {
    id: '1001', // unique customer ID
    email: '', // customer email address
  auth: {
    date: '2018-01-01T10:00:00Z', // date in ISO8601 format
    token: 'AUTH_TOKEN', // token, generated server-side