Generating and Using Authorization Tokens
Authorization tokens are currently used for the following scenarios:
- Creating passkeys over authorized sessions
- Managing passkeys (listing, renaming, and deleting passkeys)
Authorization tokens are short-lived: they expire after a few seconds, which limits the window in which an intercepted token could be used.
Overview Steps
- Create an API Key in the LoginID dashboard.
- Request an authorization token via the LoginID Grant Endpoint on your backend.
- Use the authorization tokens.
Create Application API Key on LoginID Dashboard
First, create an API key in the LoginID developer dashboard. This key defines the permissions (scopes) for your server when interacting with LoginID APIs. In your application's Settings tab, click Add New Key to generate it.
Store your API key as a secret.
Registration Requires Authentication Token
If you plan to authorize passkey creation over authorized sessions, enable the Registration Requires Authentication Token security lock on the dashboard.
Request Authorization Token With Grant Endpoint
Use the API key in a request to the Management grant API on your backend. Send this request with a Basic Authentication header.
The response contains the authorization token, which can then be sent to the client-side SDKs.
Curl:

    # -u sets a Basic Authorization header: the API key is the username, the password is empty.
    curl -X POST "{APP_BASE_URL}/fido2/v2/mgmt/grant" \
      -H "Content-Type: application/json" \
      -u "$APP_API_KEY:" \
      -d '{
        "grants": ["<SCOPE>", "<SCOPE>"],
        "username": "<USERNAME>"
      }'

- Replace {APP_BASE_URL} with your application's base URL.
- Replace <API_KEY> with your actual API key (passed as $APP_API_KEY in the curl command).
- Replace <SCOPE> with the appropriate scope(s) required for your token.
- Replace <USERNAME> with the username associated with the API request.
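
Nodejs:

    // Read the base URL and API key from the environment; never hard-code the key.
    const LOGINID_BASE_URL = process.env.LOGINID_BASE_URL;
    const LOGINID_API_KEY_ID = process.env.LOGINID_API_KEY_ID;

    export const requestLoginIDAuthorizationToken = async (username: string) => {
      // Basic auth: the API key is the username and the password is empty.
      const basicToken = Buffer.from(`${LOGINID_API_KEY_ID}:`).toString("base64");

      const res = await fetch(`${LOGINID_BASE_URL}/fido2/v2/mgmt/grant`, {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
          Authorization: `Basic ${basicToken}`,
        },
        body: JSON.stringify({
          grants: ["passkey:write", "passkey:read"],
          username: username,
        }),
      });

      // Fall back to an empty object if the body is not JSON (e.g. a proxy error page).
      const data = await res.json().catch(() => ({}));
      if (!res.ok) {
        throw new Error(data.message || data.msg || `Grant request failed with HTTP ${res.status}`);
      }

      // Short-lived authorization token to hand to the client-side SDK.
      return data.token;
    };
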
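The following is an added example, not part of LoginID's documentation or SDK. It shows one way to build the grant request so that each backend action asks only for the scopes it needs and the username always comes from the server-side session. The endpoint path and the scope names passkey:read and passkey:write are taken from this page; the action names, the action-to-scope mapping and the function names are assumptions made for illustration.

```javascript
// Added example, not LoginID's code. Endpoint path and scope names are from the
// page; the action-to-scope mapping and function names are assumptions.
const SCOPES_BY_ACTION = {
  createPasskey: ["passkey:write"],
  listPasskeys: ["passkey:read"],
  managePasskeys: ["passkey:read", "passkey:write"],
};

// Build the grant request for one action. `sessionUsername` must come from the
// caller's authenticated server-side session, never from the request body.
function buildGrantRequest(action, sessionUsername, baseUrl, apiKey) {
  // Own-property check so "__proto__" or "constructor" cannot select scopes.
  if (!Object.prototype.hasOwnProperty.call(SCOPES_BY_ACTION, action)) {
    throw new Error(`unknown action: ${action}`);
  }
  if (typeof sessionUsername !== "string" || sessionUsername.trim() === "") {
    throw new Error("no authenticated username in session");
  }
  // Basic auth carries the API key, so refuse anything but HTTPS.
  if (new URL(baseUrl).protocol !== "https:") {
    throw new Error("base URL must use https");
  }
  if (!apiKey) throw new Error("API key is not configured");
  const basicToken = Buffer.from(`${apiKey}:`).toString("base64");
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/fido2/v2/mgmt/grant`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Basic ${basicToken}` },
      body: JSON.stringify({ grants: SCOPES_BY_ACTION[action], username: sessionUsername }),
    },
  };
}

// Extract the token from a grant response, tolerating non-JSON error bodies
// (for example an HTML page returned by a proxy).
function parseGrantResponse(status, bodyText) {
  let data = {};
  try { data = JSON.parse(bodyText) || {}; } catch { /* body was not JSON */ }
  if (status < 200 || status > 299) {
    throw new Error(data.message || data.msg || `grant failed with HTTP ${status}`);
  }
  if (typeof data.token !== "string" || data.token === "") {
    throw new Error("grant response did not contain a token");
  }
  return data.token;
}
```

On the backend, pass the returned url and init to fetch, then hand res.status and await res.text() to parseGrantResponse.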
Use Authorization Tokens
Common scenarios where authorization tokens are required include: