Passing Authentication from Third-Party Platforms to a Native App

Written by Customer Success
Updated over 3 weeks ago

When creators tap Edit Storefront from the LoudCrowd Creator Hub, your native app needs to seamlessly recognize and authenticate them—without making them log in again. This guide covers the two supported authentication methods for native mobile apps:

  • Method 1: Authenticate creators via LoudCrowd + deep links

  • Method 2: Authenticate directly with the native app, pass to LoudCrowd using HMAC signatures

Both approaches allow creators or customers to securely edit their storefronts inside your mobile experience.


Overview

LoudCrowd supports two patterns for mobile authentication:

  1. Pass the LoudCrowd authentication session into your app using Universal / App Links.
    This works when creators authenticate through our web experience, and your app simply needs to pick up the authentication payload.

  2. Use the LoudCrowd Mobile SDK’s customer authentication flow.
    This is ideal when your native app directly manages authentication and communicates with your backend.

Choose the approach that best aligns with how your app authenticates users today.


Method 1: Use LoudCrowd Auth + Deep Links (Recommended for Creators)

How It Works

  1. A creator authenticates in the LoudCrowd Creator Hub.

  2. A creator taps Edit Storefront from the LoudCrowd Creator Hub.

  3. LoudCrowd redirects the creator to a storefront URL on your brand domain.
    Example:
    https://brand.com/pages/storefront?auth_params=...

  4. If your mobile app is installed:

    • iOS Universal Links or Android App Links activate

    • Your app opens directly

    • The full URL (including authentication parameters) is passed into your app

  5. Your app extracts the parameters and authenticates the creator using the LoudCrowd Mobile SDK.


Prerequisites

iOS Universal Links

  • Set up App Links for the same brand domain

  • Must also include the storefront page URL

Once configured, the storefront page becomes the handoff point for all creator authentication.


Implementation

1. Receive the Deep Link

When the app opens, capture and parse the full URL.

The URL contains authentication parameters needed to identify the creator.

iOS (Swift)

    func application(_ application: UIApplication,
                     continue userActivity: NSUserActivity,
                     restorationHandler: @escaping ([UIUserActivityRestoring]?) -> Void) -> Bool {
        guard userActivity.activityType == NSUserActivityTypeBrowsingWeb,
              let url = userActivity.webpageURL else {
            return false
        }

        // url contains storefront link with authentication parameters
        handleLoudCrowdAuthentication(url: url)
        return true
    }

Android (Kotlin)

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        intent?.data?.let { url ->
            // url contains storefront link with authentication parameters
            handleLoudCrowdAuthentication(url)
        }
    }


Security Considerations

  • Only process the deep link once—discard it after authentication.

  • Avoid caching or persisting the URL in logs or analytics.


Method 2: Authenticate with the LoudCrowd Mobile SDK (HMAC Flow)

If your app authenticates customers directly (e.g., logged-in mobile users), you can authenticate them to LoudCrowd using an HMAC-signed payload created by your backend.

This method is ideal for eCommerce apps where customers already have a native session.


Authentication Flow

1. Generate an HMAC Signature (Backend)

Your backend creates a signed payload that proves the customer’s identity to LoudCrowd.

Payload structure:

    {
      "customer_id": "123",
      "timestamp": 1234567890
    }

Steps:

  1. Create a JSON payload with:

    • customer_id

    • Current Unix timestamp

  2. Generate an HMAC-SHA256 signature using your shared secret with LoudCrowd.

  3. Return:

    • Raw JSON payload string

    • HMAC signature string

⚠️ Important: Timestamps must be current. Old signatures will be rejected to protect against replay attacks.


2. Authenticate Through the Mobile SDK

Inside your app, send both values to the LoudCrowd SDK:

loudcrowd.authenticateStoreCustomer(data, hmac)

Parameters:

  • data — Raw JSON string exactly as used when generating the signature

  • hmac — HMAC-SHA256 signature generated by your backend

Returns:

A JWT token that allows the customer to edit their storefront.

Time Sensitivity:

Authentication must occur shortly after generating the HMAC. Delays can cause expiration.


3. SDK Validation

The SDK:

  • Verifies the signature

  • Confirms the customer exists

  • Issues a scoped, time-limited JWT token for storefront editing
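
The backend signing step and the signature and freshness checks described above, as an added example that is not LoudCrowd's code. Assumptions: the signature is hex-encoded, the freshness window is 300 seconds, and the secret and function names are placeholders; confirm the actual encoding and window with LoudCrowd.

```python
import hashlib
import hmac
import json
import time

# Assumption: placeholder secret; load the real one from a secret manager.
SHARED_SECRET = b"constructed-example-secret"
# Assumption: the page gives no freshness window; 300 s is illustrative.
MAX_AGE_SECONDS = 300


def sign_customer(customer_id, secret=SHARED_SECRET, now=None):
    """Return (data, signature): the raw JSON string and its HMAC-SHA256."""
    ts = int(time.time() if now is None else now)
    # Serialize once; this exact string is what gets signed and sent.
    data = json.dumps({"customer_id": str(customer_id), "timestamp": ts},
                      separators=(",", ":"))
    # Assumption: hex-encoded digest; the page does not state the encoding.
    sig = hmac.new(secret, data.encode("utf-8"), hashlib.sha256).hexdigest()
    return data, sig


def verify_customer(data, signature, secret=SHARED_SECRET, now=None,
                    max_age=MAX_AGE_SECONDS):
    """Illustrative receiver-side check: signature first, then freshness."""
    expected = hmac.new(secret, data.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad_signature"
    # Parse only after the MAC verifies, so unauthenticated JSON is never trusted.
    try:
        ts = int(json.loads(data)["timestamp"])
    except (ValueError, KeyError, TypeError):
        return "malformed"
    current = int(time.time() if now is None else now)
    # A captured (data, signature) pair stops working once it ages out.
    if abs(current - ts) > max_age:
        return "expired"
    return "ok"
```

Pass the returned `data` string to the app byte-for-byte: re-serializing the JSON on the device (different whitespace or key order) produces a string the signature no longer covers.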


Customer–Creator Mapping (SFTP Feed)

For Method 2, LoudCrowd needs to align creator accounts with customer records.

This is handled via a simple SFTP feed.

CSV Format

customer_id,email

Example:

customer_id,email

Delivery Requirements

  • Host: depot.loudcrowd.com

  • Auth: Public/private key (preferred)

  • Frequency: Determined during onboarding

Setup Steps

  1. Contact LoudCrowd Support to enable SFTP

  2. Provide public key or preferred authentication method

  3. Receive connection details

  4. Configure automated delivery

  5. Confirm successful ingestion
