orcaqubits/medusa-customers
dist/cursor/medusa-commerce/skills/medusa-customers/SKILL.md
Manage Medusa v2 customers — customer profiles, email and social authentication, customer groups, addresses, and account management. Use when working with customer data and auth.
$ install --global
skillsauthnpx skillsauth add orcaqubits/agentic-commerce-claude-plugins medusa-customersInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 9, 2026, 7:02 AM195.5s1 file scanned
SKILL.md
- name:
- medusa-customers
- description:
- >
Medusa v2 Customer Management
Before writing code
Fetch live docs:
- Web-search
site:docs.medusajs.com customer modulefor customer data model and service methods - Web-search
site:docs.medusajs.com auth modulefor authentication providers and flows - Web-search
site:docs.medusajs.com customer groupfor group management and pricing rules - Fetch
https://docs.medusajs.com/resources/references/customerand review theICustomerModuleServiceinterface - Web-search
medusajs v2 auth provider social login 2026for latest authentication patterns
Customer Data Model
Entity Relationships
| Entity | Relationship | Key Fields | |--------|-------------|------------| | Customer | Root | email, first_name, last_name, phone, has_account, metadata | | Addresses[] | Customer → many | address fields, country_code, is_default_shipping/billing | | CustomerGroups[] | Customer ↔ many | Many-to-many group membership | | Orders[] | Customer → many (link) | Via Order Module link |
Key Fields
| Field | Type | Description |
|-------|------|-------------|
| email | string | Unique identifier for the customer |
| has_account | boolean | true for registered, false for guest |
| first_name / last_name | string | Customer name |
| phone | string | Phone number |
| metadata | JSONB | Custom key-value data |
Authentication Architecture
Medusa v2 separates customer identity from authentication via the Auth Module:
Auth Module
├── AuthIdentity
│ ├── provider_identities[] (emailpass, google, github...)
│ └── app_metadata (linked customer_id)
└── Auth Providers (built-in + custom)
Authentication Flow
Register/Login ──> Auth Module validates ──> JWT token
──> Token includes auth_identity_id ──> Linked to customer_id
Auth Provider Comparison
| Provider | Type | Configuration |
|----------|------|---------------|
| emailpass | Built-in | No external config needed |
| google | OAuth2 | Client ID + secret |
| github | OAuth2 | Client ID + secret |
| Custom | Extensible | Implement AbstractAuthModuleProvider |
Email + Password Flow
| Step | Endpoint | Purpose |
|------|----------|---------|
| Register | /auth/customer/emailpass/register | Create auth identity |
| Login | /auth/customer/emailpass | Authenticate, get token |
| Create customer | /store/customers | Create customer profile (with token) |
Social Login Flow (OAuth2)
| Step | Endpoint | Purpose |
|------|----------|---------|
| Initiate | /auth/customer/{provider} | Get redirect URL |
| Callback | /auth/customer/{provider}/callback | Exchange code for token |
| Create/Link | /store/customers | Create or link customer profile |
Fetch live docs for OAuth2 callback handling, redirect URIs, and token exchange flow.
Customer Groups
| Field | Type | Description |
|-------|------|-------------|
| name | string | Group name (e.g., "VIP", "Wholesale") |
| metadata | JSONB | Custom group data |
| customers | relation | Many-to-many with customers |
Use Cases
| Use Case | Mechanism | |----------|-----------| | Group-specific pricing | Price List rules linked to customer groups | | Conditional promotions | Promotion rules targeting customer groups | | Access control | Custom middleware checking group membership |
Key Service Methods
| Operation | Method |
|-----------|--------|
| Create group | customerModuleService.createCustomerGroups() |
| Add to group | customerModuleService.addCustomerToGroup() |
| Remove from group | customerModuleService.removeCustomerFromGroup() |
| List groups | customerModuleService.listCustomerGroups() |
Address Management
| Field | Required | Notes |
|-------|----------|-------|
| first_name / last_name | Yes | |
| address_1 | Yes | Street address |
| city | Yes | |
| country_code | Yes | ISO 2-letter code |
| postal_code | Conditional | Required by country |
| is_default_shipping / is_default_billing | No | Default flags |
| Workflow | Purpose |
|----------|---------|
| createCustomerAddressesWorkflow | Add new address |
| updateCustomerAddressesWorkflow | Update existing address |
| deleteCustomerAddressesWorkflow | Remove address |
Store API Routes
| Route Pattern | Method | Purpose |
|---------------|--------|---------|
| /store/customers | POST | Create customer profile |
| /store/customers/me | GET | Retrieve authenticated customer |
| /store/customers/me | POST | Update customer profile |
| /store/customers/me/addresses | GET/POST | List/add addresses |
| /store/customers/me/addresses/:id | POST/DELETE | Update/remove address |
All /store/customers/me routes require a valid JWT in the Authorization header.
Admin API Routes
| Route Pattern | Method | Purpose |
|---------------|--------|---------|
| /admin/customers | GET/POST | List/create customers |
| /admin/customers/:id | GET/POST | Retrieve/update customer |
| /admin/customer-groups | GET/POST | Manage groups |
| /admin/customer-groups/:id/customers | POST | Add customers to group |
Fetch live docs for request body shapes and query parameters on each route.
Best Practices
Authentication
- Use the Auth Module for all authentication -- never implement custom auth logic outside it
- Support both
emailpassand at least one OAuth2 provider for user convenience - Store provider-specific data in
provider_identities, not in customer metadata - Always link auth identities to customer profiles via
app_metadata.customer_id
Customer Data
- Use
has_accountto distinguish registered customers from guest checkouts - Store loyalty points, preferences, and custom attributes in
metadata - Use customer groups for segmentation -- avoid duplicating group logic in app code
Address Management
- Validate addresses against country-specific requirements (postal code formats)
- Set
is_default_shippingandis_default_billingto streamline checkout
Security
- Validate JWT tokens on every authenticated request
- Scope Store API customer data to the authenticated customer only
- Never expose customer lists or group memberships via the Store API
Fetch the Medusa v2 customer module and auth module documentation for exact service method signatures, auth provider configuration, and JWT handling before implementing.
Related Skills
orcaqubits/spree-headless-storefront
development
VerifiedTrustedCommunity
Build with Spree's headless Next.js storefront — the official `spree/storefront` repo (Next.js 16 App Router with Server Actions and Turbopack, React 19 Server Components, Tailwind CSS 4, TypeScript 5, `@spree/sdk`, Sentry), server-only auth (httpOnly JWT cookies + publishable key), MeiliSearch faceted catalog, one-page checkout with Apple/Google Pay/Klarna/Affirm/SEPA, multi-region market routing, GA4 + JSON-LD SEO, and Vercel/Docker deployment. Use when forking or customizing the storefront, or evaluating headless adoption.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-extensions
tools
VerifiedTrustedCommunity
Build Spree extensions as Rails engines — gem scaffolding, `bin/rails g spree:extension`, mounting routes/migrations/assets, the modern `prepend` decorator pattern (`*_decorator.rb` with `self.prepended(base)`), generators (`spree:model_decorator`, `spree:controller_decorator`), the four customization surfaces in preference order (Events > Webhooks > Dependencies > Decorators), Spree::Dependencies for swapping service objects, gem release/versioning, and the deprecated Deface engine. Use when building a reusable Spree extension or adding non-trivial customization to an app.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-events-webhooks
development
VerifiedTrustedCommunity
Build with Spree's event bus and Webhooks 2.0 — `Spree::Events` publication, `Spree::Subscriber` DSL with `subscribes_to` and `on`, wildcard matching, lifecycle events (`{model}.created/.updated/.deleted` via `publishes_lifecycle_events`), the canonical event catalog (order.*, payment.*, shipment.*, product.*), Webhooks 2.0 endpoints, HMAC-SHA256 signing (`X-Spree-Webhook-Signature`), exponential-backoff retries, and Sidekiq job orchestration. Use when wiring event-driven business logic, building webhook consumers, or replacing ActiveSupport callback chains.
27SKILL.mdUpdated May 14, 2026
orcaqubits/spree-dev-patterns
tools
VerifiedTrustedCommunity
Cross-cutting Spree development patterns — the customization preference hierarchy (Events > Webhooks > Dependencies > Decorators), `Spree::Dependencies` service-object swapping, the `_decorator.rb` + `prepend` + `self.prepended` idiom, idempotent subscribers and webhook receivers, multi-store scoping discipline, prefixed IDs, calculator polymorphism (shipping/promotion/tax share the base), service-object composition with `dry-monads` or simple results, why to avoid `class_eval` reopening and Deface, and Spree-on-Rails idioms (Hotwire/Turbo Stimulus, ActiveStorage, Action Cable, Sidekiq). Use when designing the architecture of a Spree extension or solving cross-cutting concerns.
27SKILL.mdUpdated May 14, 2026