Get Tokens during Authentication

PreviousGetting the Tokens NextUsing the Refresh Token

Last updated 4 years ago

Get Tokens during Authentication

When a user logs in to your application using the Sign in with Email/Phone or the Sign in with Device method, Cotter will return OAuth tokens in the form of JWT Tokens.

For Sign in with Email/Phone: The authentication_method = OTP
For Sign in with Device: The authentication_method = TRUSTED_DEVICE

You will receive the access token when using these features:

The JS SDK automatically store your tokens securely

Using the , you would follow this guide to When the user's email or phone number is successfully verified,

To also receive OAuth Tokens, add a query parameter oauth_token=true in the http request:

https://www.cotter.app/api/v0/verify/get_identity?oauth_token=true

The full request would be:

curl -XPOST \
-H 'Content-type: application/json' \
-H 'API_KEY_ID: <api_key_id>' \
-d '{
  "code_verifier": "<code_verifier>",
  "authorization_code": "<authorization_code>",
  "challenge_id": <challenge_id>,
  "redirect_url": "<redirect_url>"
}' 'https://www.cotter.app/api/v0/verify/get_identity?oauth_token=true'

You'll get the following response:

JSON Response

{
  "identifier": {
    "ID": "2ddc26f6-f392-4d7e-8607-1f57d41da045",
    "created_at": "2020-04-05T04:50:55.931771Z",
    "deleted_at": null,
    "device_name": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1",
    "device_type": "BROWSER",
    "expiry": "2020-05-07T03:34:58.729745Z",
    "identifier": "hello@gmail.com",
    "identifier_type": "EMAIL",
    "public_key": "FvozWVGHo9lWE5ilLOF...",
    "timestamp": "2020-04-07T03:34:58.729745Z",
    "update_at": "2020-04-07T03:34:58.733779Z"
  },
  "token": { // You can ignore this if you're using the oauth_token 
    "expire_at": "1588822498",
    "identifier": "hello@gmail.com",
    "identifier_id": "2ddc26f6-f392-4d7e-8607-1f57d41da045",
    "identifier_type": "EMAIL",
    "receiver": "<your API KEY ID>",
    "signature": "XIbztHLKQSqzbnuBgyC+GfAK...",
    "timestamp": "1586230498"
  },
  "oauth_token": {  // 👈 NEW OAuth Tokens 👈
    "access_token": "eyJhbGciOiJFUz...",
    "auth_method": "OTP",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJFUz...",
    "refresh_token": "94:qv2SAJN5u2u...",
    "token_type": "Bearer"
  }
}

Tokens must be stored securely within your application. Use for Android and for iOS apps.

Getting and Removing tokens from the Storage

You need to pass the access_token to your backend server on every API calls. You also need to remove the tokens from storage to log out your users. Check out how to do that here:

Renewing Expired Tokens

Access tokens and ID tokens expires in 1 hour. When they're expired, you need to use the refresh_token to get new tokens. Check out how to renew expired tokens:

PreviousGetting the Tokens NextUsing the Refresh Token

Last updated 4 years ago

When a user logs in to your application using the Sign in with Email/Phone or the Sign in with Device method, Cotter will return OAuth tokens in the form of JWT Tokens.

For Sign in with Email/Phone: The authentication_method = OTP
For Sign in with Device: The authentication_method = TRUSTED_DEVICE

You will receive the access token when using these features:

The JS SDK automatically store your tokens securely

Using the , you would follow this guide to When the user's email or phone number is successfully verified,

To also receive OAuth Tokens, add a query parameter oauth_token=true in the http request:

https://www.cotter.app/api/v0/verify/get_identity?oauth_token=true

The full request would be:

curl -XPOST \
-H 'Content-type: application/json' \
-H 'API_KEY_ID: <api_key_id>' \
-d '{
  "code_verifier": "<code_verifier>",
  "authorization_code": "<authorization_code>",
  "challenge_id": <challenge_id>,
  "redirect_url": "<redirect_url>"
}' 'https://www.cotter.app/api/v0/verify/get_identity?oauth_token=true'

You'll get the following response:

JSON Response

{
  "identifier": {
    "ID": "2ddc26f6-f392-4d7e-8607-1f57d41da045",
    "created_at": "2020-04-05T04:50:55.931771Z",
    "deleted_at": null,
    "device_name": "Mozilla/5.0 (iPhone; CPU iPhone OS 13_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1 Mobile/15E148 Safari/604.1",
    "device_type": "BROWSER",
    "expiry": "2020-05-07T03:34:58.729745Z",
    "identifier": "hello@gmail.com",
    "identifier_type": "EMAIL",
    "public_key": "FvozWVGHo9lWE5ilLOF...",
    "timestamp": "2020-04-07T03:34:58.729745Z",
    "update_at": "2020-04-07T03:34:58.733779Z"
  },
  "token": { // You can ignore this if you're using the oauth_token 
    "expire_at": "1588822498",
    "identifier": "hello@gmail.com",
    "identifier_id": "2ddc26f6-f392-4d7e-8607-1f57d41da045",
    "identifier_type": "EMAIL",
    "receiver": "<your API KEY ID>",
    "signature": "XIbztHLKQSqzbnuBgyC+GfAK...",
    "timestamp": "1586230498"
  },
  "oauth_token": {  // 👈 NEW OAuth Tokens 👈
    "access_token": "eyJhbGciOiJFUz...",
    "auth_method": "OTP",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJFUz...",
    "refresh_token": "94:qv2SAJN5u2u...",
    "token_type": "Bearer"
  }
}

Tokens must be stored securely within your application. Use for Android and for iOS apps.

Getting and Removing tokens from the Storage

You need to pass the access_token to your backend server on every API calls. You also need to remove the tokens from storage to log out your users. Check out how to do that here:

Renewing Expired Tokens

Access tokens and ID tokens expires in 1 hour. When they're expired, you need to use the refresh_token to get new tokens. Check out how to renew expired tokens: