search

Cotter's OAuth 2.0 Tokens Specification

Allowing Cotter handling your full authentication is the fastest way to get your whole authentication suite setup. Cotter can generate an access token, id token, and refresh tokens for you.

hashtag
Handling Authentication

After successful authentication, Cotter returns ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard:

  • The ID Tokenarrow-up-right contains information about the authenticated user such as email , phone number , client_user_id (the user's id in your server), and auth_time (last authenticated time).

  • The Access Tokenarrow-up-right contains scopes and the authentication method used to authenticate the user: OTP, TRUSTED DEVICE , PIN or BIOMETRIC .

  • The Refresh Tokenarrow-up-right contains the information necessary to obtain a new ID and access token.

circle-exclamation

πŸ”’It is important to secure all tokens in transit and storage.

hashtag
Client Libraries

Currently, we have the following libraries available to handle Cotter's OAuth Tokens:

hashtag
Cotter's Access Token

Cotter's Access token is a JSON Web Tokens (JWTs)arrow-up-right that is used to tell your backend API that the user has been authorized to call the API and perform some action (defined in the scopes attribute of the token).

Access tokens expires every 1 hour. Check the guide on renewing access and id tokens.

Token example:

hashtag
How to use the Access Token to allow API calls

1. On every API call to your server, attach the access token as a header

2. In your server, using a middleware, check if the access token is valid

Verifying JWT Tokenschevron-right

3. If the access token is valid, allow the API call to proceed.

hashtag
Cotter's ID Token

Cotter's ID token is a JSON Web Tokens (JWTs)arrow-up-right that is used to provide information about the user. ID tokens expires every 1 hour. Check the guide on renewing access and id tokens.

circle-info

You should not trust this information after it's expired

hashtag
Cotter's Refresh Token

Cotter's Refresh Token is an opaque token (i.e. a random string) that is used to generate a new access token and id token when they're expired. Refresh tokens expires every 30 days. You need to re-authenticate the user to get a new refresh token. Check the guide on renewing access and id tokens.

hashtag
πŸ₯³ Getting Started

hashtag
1. Getting The Tokens using the SDK

Easily get tokens using the SDK by adding a simple paramater, ex. getOAuthToken = true

Getting the Tokenschevron-right

hashtag
2. Storing & Removing the Token

The SDK generally automatically store tokens securely for you, and provides a function to easily remove the tokens to logout your users.

Storing and Removing Tokenschevron-right

hashtag
3. Renewing Expired Tokens

The SDK generally automatically renews expired access_token and id_token whenever a valid refresh_token exists.

Renewing Expired Tokenschevron-right

hashtag
4. Verifying the Tokens

You need to verify the JWT tokens in your backend server. Fortunately, there are a lot of good libraries that do this.

Verifying JWT Tokenschevron-right

hashtag
5. Adding Custom Claims to your JWT Token

If you have additional metadata from your backend server that you'd like to add to the JWT token (for example, the user's role or name, you can call Cotter's API to add the claims to Cotter's JWT token

Requesting Custom Claims on your Access Tokenchevron-right

hashtag
πŸŽ‰ You're done!

PreviousEnable reCAPTCHA to Protect Against Automated AbuseNextGetting the Tokens

Last updated