Cotter
  • 🚀Getting Started
  • Features & Concepts
    • 💬Sign In with Email/Phone Number
    • 🔐Sign In with Device
      • How it works
    • 🧬Sign In with WebAuthn
  • 📌Quickstart Guides
    • All Guides & Tutorials
    • HTML – Sign in with Email/Phone
    • React – Sign in with Email/Phone
    • React – WebAuthn
    • ▲ Next.js
    • Angular
    • Webflow
    • Bubble.io
    • Python SDK for a CLI
    • React Native – Sign in with Device
    • iOS – Sign in with Device
    • Flutter – Sign in with Device
  • 📘SDK Reference
    • Web
      • Sign In with Email/Phone Number
        • Customize the Form
        • Checking the email or phone before sending a verification code
        • Sending Code or Link via WhatsApp
        • Styling
        • Older SDK
          • Customize the Form
      • Sign in with Social Login
        • Getting Access Tokens from Social Login Providers
        • Github Instructions
        • Google Instructions
      • Sign In with WebAuthn
        • Register WebAuthn for a logged-in user
      • Sign In with Device
        • Steps for Pop Up Authentication Prompt
        • Advanced Customization for Login Form
        • Advanced Customization for Pop Up Authentication Prompt
      • Getting Access Token and Logged-In User Info
      • Sending Successful Form Submission
      • FAQ & Troubleshooting
    • React Native
      • Installation
      • Sign In with Device
        • Add Email/Phone Verification
        • Authenticate from a Non-Trusted Device
        • Add a new Trusted Device
        • Remove Trusted Device
      • Sign In with Email/Phone Number
      • Getting Stored OAuth Tokens and User Information
      • FAQ
      • Older SDK Versions
        • Sign in with Email/Phone
        • Sending Code via WhatsApp
        • Sign In with Device
          • Authenticate from a Non-Trusted Device
          • Add a new Trusted Device
          • Customization
    • Flutter
      • Sign In with Device
        • Add Email/Phone Verification
        • Authenticate from a Non-Trusted Device
      • Sign in with Email/Phone Number
      • Getting the Logged-in User
      • Getting OAuth Tokens
      • Signing a User Out
    • iOS
      • Sign In with Email/Phone Number
      • Sign In with Device
        • Authenticate from a Non-Trusted Device
        • Push Notification
        • Check if Trusted Device is Enrolled
        • Add a New Trusted Device
        • Remove Trusted Device
      • Older Versions
        • Biometric/Pin
    • Android
      • Sign In with Device
        • Authenticate from a Non-Trusted Device
        • Check if Trusted Device is Enrolled
        • Add a new Trusted Device
        • Remove Trusted Device
        • Customization
      • Sign In with Email/Phone Number
      • Biometric/Pin
        • Advanced Methods
        • Customization
        • Setting Strings
        • Styling
      • Older SDK Version
        • Sign In with Device
          • Authenticate from a Non-Trusted Device
    • Python (for CLI)
    • API for Other Mobile Apps or CLI
      • Verify Email/Phone Number
        • Handling URL Scheme
    • Backend: Handling Response
  • 🛡️ Protecting Your Account
    • Only Allow Your Website/App to Use Your API Key
    • Rate Limit
    • Enable reCAPTCHA to Protect Against Automated Abuse
  • 🗝️ Getting Access Token
    • Cotter's OAuth 2.0 Tokens Specification
    • Getting the Tokens
      • Get Tokens during Authentication
      • Using the Refresh Token
    • Storing and Removing Tokens
    • Renewing Expired Tokens
    • Verifying JWT Tokens
    • Requesting Custom Fields on your JWT Token
    • Older API
      • Using HTTP Requests
      • Getting the Tokens
        • During Authentication
          • During Email/Phone Verification
        • During enrolling Trusted Devices
  • 🔌API Reference
    • User API
      • User Object
    • OAuth Tokens API
      • Verify JWT Token using API (serverless)
      • Requesting Custom Claims on your Access Token
      • Older API
    • OAuth Tokens from Social Login
    • Event Object
    • Reset PIN API
  • Older API
    • Validating Cotter's Identity Token
    • Validating Cotter's Event Response
Powered by GitBook
On this page
  • Trusted Device Authentication
  • Getting and Removing tokens from the Storage
  • Renewing Expired Tokens
  1. 🗝️ Getting Access Token
  2. Older API
  3. Getting the Tokens

During Authentication

PreviousGetting the TokensNextDuring Email/Phone Verification

Last updated 5 years ago

When you are authenticating users using Trusted Devices, Biometric or Pin, Cotter allows you to optionally request OAuth Tokens to be returned in addition to the . The authentication_method specified will be either TRUSTED_DEVICE, BIOMETRIC or PIN.

Trusted Device Authentication

In the , you would follow this guide to When the user successfully authenticated, either from a Trusted Device or when the user approved a login from a Non-Trusted Device, you would receive a

To also receive OAuth Tokens, modify your code by adding getOAuthToken = true in the parameters:

// Requesting an authentication using Cotter
var cotter = new Cotter(
  <API_KEY_ID>,
  userID,
);
cotter.trustedDevice.requestAuth(
  'EVENT NAME',
  this.onRequestSuccess,
  this.onRequestError,
  {},                       // Add customization here, or leave as {}
  (getOAuthToken = true),   // 👈 Add this parameter
);

In the onRequestSuccess, you'll receive the following response:

{
  "CreatedAt": "2020-04-06T22:21:45.614843-07:00",
  "DeletedAt": null,
  "ID": 495,
  "UpdatedAt": "2020-04-06T22:21:45.614843-07:00",
  "approved": true,
  "client_user_id": "xyzABC123",
  "event": "LOGIN",
  "ip": "73.15.208.6",
  "issuer": "<your API KEY ID>",
  "location": "Orinda",
  "method": "TRUSTED_DEVICE",
  "new": false,
  "signature": "jiUHTm2zBcbkIYNbZ6...",
  "timestamp": "1586236905",
  
  "oauth_token": {  // 👈 NEW OAuth Tokens 
    "access_token": "eyJhbGciOiJFUzI1N...",
    "auth_method": "TRUSTED_DEVICE",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJFUzI1Ni...",
    "refresh_token": "96:ukrYGIisImyKXwKTR1tIuiR...",
    "token_type": "Bearer"
  }
}

Cotter's React Native SDK automatically store your tokens securely inside the device's secure storage.

We'll add support for JS, Android and iOS soon 😉. Stay tuned!

Tokens must be stored securely within your application.

Getting and Removing tokens from the Storage

You need to pass the access_token to your backend server on every API calls. You also need to remove the tokens from storage to log out your users. Check out how to do that here:

Renewing Expired Tokens

Access tokens and ID tokens expires in 1 hour. When they're expired, you need to use the refresh_token to get new tokens. Check out how to renew expired tokens:

Event token
React Native SDK
request authentication using Trusted Devices.
JSON Response about the event and a signature.
Storing and Removing Tokens
Renewing Expired Tokens