Cotter
BlogDashboardGet help on Slack πŸ‘‹
Search…
0.1.0
πŸš€
Getting Started
Features & Concepts
πŸ“Œ
Quickstart Guides
All Guides & Tutorials
HTML – Sign in with Email/Phone
React – Sign in with Email/Phone
React – WebAuthn
β–² Next.js
Angular
Webflow
Bubble.io
Python SDK for a CLI
React Native – Sign in with Device
iOS – Sign in with Device
Flutter – Sign in with Device
πŸ“˜
SDK Reference
Web
React Native
Flutter
iOS
Android
Python (for CLI)
API for Other Mobile Apps or CLI
Backend: Handling Response
πŸ›‘οΈ Protecting Your Account
Only Allow Your Website/App to Use Your API Key
Rate Limit
Enable reCAPTCHA to Protect Against Automated Abuse
πŸ—οΈ Getting Access Token
Cotter's OAuth 2.0 Tokens Specification
Getting the Tokens
Storing and Removing Tokens
Renewing Expired Tokens
Verifying JWT Tokens
Requesting Custom Fields on your JWT Token
Older API
πŸ”Œ
API Reference
User API
OAuth Tokens API
OAuth Tokens from Social Login
Event Object
Reset PIN API
Older API
Validating Cotter's Identity Token
Validating Cotter's Event Response
Powered By GitBook
Cotter's OAuth 2.0 Tokens Specification
Allowing Cotter handling your full authentication is the fastest way to get your whole authentication suite setup. Cotter can generate an access token, id token, and refresh tokens for you.

Handling Authentication

After successful authentication, Cotter returns ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard:
  • The ID Token contains information about the authenticated user such as email , phone number , client_user_id (the user's id in your server), and auth_time (last authenticated time).
  • The Access Token contains scopes and the authentication method used to authenticate the user: OTP, TRUSTED DEVICE , PIN or BIOMETRIC .
  • The Refresh Token contains the information necessary to obtain a new ID and access token.
πŸ”’It is important to secure all tokens in transit and storage.

Client Libraries

Currently, we have the following libraries available to handle Cotter's OAuth Tokens:

Cotter's Access Token

Cotter's Access token is a JSON Web Tokens (JWTs) that is used to tell your backend API that the user has been authorized to call the API and perform some action (defined in the scopes attribute of the token).
Access tokens expires every 1 hour. Check the guide on renewing access and id tokens.
Token example:
Access Token
eyJhbGciOiJFUzI1NiIsImtpZCI6IlNQQUNFX0pXVF9QVU...
Example decoded token
{
"sub": "09efb1b-e50f-41fd-8530-88ffbcd80f59", // [Deprecated] Cotter's User id
"client_user_id": "09efb1b-e50f-41fd-8530-88ffbcd80f59", // deprecated
"authentication_method": "TRUSTED_DEVICE", // How the user is authenticated
"type": "access_token",
"identifier": "[email protected]", // User's email or phone number
"scope": "access", // Scope of this access token (coming soon)
"aud": "<your API KEY ID>", // Your API_KEY_ID
"exp": 1586231136, // Expires at
"iat": 1586227536, // Issued at
"jti": "47fba8ba-abcd-efgh-a22c-a2b8b72e8b98",
"iss": "https://www.cotter.app"
}

How to use the Access Token to allow API calls

1. On every API call to your server, attach the access token as a header
Authorization: Bearer <access token>
2. In your server, using a middleware, check if the access token is valid
3. If the access token is valid, allow the API call to proceed.

Cotter's ID Token

Cotter's ID token is a JSON Web Tokens (JWTs) that is used to provide information about the user. ID tokens expires every 1 hour. Check the guide on renewing access and id tokens.
Example Decoded Token
{
"sub": "43e53999-c31e-4ed9-a196-71031a05f297", // [Deprecated] Cotter User ID
"client_user_id": "43e53999-c31e-4ed9-a196-71031a05f297", // Deprecated
"auth_time": "1591756112", // Last authenticated time (Unix timestamp)
"identifier": "[email protected]",
"type": "id_token",
"aud": "<your API KEY ID>", // your API KEY ID
"exp": 1586232181, // Expires at
"iat": 1586228581, // Issued at
"jti": "886773db-abcd-efgh-aefc-6ab481b24099",
"iss": "https://www.cotter.app"
}
You should not trust this information after it's expired

Cotter's Refresh Token

Cotter's Refresh Token is an opaque token (i.e. a random string) that is used to generate a new access token and id token when they're expired. Refresh tokens expires every 30 days. You need to re-authenticate the user to get a new refresh token. Check the guide on renewing access and id tokens.
14:Pmw3r3rgaw0rLupUDU4hjwJFisv8EaHRaoy5gw54ZmSebaWHDh

πŸ₯³ Getting Started

1. Getting The Tokens using the SDK

Easily get tokens using the SDK by adding a simple paramater, ex. getOAuthToken = true

2. Storing & Removing the Token

The SDK generally automatically store tokens securely for you, and provides a function to easily remove the tokens to logout your users.

3. Renewing Expired Tokens

The SDK generally automatically renews expired access_token and id_token whenever a valid refresh_token exists.

4. Verifying the Tokens

You need to verify the JWT tokens in your backend server. Fortunately, there are a lot of good libraries that do this.

5. Adding Custom Claims to your JWT Token

If you have additional metadata from your backend server that you'd like to add to the JWT token (for example, the user's role or name, you can call Cotter's API to add the claims to Cotter's JWT token

πŸŽ‰ You're done!

πŸ›‘οΈ Protecting Your Account - Previous
Enable reCAPTCHA to Protect Against Automated Abuse
Next - πŸ—οΈ Getting Access Token
Getting the Tokens
Last modified 1yr ago
Copy link
Outline
Handling Authentication
Client Libraries
Cotter's Access Token
How to use the Access Token to allow API calls
Cotter's ID Token
Cotter's Refresh Token
πŸ₯³ Getting Started
1. Getting The Tokens using the SDK
2. Storing & Removing the Token
3. Renewing Expired Tokens
4. Verifying the Tokens
5. Adding Custom Claims to your JWT Token
πŸŽ‰ You're done!