
LoginID Authorization Token

User authentication in application integrations is built on JWT stateless sessions for secure and efficient session management. LoginID calls this session token a LoginID Token.

JWT Stateless Sessions

LoginID employs JWTs, referred to as LoginID Tokens, signed with an ES256 private key held exclusively by LoginID, to create user sessions. The signature lets a relying party detect any alteration of the session data and confirm that the token was issued by LoginID; a verifier must validate it against LoginID's public key before trusting any claim in the payload. ES256 (ECDSA over the P-256 curve with SHA-256) gives security comparable to RSA at much smaller key and signature sizes, which keeps tokens compact and verification fast.

These JWTs are entirely stateless: no user session information is stored on LoginID servers. Instead, session details are embedded within the JWT claims, which removes the need for server-side session storage and lets authentication scale efficiently. The stateless approach simplifies system design and improves performance. The trade-off is that a stateless token cannot be invalidated server-side before its exp claim is reached, so the short default lifetime (see Expiration below) bounds how long a leaked token remains usable.

Session JWT Claims

The payload of a JWT carries the standard iss, sub, aud, iat and exp claims together with LoginID-specific claims (credID, scopes, tokenType, username and verify) that detail the session. In the example below, iss is the tenant's API host, the application ID in that host name also appears in aud, and exp is 600 seconds after iat:

{
  "aud": "136871ee-1fa5-4975-bc0b-a20752890b80",
  "credID": "8f3ad5cc-73bd-496f-b1de-0dda413c793b",
  "exp": 1723776079,
  "iat": 1723775479,
  "iss": "https://136871ee-1fa5-4975-bc0b-a20752890b80.api.loginid.io",
  "scopes": [
    "passkey:read",
    "passkey:write",
    "auth:write"
  ],
  "sub": "babf9d64-de82-47d0-b1b2-468d56cf486e",
  "tokenType": "jwtAccess",
  "username": "user@loginid.io",
  "verify": "/fido2/v2/mgmt/token/verify"
}

Scopes

Included within the JWT, the scopes claim lists the permissions granted to the authenticated user and dictates which protected LoginID APIs the token may call. The token is transmitted as a Bearer token in the Authorization header of API requests (Authorization: Bearer <LoginID Token>); a request whose token lacks the scope an endpoint requires is rejected. Scopes are how access rights to features like Passkey Management are managed.

Authenticated Sessions

Once authenticated with a passkey, a user will be able to perform protected operations using their LoginID token. These include listing, renaming, and deleting their passkeys. The required permissions for these operations are managed through the appropriate scopes included in the token.

note

The LoginID SDKs default to using the LoginID token if no authorization token is provided.
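The following added example, which is not code from the LoginID documentation or SDKs, shows what a relying party does with a LoginID Token: it pins the algorithm to ES256, verifies the signature before trusting any claim, checks iss, aud and the 10-minute exp window, and then gates a protected passkey operation on the scopes claim. Because integrators never hold LoginID's private key, the example generates a throwaway P-256 key to sign the page's sample payload; that key, the SignES256 helper and the NewDemoKey, VerifyLoginIDToken and HasScope names are assumptions for the demonstration. The page does not say how LoginID's public key is distributed, so the verifier takes it as a parameter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims holds the LoginID Token fields a relying party must check (credID, username, tokenType, verify stay unparsed).
type Claims struct {
	Aud    string   `json:"aud"`
	Exp    int64    `json:"exp"`
	Iat    int64    `json:"iat"`
	Iss    string   `json:"iss"`
	Scopes []string `json:"scopes"`
	Sub    string   `json:"sub"`
}

// SamplePayload is the example payload from this page, unchanged; note exp - iat = 600 s.
const SamplePayload = `{"aud":"136871ee-1fa5-4975-bc0b-a20752890b80","credID":"8f3ad5cc-73bd-496f-b1de-0dda413c793b",
"exp":1723776079,"iat":1723775479,"iss":"https://136871ee-1fa5-4975-bc0b-a20752890b80.api.loginid.io",
"scopes":["passkey:read","passkey:write","auth:write"],"sub":"babf9d64-de82-47d0-b1b2-468d56cf486e",
"tokenType":"jwtAccess","username":"user@loginid.io","verify":"/fido2/v2/mgmt/token/verify"}`

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// NewDemoKey makes a P-256 key that stands in for LoginID's private key (assumption: integrators never hold the real one).
func NewDemoKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignES256 builds header.payload.signature; an ES256 signature is raw R||S, 32 bytes each (RFC 7518 section 3.4).
func SignES256(priv *ecdsa.PrivateKey, payload []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyLoginIDToken pins the algorithm, verifies the signature before trusting any claim, then checks iss, aud and exp.
func VerifyLoginIDToken(tok string, pub *ecdsa.PublicKey, iss, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var h struct{ Alg string `json:"alg"` }
	hdr, err := b64.DecodeString(parts[0])
	// Never let the header pick the algorithm: that is the root of alg=none and HS256 key-confusion bugs.
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "ES256" {
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	pl, err := b64.DecodeString(parts[1])
	if err != nil || json.Unmarshal(pl, &c) != nil {
		return nil, errors.New("bad payload")
	}
	switch {
	case c.Iss != iss:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != aud:
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// HasScope reports whether the token grants the scope a protected operation requires.
func HasScope(c *Claims, want string) bool {
	for _, s := range c.Scopes {
		if s == want {
			return true
		}
	}
	return false
}
```

Verification order matters: the payload is only parsed after the signature checks out, and the clock is passed in rather than read from time.Now so that the expiry rule can be exercised against the page's 2024 timestamps. A request that needs passkey:write would call HasScope on the returned claims and refuse the operation if it is absent.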

Expiration

LoginID Tokens expire 10 minutes after issuance by default (exp is iat plus 600 seconds, as in the example above), balancing security against user convenience. A token presented at or after its exp time must be rejected; since sessions are stateless, this expiry is the only point at which an issued token stops being valid.

info

Future updates from LoginID will introduce a dashboard option to customize token expiration times, offering more flexibility to meet diverse application needs.