PasswordLessAuth Flows



PasswordLessAuth establish a secure communication protocol to authenticate users of an application or service.

The protocol is based on asymmetric encryption. The main actors are the service -usually a backend- containing the application's data, the users and the devices used by the users to access the application.

The service or backend has a pair of public/private keys. Its public key should be available to all devices and, ideally, embedded in the application or easily retrievable from the internet.

Each user owns one or more devices. Each device has a pair of private/public keys. As part of the registration process with the service or backend, the device sends its public key, alongside some data, to the backend or service.

The PasswordLessAuth protocol is composed by a series of well-defined flows that allow a device to communicate with the backend for authentication and device/key management purposes.

Everything starts with the Signup Flow, that creates the account for the user and registers the initial device and key pair. Then, login is performed by means of a sequence of the Login Flow and the Access Token Flow. The latter also serves to refresh the access token once it has expired by means of an already retrieved login key from the authentication service.

The Add Device Flow allows the user to register a different device, with a new key pair, and associate it to the user account. Conversely, the Revoke Device Flow allows the user to revoke a device when it's no longer being used or its keys have been compromised.

Finally, the PasswordLessAuth Information Flow has been designed to get information from the authentication service in order for the clients to know how to interact with it. The User Information Flow offers information about an authenticated user.

Technical Specifications (v0.1)

PasswordLessAuth Flows


This flow creates the user account and registers the initial device and key pair. It's the beginning of all PasswordLessAuth flows. Read More


Initiates the login flow. In this initial phase, the device sends a nonce. The authentication service signs it and returns it alongside a login token. Read More

Access Token

This flow completes the login process. The device signs the login key and sends it back to the authentication service, that returns an access token. Read More

Add Device and Key Pair

This flow allows the users to register a new device and keys in their accounts of certain application where they have previously registered. Read More

Revoke Device and Key Pair

This flow allows the users to revoke a device and associated keys, probably because they have been compromised or are no longer valid. Read More

PwLessAuth Information

This flow returns information about the PasswordLessAuth configuration on your app, so the clients can adapt their requests and keys. Read More

Access Token Refresh

This flow allows a user to refresh an expired access token by directly signing the next login token. It's essentially equal to the Access Token Flow. Read More

User Information

The only flow from the PasswordLessAuth specification that requires authentication. Returns the collected information about the user. Read More

Want to know more? Join our newsletter.

Find us on Facebook

We are also on Twitter

Oh, and on Github too