Login Flow


The login process is divided in two separate flows. First, a POST /pwless/login request is sent from the user device to the authentication service.

This request serves both as a starting point for the authentication process and as a way for the client to authenticate the server.

The user’s device sends a request to the authentication service including the user’s email, the public key for this device and a security nonce. This security nonce is signed with the private key of the authentication service and sent back to the users so they can verify the signature and rest assured that they are communicating with the right service. It must be a random string between 48-64 characters.

The authentication service checks that the email corresponds to a valid user, and that the public key corresponds to a device for that user. Then, it gets the login_key for that device (public_key) and sends it back to the user in an OK response (200).

The user’s device then verifies the signature of the security nonce (using the server’s public key), and if validated, proceeds to the Access Token Flow. This completes the first step of the authentication process. Next, in the Access Token Flow, the user’s device gets verified by the authentication service and receives an access token that will allow it to access the resources stored in the resource server.

Request and Response

POST /pwless/login
   “email”: “user@emailserver.com”,
   “key_id”: 382739283,
   “security_nonce”: “q3v70q875v0aw8979s8v7a098s7vd78n2"

Response: 200 OK
   “success”: true,
   “code”: “success”,
   “security_nonce_signed”: “76rv9as87v9s76v978sdnsow873ha”,
   “login_token”: “sd7af6sdhf8a7sdajkdhfsakj3”
Back to Flows

Want to know more? Join our newsletter.

Find us on Facebook

We are also on Twitter

Oh, and on Github too