Access Token Flow


This flow is the second step in the login process, and used to refresh the access token afterwards. In the first login step, the authentication service delivered a login_key to the user’s device. In this step, the user’s device will sign this key with its private key, so the server can verify its identity.

The user’s device sends a POST /pwless/access request to the authentication service with the email, the signed login_key obtained from the server in the previous step (or the next login token obtained as the result of this flow, see below), and the signature for this login key. In strict mode, the biometrics sensor is used to sign the login key.

The server locates the corresponding public key for that user’s device and checks that the signature for the login_key is correct. Then, we have completely authenticated the user’s device.

The authentication service delivers an OK response (200) back to the user’s device including an access token for accessing the data contained in the resource server and the new login token that, that will allow the user’s device to re-send a new access token.

Regardless of whether the authentication succeeded or not, the authentication service generates a new login_key for this device/key. If the authentication succeeds, this next login token is sent back to the user, so the device can use this same flow with the “next login token” to refresh the access token, thus being able to keep the session alive once the access token has expired (see Access Token Refresh Flow).

Request and Response

POST /pwless/access
   “email”: “”,
   “key_id”: 382739283,
   “login_token_signed”: “a978s87dnacfs78nh8asvn37dn0v7”   

Response: 200 OK
   “success”: true,
   “code”: “success”,
   “user”: { “id”: 23482732, “email”: “” },
   “key”: { “id”: 382739283, “key_type”: “ec”, “key_length”: 256, ... },
   “auth”: {
      “access_token”: “2372c39rndf7sbvldkfhbva83v938”,
      “expires”: “2016-04-21T11:35:21.000Z”,
      “next_login_token”: “7fvy4n98avawd0a7a0w38v0a9w83uv”
Back to Flows

Want to know more? Join our newsletter.

Find us on Facebook

We are also on Twitter

Oh, and on Github too