During Authentication

When you are authenticating users using Trusted Devices, Biometric or Pin, Cotter allows you to optionally request OAuth Tokens to be returned in addition to the Event token. The authentication_method specified will be either TRUSTED_DEVICE, BIOMETRIC or PIN.

Trusted Device Authentication

In the React Native SDK, you would follow this guide to request authentication using Trusted Devices. When the user successfully authenticated, either from a Trusted Device or when the user approved a login from a Non-Trusted Device, you would receive a JSON Response about the event and a signature.

To also receive OAuth Tokens, modify your code by adding getOAuthToken = true in the parameters:

// Requesting an authentication using Cotter
var cotter = new Cotter(
  <API_KEY_ID>,
  userID,
);
cotter.trustedDevice.requestAuth(
  'EVENT NAME',
  this.onRequestSuccess,
  this.onRequestError,
  {},                       // Add customization here, or leave as {}
  (getOAuthToken = true),   // 👈 Add this parameter
);

In the onRequestSuccess, you'll receive the following response:

{
  "CreatedAt": "2020-04-06T22:21:45.614843-07:00",
  "DeletedAt": null,
  "ID": 495,
  "UpdatedAt": "2020-04-06T22:21:45.614843-07:00",
  "approved": true,
  "client_user_id": "xyzABC123",
  "event": "LOGIN",
  "ip": "73.15.208.6",
  "issuer": "<your API KEY ID>",
  "location": "Orinda",
  "method": "TRUSTED_DEVICE",
  "new": false,
  "signature": "jiUHTm2zBcbkIYNbZ6...",
  "timestamp": "1586236905",
  
  "oauth_token": {  // 👈 NEW OAuth Tokens 
    "access_token": "eyJhbGciOiJFUzI1N...",
    "auth_method": "TRUSTED_DEVICE",
    "expires_in": 3600,
    "id_token": "eyJhbGciOiJFUzI1Ni...",
    "refresh_token": "96:ukrYGIisImyKXwKTR1tIuiR...",
    "token_type": "Bearer"
  }
}

Cotter's React Native SDK automatically store your tokens securely inside the device's secure storage.

Tokens must be stored securely within your application.

Getting and Removing tokens from the Storage

You need to pass the access_token to your backend server on every API calls. You also need to remove the tokens from storage to log out your users. Check out how to do that here:

Renewing Expired Tokens

Access tokens and ID tokens expires in 1 hour. When they're expired, you need to use the refresh_token to get new tokens. Check out how to renew expired tokens:

PreviousGetting the TokensNextDuring Email/Phone Verification

Last updated