Customer Authentication
Customer authentication lets your agent verify the identity of end-users mid-conversation. This is different from access control (who can manage your agent in the dashboard) — customer auth identifies the people chatting with your agent so it can personalize responses, look up orders, or gate sensitive information.
How it works
There are two ways to trigger authentication:
- Login node in the Journey Builder — Add a Login node to your flow. When the conversation reaches this node, the user sees a login screen before proceeding. Use this when a specific path always requires auth (e.g., before showing order status).
- AI request_login tool — The AI can decide on its own that it needs the user's identity. When a user asks something like "What's my order status?", the AI invokes request_login as a built-in tool. The conversation engine renders the login UI automatically. No flow configuration needed.
Email OTP flow
Email OTP is the default authentication method:
- User encounters a login prompt (via Login node or AI tool)
- User enters their email address
- Zimmer sends a 6-digit verification code via email
- User enters the code
- On success, a session cookie is set and the conversation continues with the user's identity attached
The OTP code expires after a short window. Users can request a new code if needed.
Session cookies and returning users
After a successful login, a session cookie is stored in the user's browser. On their next visit, the agent recognizes them automatically — no need to log in again.
Session duration is configurable (default: 24 hours). After the session expires, the user will be prompted to re-authenticate when identity is needed.
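The email OTP flow and session expiry described above, sketched server-side as an added example (not Zimmer's code). The 5-minute code lifetime, the 5-attempt limit, the HMAC storage of codes, and all class and function names are assumptions; the page states only the 6-digit code, a "short window", and the 24-hour default session.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300        # assumed: the page only says "a short window"
MAX_ATTEMPTS = 5     # assumed: 6 digits is only 10**6 guesses, so cap them
SESSION_HOURS = 24   # the page's default session duration

class OtpAuth:       # hypothetical name, illustration only
    def __init__(self, clock=time.time):
        self.clock = clock
        self.key = secrets.token_bytes(32)   # server-side MAC key
        self.pending = {}    # email -> [code_mac, expires_at, attempts_left]
        self.sessions = {}   # sha256(token) -> (email, expires_at)

    def _mac(self, email, code):
        msg = f"{email}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def request_code(self, email):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, keeps leading zeros
        self.pending[email] = [self._mac(email, code),
                               self.clock() + OTP_TTL, MAX_ATTEMPTS]
        return code   # goes to the mail sender only, never to the browser

    def verify(self, email, code):
        entry = self.pending.get(email)
        if entry is None:
            return None
        if self.clock() >= entry[1] or entry[2] <= 0:
            del self.pending[email]          # expired or guesses used up
            return None
        entry[2] -= 1
        if not hmac.compare_digest(entry[0], self._mac(email, code)):
            return None
        del self.pending[email]              # single use
        token = secrets.token_urlsafe(32)    # value for the session cookie
        key = hashlib.sha256(token.encode()).digest()
        self.sessions[key] = (email, self.clock() + SESSION_HOURS * 3600)
        return token

    def identify(self, token):
        key = hashlib.sha256(token.encode()).digest()
        email, expires_at = self.sessions.get(key, (None, 0))
        if email is None or self.clock() >= expires_at:
            self.sessions.pop(key, None)     # expired: re-authenticate
            return None
        return email
```

Requesting a new code replaces the pending one for that address, so an older code stops working as soon as a fresh one is issued.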
Configuring Customer Auth
Go to your agent's Settings tab and select the Customer Auth section:
- Enable/disable customer auth for this agent
- Email OTP — Enabled by default. Uses Resend for email delivery.
- Phone OTP — Optional. Requires SMS provider credentials.
- Google OAuth — Optional. Requires OAuth client ID and secret.
- Login title and subtitle — Customize the text shown on the login screen (e.g., "Sign in to continue", "We'll send you a quick verification code")
- Session duration — How long (in hours) before a returning user must re-authenticate
Auto-fetch after login
Once a user authenticates, the agent can automatically fetch their data from connected integrations. For example, after login the agent could pull the user's recent orders from Shopify or their contact record from HubSpot — making that data available to the AI without the user having to provide it manually.
Configure auto-fetch rules in the Customer Auth settings.
Using the Login node
In the Journey Builder, add a Login node where you want to gate the conversation:
- Drag a Login node onto the canvas
- Configure the login title, subtitle, and allowed methods (email OTP, phone OTP, Google OAuth)
- Connect it between the nodes where auth should happen
- The conversation pauses at this node until the user authenticates, then continues to the next node
AI-driven authentication
If customer auth is enabled on the agent, the AI automatically has access to the request_login tool. You do not need to configure anything in the journey — the AI decides when identity is needed based on the conversation context.
When the AI invokes request_login:
- The chat UI shows the login form
- The user completes authentication
- The AI receives the user's identity and continues the conversation with personalized context