Client portal

Repeat buyers shouldn't have to dig through email for order links. Every published storefront gets a client portal at:

https://serront.com/s/<your-slug>/account

Buyers sign in with their email — no passwords, no account creation, no Huudis — and see every order they've placed with you.

How sign-in works (email OTP)

  1. The buyer opens /s/<slug>/account/sign-in and enters the email they ordered with.
  2. Serront emails a 6-digit code (valid 10 minutes).
  3. They type the code, and they're in for 30 days (an HttpOnly session cookie, scoped to your storefront).

Guardrails, so the codes stay safe:

  • Max 3 codes per minute per email (further requests get 429 RATE_LIMITED).
  • Max 5 wrong attempts per code — then it's burned and a fresh one must be requested.
  • The code travels only in the email body — it's never echoed by the API.
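As an added example (not Serront's code), here is a reference implementation of the sign-in steps and guardrails above: 6-digit codes valid 10 minutes, 3 requests per minute per email, 5 wrong attempts burn the code, the code is handed only to the mailer, and a successful verify mints a 30-day HttpOnly session bound to one storefront. It keeps everything in memory with an injectable clock so it runs offline; the class, method names and the cookie name are assumptions, as is matching emails case-insensitively.

```python
# Added example, not Serront's code: in-memory reference for the email-OTP
# guardrails. Names (OtpGate, client_session cookie) are assumptions.
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

CODE_TTL = 10 * 60            # code valid 10 minutes
MAX_REQUESTS_PER_MIN = 3      # per email
MAX_WRONG_ATTEMPTS = 5        # then the code is burned
SESSION_TTL = 30 * 24 * 3600  # 30-day session


class RateLimited(Exception):
    """Maps to 429 RATE_LIMITED."""


class OtpGate:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.secret = secrets.token_bytes(32)   # keys the stored code hashes
        self.pending = {}       # (slug, email) -> {"digest", "expires_at", "wrong"}
        self.requests = {}      # (slug, email) -> recent request timestamps
        self.sessions = {}      # session id -> {"slug", "email", "expires_at"}

    @staticmethod
    def _key(slug, email):
        return (slug, email.strip().lower())   # assumption: case-insensitive email match

    def _digest(self, code):
        # store a keyed hash, not the code, so a dumped table is not a login
        return hmac.new(self.secret, code.encode(), hashlib.sha256).digest()

    def request_code(self, slug, email):
        """Steps 1-2: mint the 6-digit code. Returned only so the mailer can send it;
        the HTTP response must not include it."""
        key, now = self._key(slug, email), self.clock()
        recent = [t for t in self.requests.get(key, []) if now - t < 60]
        if len(recent) >= MAX_REQUESTS_PER_MIN:
            raise RateLimited("RATE_LIMITED")
        self.requests[key] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"
        # a new request replaces any outstanding code for this email
        self.pending[key] = {"digest": self._digest(code),
                             "expires_at": now + CODE_TTL, "wrong": 0}
        return code

    def verify_code(self, slug, email, code):
        """Step 3: returns a session id on success, None otherwise (same answer for
        expired, burned, unknown and wrong, so the API leaks nothing extra)."""
        key, now = self._key(slug, email), self.clock()
        entry = self.pending.get(key)
        if entry is None or now > entry["expires_at"]:
            self.pending.pop(key, None)
            return None
        if not hmac.compare_digest(entry["digest"], self._digest(code)):
            entry["wrong"] += 1
            if entry["wrong"] >= MAX_WRONG_ATTEMPTS:
                del self.pending[key]            # burned: request a fresh code
            return None
        del self.pending[key]                    # a code is single-use
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"slug": slug, "email": key[1],
                              "expires_at": now + SESSION_TTL}
        return sid

    @staticmethod
    def session_cookie(sid):
        """Value for the Set-Cookie header: HttpOnly so page scripts cannot read it."""
        c = SimpleCookie()
        c["client_session"] = sid
        m = c["client_session"]
        m["httponly"], m["secure"], m["samesite"] = True, True, "Lax"
        m["path"], m["max-age"] = "/", SESSION_TTL
        return c.output(header="").strip()

    def session_for(self, sid, slug):
        """Storefront scoping: a session minted for one slug is unusable at another.
        Returns None rather than raising, matching the 'never 401s' style of /me."""
        s = self.sessions.get(sid)
        if s is None or s["slug"] != slug or self.clock() > s["expires_at"]:
            return None
        return {"storefrontSlug": slug, "email": s["email"]}
```

Two choices worth noting: the store keeps a keyed hash of the code rather than the code, and verify_code answers None for every failure mode so a caller cannot distinguish "expired" from "wrong" from "burned" and probe the state of someone else's sign-in.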

What buyers see

  • Orders (/s/<slug>/account) — every order with you, newest activity first, with status and payment badges. Each row links to the order's existing page (/o/<token>) — the thread, payment instructions, and proof upload all live there, same as the email link.
  • Profile (/s/<slug>/account/profile) — their name and phone, editable.
  • Sign out.

Orders are matched by email: anything the buyer ordered with that address — before or after they first signed in — shows up.

Honestly

  • The portal is scoped per storefront. A buyer with orders at two different Serront sellers signs in to each portal separately — there is no cross-seller buyer account.
  • Signing in doesn't replace the order links: /o/<token> keeps working for everyone, signed in or not. The portal is the index, not the gate.
  • It's on every plan, including Free, and there's nothing to configure — publishing your storefront is enough.

For developers

The portal rides a small public API. The portal pages use it; requests identify the storefront by slug, and authentication is the session cookie, not an API key:

Method  Path                                          Does
POST    /api/v1/client-auth/request-otp               {storefrontSlug, email} → code emailed
POST    /api/v1/client-auth/verify-otp                {storefrontSlug, email, code} → session cookie
GET     /api/v1/client-auth/me?storefrontSlug=<slug>  Session check (never 401s)
PATCH   /api/v1/client-auth/me                        Update name/phone
POST    /api/v1/client-auth/signout                   Revoke the session
GET     /api/v1/client/orders                         The signed-in buyer's orders (incl. each order's access token)
GET     /api/v1/client/profile                        The buyer's record + order count
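As an added example (not Serront's code), the following script drives the sign-in flow over the routes in the table with a cookie jar, so the cookie set by verify-otp is replayed on /me and /client/orders, and turns each order's access token into its /o/<token> link. A stub server is included, constructed so the example runs offline; the stub's response field names (ok, signedIn, orders, token), its fixed code 123456 and its 401 on /client/orders without a session are assumptions, not the documented API's shapes.

```python
# Added example, not Serront's code: cookie-jar client for the client-auth and
# client routes, plus a constructed stub server so it runs offline. Response
# field names and status codes in the stub are assumptions.
import json
import threading
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlencode, urlparse


class PortalClient:
    def __init__(self, base_url, storefront_slug):
        self.base, self.slug = base_url.rstrip("/"), storefront_slug
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))   # holds the session cookie

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        try:
            with self.opener.open(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")

    def request_otp(self, email):          # the code arrives by email, never in this response
        return self._call("POST", "/api/v1/client-auth/request-otp",
                          {"storefrontSlug": self.slug, "email": email})

    def verify_otp(self, email, code):     # success puts the session cookie in the jar
        return self._call("POST", "/api/v1/client-auth/verify-otp",
                          {"storefrontSlug": self.slug, "email": email, "code": code})

    def me(self):                          # never 401s: read the body to learn if a session exists
        return self._call("GET", "/api/v1/client-auth/me?"
                          + urlencode({"storefrontSlug": self.slug}))

    def order_links(self, public_base="https://serront.com"):
        """Turn each order's access token into its /o/<token> page link."""
        status, body = self._call("GET", "/api/v1/client/orders")
        if status != 200:
            return []
        return [f"{public_base}/o/{o['token']}" for o in body.get("orders", [])]


class _StubPortal(BaseHTTPRequestHandler):
    """Constructed stand-in: accepts code 123456 only and issues a fixed session cookie."""
    SESSION = "stub-session-id"

    def _send(self, status, body, set_cookie=None):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        if set_cookie:
            self.send_header("Set-Cookie", set_cookie)
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())

    def _signed_in(self):
        return f"client_session={self.SESSION}" in self.headers.get("Cookie", "")

    def do_POST(self):
        body = json.loads(self.rfile.read(int(self.headers.get("Content-Length", 0))) or b"{}")
        path = urlparse(self.path).path
        if path.endswith("/request-otp"):
            self._send(200, {"ok": True})              # the code itself is never echoed
        elif path.endswith("/verify-otp") and body.get("code") == "123456":
            self._send(200, {"ok": True}, f"client_session={self.SESSION}; HttpOnly; Path=/")
        elif path.endswith("/verify-otp"):
            self._send(400, {"error": "INVALID_CODE"})
        else:
            self._send(404, {})

    def do_GET(self):
        path = urlparse(self.path).path
        if path.endswith("/client-auth/me"):
            self._send(200, {"signedIn": self._signed_in()})
        elif path.endswith("/client/orders") and self._signed_in():
            self._send(200, {"orders": [{"id": "ord_1", "token": "tok_abc"}]})
        elif path.endswith("/client/orders"):
            self._send(401, {"error": "UNAUTHENTICATED"})
        else:
            self._send(404, {})

    def log_message(self, *args):   # keep the console quiet
        pass


def start_stub():
    """Serve the stub on a free localhost port in a daemon thread; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), _StubPortal)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def walkthrough(base_url, slug="acme", email="buyer@example.com", code="123456"):
    """request-otp -> verify-otp -> me -> orders; returns the buyer's order links."""
    client = PortalClient(base_url, slug)
    steps = [client.request_otp(email)[0] == 200,
             client.me()[1].get("signedIn") is False,     # no session yet, still 200
             client.verify_otp(email, code)[0] == 200,     # cookie now in the jar
             client.me()[1].get("signedIn") is True]
    return client.order_links() if all(steps) else []
```

Against the real portal, point PortalClient at https://serront.com with your slug and feed verify_otp the code from the email; the cookie jar is what makes the later calls work, since the session is a cookie and not a bearer header you could copy into another client.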

See also