Skip to main content
Version: 2.0.0-beta

Session Access Token


Following successful user authentication and completion of a session, an internal session is established, and the client receives an access token. The access token is a signed JWT token (ES256) containing a set of claims. This token enables the authenticated user to access specific resources, including:

  • Add another passkey
  • Create a recovery code
  • Retrieve all credentials
  • Delete a given credential
  • Rename a given credential
  • Lock a given credential

A credential typically refers to the information or proof used to verify the identity of an individual or entity. The types of credentials currently offered by LoginID are:

  • Passkey
  • Email

The session access token has a default expiration of 1 hour.

Access Token Claims

"app_uuid": "<app_id>",
"aud": [
"<rpid of the application>"
"exp": <expiry time>,
"iss": "<issuer or base URL>",
"sub": "<username>"

Access Token Verification

If you would like to verify the authenticity of the access token, the public key must be obtained. This can be achieved by making a request to the following endpoint:

curl '{{base_url}}/frontend-api/sessions/key'

"keys": [
"kty": "EC",
"kid": "loginid-key",
"crv": "P-256",
"alg": "ES256",
"x": "UIkn-mmnHCeCkJ9PEo5vpcg-sHHbSAQsUMrM62T3AFY",
"y": "pUVkd3slpof2Loht8V5mjhMQl_5eWNaw9VjXPXKv6kk"

The response will contain a JSON Web Key Set (JWKS) with one or more keys.

Ensure that you follow the appropriate steps in your chosen programming language and JWT library to decode the access token, retrieve the public key, and perform the signature verification. The provided cURL command is a starting point for obtaining the necessary public key.

How to use

It is recommended to use the Client Web SDK, which will handle all the access token session management and make things easier on the front-end. If you prefer using endpoints, please refer to our OpenAPI to identify which endpoints require an access token.