interface AuthOptions {
  disableAuth?: boolean;
  tokenMethod?: 'cookie' | 'bearer';
  sessionSecret?: string;
  cookieOptions?: CookieOptions;
  authTokenHeaderKey?: string;
  sessionDuration?: string | number;
  sessionCacheStrategy?: SessionCacheStrategy;
  sessionCacheTTL?: number;
  requireVerification?: boolean;
  verificationTokenDuration?: string | number;
  superadminCredentials?: SuperadminCredentials;
  shopAuthenticationStrategy?: AuthenticationStrategy[];
  adminAuthenticationStrategy?: AuthenticationStrategy[];
  customPermissions?: PermissionDefinition[];
}

Disable authentication & permissions checks. NEVER set the to true in production. It exists only to aid certain development tasks.

Sets the method by which the session token is delivered and read.

• ‘cookie’: Upon login, a ‘Set-Cookie’ header will be returned to the client, setting a cookie containing the session token. A browser-based client (making requests with credentials) should automatically send the session cookie with each request.
• ‘bearer’: Upon login, the token is returned in the response and should be then stored by the client app. Each request should include the header Authorization: Bearer <token>.

Note that if the bearer method is used, Vendure will automatically expose the configured authTokenHeaderKey in the server’s CORS configuration (adding Access-Control-Expose-Headers: vendure-auth-token by default).

Deprecated use cookieConfig.secret instead.

The secret used for signing the session cookies for authenticated users. Only applies when tokenMethod is set to ‘cookie’.

In production applications, this should not be stored as a string in source control for security reasons, but may be loaded from an external file not under source control, or from an environment variable, for example.

Options related to the handling of cookies when using the ‘cookie’ tokenMethod.

Sets the header property which will be used to send the auth token when using the ‘bearer’ method.

Session duration, i.e. the time which must elapse from the last authenticated request after which the user must re-authenticate.

Expressed as a string describing a time span per zeit/ms. Eg: 60, '2 days', '10h', '7d'

This strategy defines how sessions will be cached. By default, sessions are cached using a simple in-memory caching strategy which is suitable for development and low-traffic, single-instance deployments.

The “time to live” of a given item in the session cache. This determines the length of time (in seconds) that a cache entry is kept before being considered “stale” and being replaced with fresh data taken from the database.

Determines whether new User accounts require verification of their email address.

If set to “true”, when registering via the registerCustomerAccount mutation, one should not set the password property - doing so will result in an error. Instead, the password is set at a later stage (once the email with the verification token has been opened) via the verifyCustomerAccount mutation.

Sets the length of time that a verification token is valid for, after which the verification token must be refreshed.

Expressed as a string describing a time span per zeit/ms. Eg: 60, '2 days', '10h', '7d'

Configures the credentials to be used to create a superadmin

Configures one or more AuthenticationStrategies which defines how authentication is handled in the Shop API.

Configures one or more AuthenticationStrategy which defines how authentication is handled in the Admin API.

Allows custom Permissions to be defined, which can be used to restrict access to custom GraphQL resolvers defined in plugins.