docs: fix callback validation for third-party authentication

[shahednasser]

Summary

What — What changes are introduced in this PR?

Fix third-party authentication snippets to use the email retrieved from the third-party provider when creating the user.

Closes DX-2191

Why — Why are these changes relevant or necessary?

Please provide answer here

How — How have these changes been implemented?

Please provide answer here

Testing — How have these changes been tested, or how can the reviewer test the feature?

Please provide answer here

---

Examples

Provide examples or code snippets that demonstrate how this feature works, or how it can be used in practice.
This helps with documentation and ensures maintainers can quickly understand and verify the change.

// Example usage

---

Checklist

Please ensure the following before requesting a review:

• I have added a changeset for this PR
  • Every non-breaking change should be marked as a patch
  • To add a changeset, run yarn changeset and follow the prompts
• The changes are covered by relevant tests
• I have verified the code works as intended locally
• I have linked the related issue(s) if applicable

---

Additional Context

Add any additional context, related issues, or references that might help the reviewer understand this PR.

---

Note

Updates admin/store callback examples and docs to decode JWT, conditionally create the user/customer using email from user_metadata, then refresh the token; mirrors changes in OpenAPI samples and storefront guide.

• API Reference Code Samples:
  • Update auth_*_{auth_provider}_callback examples (JS/TS) for admin and store to:
    • Capture callback token, decodeToken, check actor_id === "".
    • Create user/customer using decodedToken.user_metadata.email.
    • Refresh auth via sdk.auth.refresh().
    • Adjust TS sample provider label to GitHub where applicable.
• OpenAPI Examples (openapi.full.yaml, generated oas-output):
  • Align embedded code samples with the new decode/create/refresh flow for admin and store callbacks.
• Docs:
  • Authentication route: add decoded token example and clarify when to create user and refresh token.
  • Storefront third-party login guide: streamline callback validation section to decode token, create customer with decoded email, refresh token, and retrieve customer; update highlights and examples.

^{Written by Cursor Bugbot for commit 262c39e. This will update automatically on new commits. Configure here.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: 262c39e

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
api-reference-v2	Ready	Preview	Comment	Nov 24, 2025 7:54am

7 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
api-reference	Ignored			Nov 24, 2025 7:54am
cloud-docs	Ignored	Preview		Nov 24, 2025 7:54am
docs-ui	Ignored	Preview		Nov 24, 2025 7:54am
docs-v2	Ignored	Preview		Nov 24, 2025 7:54am
medusa-docs	Ignored	Preview		Nov 24, 2025 7:54am
resources-docs	Ignored	Preview		Nov 24, 2025 7:54am
user-guide	Ignored	Preview		Nov 24, 2025 7:54am

[cursor]

This is the final PR Bugbot will review for you during this billing cycle

Your free Bugbot reviews will reset on December 17

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.