Cartly v1.6: Customer Portal Extensibility B2B, Passwordless Login & Enterprise SSO
Cartly Team


Tags: release, v1.6, b2b, sso, passwordless, rma, customer-portal

Cartly v1.6 ships six phases of Customer Portal Extensibility — from self-serve returns and passwordless login all the way to B2B company hierarchies and enterprise SSO. Here's what's new.

Phase 1: Self-Serve Returns (RMA)

Customers can now request returns directly from their order detail page. They select which items to return, the quantity, and the reason. You review and approve or reject each request from Admin → Orders → Returns. On approval, a refund is triggered automatically and the customer is notified by email. The entire flow is powered by a Temporal workflow so no request is ever lost, even under infrastructure failures.

Phase 2: Passwordless Login

Your login page now has three paths: password, OTP, and magic link. Customers can request a 6-digit code to their email or phone (SMS via Twilio or AWS SNS), or get a signed magic link that logs them in with one click. Codes expire in 10 minutes; magic links in 15. All three methods share the same login UI — a clean tab switcher that shows only what's relevant.

Phase 3: Headless Customer API

The Storefront API (/storefront/v1/customer/*) now covers everything a headless frontend needs: read and update profile, manage saved addresses, read and manage the wishlist, list orders and returns, and issue App Session Tokens for delegated access by embedded apps. All endpoints authenticate with a Customer Access Token (CAT) issued after login.

Phase 4: Portal Extension Points

Apps can now inject UI into six slots in the customer portal: account dashboard header, account dashboard footer, order detail sidebar, return request detail, B2B company overview, and a global account sidebar. Extensions register a Liquid snippet, an iframe URL, or a remote component URL. Merchants control which extensions are active per slot from the admin panel.

Phase 5: B2B Company Hierarchy

Create company accounts with multiple locations (offices, warehouses, cost centers). Invite buyers and assign roles — Admin, Buyer, or Viewer. Set a monthly, quarterly, or yearly budget per location; Cartly resets it automatically on schedule via a Temporal workflow. Buyers see their budget balance in the portal and are blocked from placing orders that would exceed it. Full CRUD is available via /admin/companies/* and the customer-facing endpoints at /customer/company.

Phase 6: Enterprise SSO (OIDC)

Connect any OIDC-compatible identity provider to a company account — Google Workspace, Azure AD, Okta, or your own IdP. Configure the issuer URL and credentials once from the company's SSO tab. When a buyer logs in via SSO, Cartly validates the ID token, looks up the company by slug, and automatically creates or updates the membership. Client secrets are encrypted at rest.

Security

This release includes 50+ security and correctness fixes across the platform: SSRF protection on webhook URLs, the Customer Access Token (CAT) never exposed in URL parameters (the magic link carries a short-lived auth code instead, which is exchanged for the CAT), client secrets encrypted in the database, full input validation on all B2B endpoints, and cross-tenant isolation verified by Playwright E2E tests.

Developer Resources

Full API reference and integration guides are available in the Developer Portal. Help Center articles cover B2B account setup and accepting customer returns.