# Authenticate customer

The `/api/authenticatecustomer/` endpoint checks whether a given customer ID/email and password combination is valid, and returns the ID of the corresponding customer.

Since the Iteras server doesn't know the origin of the parameters provided, there is no intrinsic rate limit. Hence, if you connect an internet-facing application to this endpoint, you should put in a rate limit to prevent password guessing by exhaustive search.

# Parameters

The endpoint uses POST and supports the following POST parameters; you must provide the password and either `id` or `email`:

- `id` - customer ID, e.g. `id=12345`
- `email` - customer email, e.g. `email=somebody@example.com`
- `password` - customer password, e.g. `secret`
- `preauthseconds` - request a pre-authentication token valid for the given number of seconds, e.g. `3600`

# Return value

The data returned is an object with `authenticated: true` and the ID of the customer, like this:

```json
{
  "authenticated": true,
  "id": "12345"
}
```

Or if authentication fails:

```json
{
  "authenticated": false,
  "errorcode": "unknowncustomer"
}
```

or

```json
{
  "authenticated": false,
  "errorcode": "invalidpassword"
}
```

# Pre-authentication token

If you specify `preauthseconds` and the customer is authenticated, the reply also contains a pre-auth token, e.g.:

```json
{
  "authenticated": true,
  "id": "12345",
  "preauth": "Azxd123:JOIj123:JOjOIJASDF"
}
```

This token is only valid for the number of seconds you specified. When the pre-auth token is given to the iframe-generating JS API, it causes the customer to be logged in automatically without being presented with a login screen:

```javascript
Iteras.selfserviceiframe({ profile: "myprofile", preauth: "Azxd123:JOIj123:JOjOIJASDF" })
```

This is sometimes a useful building block for a single-sign-on site.
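The following is an added example, not code from Iteras or this documentation, covering both the rate-limit advice above and the pre-auth flow. It is a server-side Node wrapper around `POST /api/authenticatecustomer/` that validates the parameters, throttles attempts per caller and per targeted account (the endpoint has no limit of its own), folds the two failure codes into one user-facing message while keeping the raw code for logs, and for a single-sign-on page returns the options the browser passes to `Iteras.selfserviceiframe`. The base URL is a placeholder, the `fetch` implementation is injected, and `stubFetch` is a constructed stand-in for the server that mirrors the reply shapes documented above, so everything runs offline.

```javascript
// Added example, not Iteras code: rate-limited wrapper around
// POST /api/authenticatecustomer/ plus a pre-auth (SSO) helper.
// The base URL is a placeholder assumption; fetch is injected so the
// module runs offline against the constructed stubFetch at the bottom.
const ITERAS_BASE_URL = "https://iteras.invalid/"; // placeholder, assumption

// Build the form body; the endpoint needs password plus either id or email.
function buildAuthBody({ id, email, password, preauthseconds }) {
  if (typeof password !== "string" || password.length === 0) throw new Error("password is required");
  if (id === undefined && email === undefined) throw new Error("either id or email is required");
  const body = new URLSearchParams();
  if (id !== undefined) body.set("id", String(id));
  if (email !== undefined) body.set("email", String(email));
  body.set("password", password);
  if (preauthseconds !== undefined) {
    const secs = Number(preauthseconds);
    if (!Number.isInteger(secs) || secs <= 0) throw new Error("preauthseconds must be a positive integer");
    body.set("preauthseconds", String(secs));
  }
  return body;
}

// Fixed-window counter per key, e.g. "client:<ip>" or "email:<address>".
class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map();
  }
  allow(key, now = Date.now()) {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    b.count += 1;
    return b.count <= this.limit;
  }
}

// Normalise the reply. "unknowncustomer" and "invalidpassword" both become the
// same user-facing message so the response cannot be used to test whether an
// address is registered; the raw code is kept for server-side logging.
function interpretResponse(reply) {
  if (reply && reply.authenticated === true && typeof reply.id === "string") {
    const result = { ok: true, id: reply.id };
    if (typeof reply.preauth === "string") result.preauth = reply.preauth;
    return result;
  }
  const code = reply && typeof reply.errorcode === "string" ? reply.errorcode : "unexpected";
  return { ok: false, userMessage: "Login failed", internalCode: code };
}

async function authenticateCustomer(params, deps) {
  const { limiter, clientKey, fetchImpl = globalThis.fetch, baseUrl = ITERAS_BASE_URL, now = Date.now() } = deps;
  const body = buildAuthBody(params);
  const subject = params.id !== undefined ? `id:${params.id}` : `email:${String(params.email).toLowerCase()}`;
  // Throttle both the caller and the targeted account.
  if (!limiter.allow(`client:${clientKey}`, now) || !limiter.allow(subject, now)) {
    return { ok: false, userMessage: "Too many attempts, try again later", internalCode: "ratelimited" };
  }
  const res = await fetchImpl(new URL("/api/authenticatecustomer/", baseUrl), {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  });
  return interpretResponse(await res.json());
}

// Server-side step of a single-sign-on page: request a short-lived pre-auth
// token and return the options the browser passes to
// Iteras.selfserviceiframe({ profile, preauth }), plus when the token lapses.
async function ssoLogin({ profile, preauthseconds = 300, ...creds }, deps) {
  const now = deps.now ?? Date.now();
  const result = await authenticateCustomer({ ...creds, preauthseconds }, { ...deps, now });
  if (!result.ok || !result.preauth) {
    return { ok: false, userMessage: result.userMessage ?? "Login failed" };
  }
  return { ok: true, iframeOptions: { profile, preauth: result.preauth }, expiresAt: now + preauthseconds * 1000 };
}

// Constructed stub standing in for the Iteras server: it knows one customer
// (id 12345 / somebody@example.com / secret) and mirrors the documented replies.
function stubFetch(url, init) {
  const p = new URLSearchParams(init.body);
  let reply;
  if (p.get("id") !== "12345" && p.get("email") !== "somebody@example.com") {
    reply = { authenticated: false, errorcode: "unknowncustomer" };
  } else if (p.get("password") !== "secret") {
    reply = { authenticated: false, errorcode: "invalidpassword" };
  } else {
    reply = { authenticated: true, id: "12345" };
    if (p.has("preauthseconds")) reply.preauth = "Azxd123:JOIj123:JOjOIJASDF";
  }
  return Promise.resolve({ json: () => Promise.resolve(reply) });
}
```

In production the `clientKey` would be the caller's source address or session, `fetchImpl` the real `fetch`, and `limiter` a shared store rather than an in-process `Map`; the limiter keys on both the caller and the targeted account so that spreading guesses across many source addresses still hits the per-account ceiling.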