
Generating and Using Authorization Tokens

Authorization tokens are currently used for the following scenarios:

  • Creating passkeys over authorized sessions
  • Managing passkeys (listing, renaming, and deleting passkeys)
Info: Authorization tokens have a very short lifespan of a few seconds, which limits how long a leaked token can be used.

Overview Steps

  1. Create an API Key in the LoginID dashboard.
  2. Request an authorization token via the LoginID Grant Endpoint on your backend.
  3. Use the authorization tokens.

Create Application API Key on LoginID Dashboard

First, create an API key in the LoginID developer dashboard. This key defines the permissions (scopes) for your server when interacting with LoginID APIs. In your application's Settings tab, click Add New Key to generate it.

Store your API key as a secret.


API Key Scopes

When creating an API key, you assign scopes that define the permissions available for authorization tokens. Scopes ensure your backend only performs the actions you explicitly allow.

| Scope | Usage | Docs / Reference |
|---|---|---|
| passkey:read | List a user’s passkeys and retrieve AAGUID metadata. | Passkey Management, AAGUID Metadata API |
| passkey:write | Rename and delete user passkeys. | Passkey Management |
| profile:read | Retrieve users or groups via the SCIM API. | SCIM Overview |
| profile:write | Create, update, or delete user profiles via the Profile API. Manage users/groups with SCIM API. | Profile API, SCIM Overview |
| reg:write | Create secondary passkeys (any additional passkey after the first for a given user requires this scope). | Passkey Creation |
| auth:write | Allow authorized users to request an OTP (used in cross-authentication flows). | Cross-Auth |
| user:read | Use the Management Discover API. | Mgmt API |
| user:write | Reserved (no operations tied yet). | |
| external:verify | Complete external/third-party authentication flows (e.g., after a bank login in checkout). | Checkout Flow, MFA Flow |

Registration Requires Authentication Token

If you plan to authorize passkey creation over authorized sessions, enable the Registration Requires Authentication Token security lock on the dashboard.


Request Authorization Token With Grant Endpoint

Use the API key in a request to the Management grant API on your backend. Send the request with a Basic Authentication header in which the API key is the username and the password is empty.

The response contains the authorization token, which can then be passed to the client-side SDKs.

const LOGINID_BASE_URL = process.env.LOGINID_BASE_URL;
const LOGINID_API_KEY = process.env.LOGINID_API_KEY;

export const requestLoginIDAuthorizationToken = async (username: string) => {
  // Basic auth: the API key is the username and the password is empty.
  const basicToken = Buffer.from(`${LOGINID_API_KEY}:`).toString("base64");
  const res = await fetch(`${LOGINID_BASE_URL}/fido2/v2/mgmt/grant`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Basic ${basicToken}`,
    },
    body: JSON.stringify({
      // Scopes requested for this token; the API key must carry them.
      grants: ["passkey:write", "passkey:read"],
      username: username,
    }),
  });

  const data = await res.json();

  if (!res.ok) {
    throw new Error(data.message || data.msg);
  }

  // Short-lived authorization token to hand to the client-side SDK.
  return data.token;
};
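
The request above asks for both passkey:read and passkey:write in one token. As an added example (not LoginID's own code), the helper below requests only the scope a given operation needs, fails closed on a missing API key or a non-HTTPS base URL, and tolerates non-JSON error bodies. The operation names, function names and the operation-to-scope mapping are assumptions made here; the scope strings, endpoint path, body shape and Basic header format are the ones shown on this page.

```typescript
// Added example: one scope per operation (least privilege) for the grant call.
// Operation and function names are hypothetical; scope strings come from this page.
type PasskeyOperation = "list" | "rename" | "delete" | "create-additional";

const SCOPE_FOR_OPERATION = new Map<PasskeyOperation, string>([
  ["list", "passkey:read"],
  ["rename", "passkey:write"],
  ["delete", "passkey:write"],
  ["create-additional", "reg:write"],
]);

interface GrantRequest {
  url: string;
  init: { method: string; headers: Record<string, string>; body: string };
}

function buildGrantRequest(
  baseUrl: string, apiKey: string, username: string, operation: PasskeyOperation,
): GrantRequest {
  // Fail closed: an empty key still yields a well-formed Basic header.
  if (!apiKey) throw new Error("LoginID API key is not configured");
  if (!username.trim()) throw new Error("username is required");
  const scope = SCOPE_FOR_OPERATION.get(operation);
  if (!scope) throw new Error(`unknown operation: ${operation}`);
  // The API key travels in every grant request, so refuse non-TLS base URLs.
  if (new URL(baseUrl).protocol !== "https:") throw new Error("base URL must use https");
  return {
    url: `${baseUrl.replace(/\/+$/, "")}/fido2/v2/mgmt/grant`,
    init: {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        // API key as Basic username with an empty password, as on this page.
        Authorization: `Basic ${btoa(`${apiKey}:`)}`,
      },
      body: JSON.stringify({ grants: [scope], username }),
    },
  };
}

async function requestScopedToken(req: GrantRequest, fetchImpl: typeof fetch = fetch): Promise<string> {
  const res = await fetchImpl(req.url, req.init);
  let data: { token?: string; message?: string; msg?: string } = {};
  try { data = JSON.parse(await res.text()); } catch { /* non-JSON error body */ }
  if (!res.ok || !data.token) {
    throw new Error(data.message || data.msg || `grant failed: HTTP ${res.status}`);
  }
  return data.token;
}
```

Build the request per operation, for example `buildGrantRequest(baseUrl, apiKey, username, "rename")`, and pass the result to `requestScopedToken` on the backend only; the API key never leaves the server.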

Request Authorization Token With External Authentication

If your backend has already authenticated the user through an external system, you can request an authorization token using the External Auth Grant Endpoint. This flow also uses Basic Authentication with your API key.

const LOGINID_BASE_URL = process.env.LOGINID_BASE_URL;
const LOGINID_API_KEY = process.env.LOGINID_API_KEY;

export const requestExternalAuthToken = async (username: string) => {
  // Basic auth: the API key is the username and the password is empty.
  const basicToken = Buffer.from(`${LOGINID_API_KEY}:`).toString("base64");
  const res = await fetch(`${LOGINID_BASE_URL}/fido2/v2/mgmt/grant/external-auth`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Basic ${basicToken}`,
    },
    // Call this only after your backend has authenticated the user externally.
    body: JSON.stringify({ username }),
  });

  const data = await res.json();

  if (!res.ok) {
    throw new Error(data.message || data.msg);
  }

  return data.token;
};