Cotter
  • πŸš€Getting Started
  • Features & Concepts
    • πŸ’¬Sign In with Email/Phone Number
    • πŸ”Sign In with Device
      • How it works
    • 🧬Sign In with WebAuthn
  • πŸ“ŒQuickstart Guides
    • All Guides & Tutorials
    • HTML – Sign in with Email/Phone
    • React – Sign in with Email/Phone
    • React – WebAuthn
    • β–² Next.js
    • Angular
    • Webflow
    • Bubble.io
    • Python SDK for a CLI
    • React Native – Sign in with Device
    • iOS – Sign in with Device
    • Flutter – Sign in with Device
  • πŸ“˜SDK Reference
    • Web
      • Sign In with Email/Phone Number
        • Customize the Form
        • Checking the email or phone before sending a verification code
        • Sending Code or Link via WhatsApp
        • Styling
        • Older SDK
          • Customize the Form
      • Sign in with Social Login
        • Getting Access Tokens from Social Login Providers
        • Github Instructions
        • Google Instructions
      • Sign In with WebAuthn
        • Register WebAuthn for a logged-in user
      • Sign In with Device
        • Steps for Pop Up Authentication Prompt
        • Advanced Customization for Login Form
        • Advanced Customization for Pop Up Authentication Prompt
      • Getting Access Token and Logged-In User Info
      • Sending Successful Form Submission
      • FAQ & Troubleshooting
    • React Native
      • Installation
      • Sign In with Device
        • Add Email/Phone Verification
        • Authenticate from a Non-Trusted Device
        • Add a new Trusted Device
        • Remove Trusted Device
      • Sign In with Email/Phone Number
      • Getting Stored OAuth Tokens and User Information
      • FAQ
      • Older SDK Versions
        • Sign in with Email/Phone
        • Sending Code via WhatsApp
        • Sign In with Device
          • Authenticate from a Non-Trusted Device
          • Add a new Trusted Device
          • Customization
    • Flutter
      • Sign In with Device
        • Add Email/Phone Verification
        • Authenticate from a Non-Trusted Device
      • Sign in with Email/Phone Number
      • Getting the Logged-in User
      • Getting OAuth Tokens
      • Signing a User Out
    • iOS
      • Sign In with Email/Phone Number
      • Sign In with Device
        • Authenticate from a Non-Trusted Device
        • Push Notification
        • Check if Trusted Device is Enrolled
        • Add a New Trusted Device
        • Remove Trusted Device
      • Older Versions
        • Biometric/Pin
    • Android
      • Sign In with Device
        • Authenticate from a Non-Trusted Device
        • Check if Trusted Device is Enrolled
        • Add a new Trusted Device
        • Remove Trusted Device
        • Customization
      • Sign In with Email/Phone Number
      • Biometric/Pin
        • Advanced Methods
        • Customization
        • Setting Strings
        • Styling
      • Older SDK Version
        • Sign In with Device
          • Authenticate from a Non-Trusted Device
    • Python (for CLI)
    • API for Other Mobile Apps or CLI
      • Verify Email/Phone Number
        • Handling URL Scheme
    • Backend: Handling Response
  • πŸ›‘οΈ Protecting Your Account
    • Only Allow Your Website/App to Use Your API Key
    • Rate Limit
    • Enable reCAPTCHA to Protect Against Automated Abuse
  • πŸ—οΈ Getting Access Token
    • Cotter's OAuth 2.0 Tokens Specification
    • Getting the Tokens
      • Get Tokens during Authentication
      • Using the Refresh Token
    • Storing and Removing Tokens
    • Renewing Expired Tokens
    • Verifying JWT Tokens
    • Requesting Custom Fields on your JWT Token
    • Older API
      • Using HTTP Requests
      • Getting the Tokens
        • During Authentication
          • During Email/Phone Verification
        • During enrolling Trusted Devices
  • πŸ”ŒAPI Reference
    • User API
      • User Object
    • OAuth Tokens API
      • Verify JWT Token using API (serverless)
      • Requesting Custom Claims on your Access Token
      • Older API
    • OAuth Tokens from Social Login
    • Event Object
    • Reset PIN API
  • Older API
    • Validating Cotter's Identity Token
    • Validating Cotter's Event Response
Powered by GitBook
On this page
  • Handling Authentication
  • Client Libraries
  • Cotter's Access Token
  • How to use the Access Token to allow API calls
  • Cotter's ID Token
  • Cotter's Refresh Token
  • πŸ₯³ Getting Started
  • 1. Getting The Tokens using the SDK
  • 2. Storing & Removing the Token
  • 3. Renewing Expired Tokens
  • 4. Verifying the Tokens
  • 5. Adding Custom Claims to your JWT Token
  • πŸŽ‰ You're done!
  1. πŸ—οΈ Getting Access Token

Cotter's OAuth 2.0 Tokens Specification

Allowing Cotter handling your full authentication is the fastest way to get your whole authentication suite setup. Cotter can generate an access token, id token, and refresh tokens for you.

PreviousEnable reCAPTCHA to Protect Against Automated AbuseNextGetting the Tokens

Last updated 3 years ago

Handling Authentication

After successful authentication, Cotter returns ID, access, and refresh tokens as defined by the OpenID Connect (OIDC) open standard:

  • The contains information about the authenticated user such as email , phone number , client_user_id (the user's id in your server), and auth_time (last authenticated time).

  • The contains scopes and the authentication method used to authenticate the user: OTP, TRUSTED DEVICE , PIN or BIOMETRIC .

  • The contains the information necessary to obtain a new ID and access token.

πŸ”’It is important to secure all tokens in transit and storage.

Client Libraries

Currently, we have the following libraries available to handle Cotter's OAuth Tokens:

  • Cotter Token JS for Decoding JWT Tokens:

  • Cotter Node for validating JWT Tokens in your server:

Cotter's Access Token

Cotter's Access token is a that is used to tell your backend API that the user has been authorized to call the API and perform some action (defined in the scopes attribute of the token).

Access tokens expires every 1 hour. .

Token example:

eyJhbGciOiJFUzI1NiIsImtpZCI6IlNQQUNFX0pXVF9QVU...
{      
  "sub": "09efb1b-e50f-41fd-8530-88ffbcd80f59",                  // [Deprecated] Cotter's User id
  "client_user_id": "09efb1b-e50f-41fd-8530-88ffbcd80f59",       // deprecated
  "authentication_method": "TRUSTED_DEVICE",                     // How the user is authenticated
  "type": "access_token", 
  "identifier": "putri@cotter.app",                   // User's email or phone number
  "scope": "access",                                  // Scope of this access token (coming soon)
  "aud": "<your API KEY ID>",                         // Your API_KEY_ID
  "exp": 1586231136,                                  // Expires at
  "iat": 1586227536,                                  // Issued at
  "jti": "47fba8ba-abcd-efgh-a22c-a2b8b72e8b98",
  "iss": "https://www.cotter.app"            
}

How to use the Access Token to allow API calls

1. On every API call to your server, attach the access token as a header

Authorization: Bearer <access token>

2. In your server, using a middleware, check if the access token is valid

3. If the access token is valid, allow the API call to proceed.

Cotter's ID Token

{
  "sub": "43e53999-c31e-4ed9-a196-71031a05f297",              // [Deprecated] Cotter User ID
  "client_user_id": "43e53999-c31e-4ed9-a196-71031a05f297",   // Deprecated
  "auth_time": "1591756112",                                  // Last authenticated time (Unix timestamp)
  "identifier": "putri@cotter.app",
  "type": "id_token",
  "aud": "<your API KEY ID>",       // your API KEY ID
  "exp": 1586232181,                // Expires at
  "iat": 1586228581,                // Issued at
  "jti": "886773db-abcd-efgh-aefc-6ab481b24099",
  "iss": "https://www.cotter.app"
}

You should not trust this information after it's expired

Cotter's Refresh Token

14:Pmw3r3rgaw0rLupUDU4hjwJFisv8EaHRaoy5gw54ZmSebaWHDh

πŸ₯³ Getting Started

1. Getting The Tokens using the SDK

Easily get tokens using the SDK by adding a simple paramater, ex. getOAuthToken = true

2. Storing & Removing the Token

The SDK generally automatically store tokens securely for you, and provides a function to easily remove the tokens to logout your users.

3. Renewing Expired Tokens

The SDK generally automatically renews expired access_token and id_token whenever a valid refresh_token exists.

4. Verifying the Tokens

You need to verify the JWT tokens in your backend server. Fortunately, there are a lot of good libraries that do this.

5. Adding Custom Claims to your JWT Token

If you have additional metadata from your backend server that you'd like to add to the JWT token (for example, the user's role or name, you can call Cotter's API to add the claims to Cotter's JWT token

πŸŽ‰ You're done!

Cotter's ID token is a that is used to provide information about the user. ID tokens expires every 1 hour. .

Cotter's Refresh Token is an opaque token (i.e. a random string) that is used to generate a new access token and id token when they're expired. Refresh tokens expires every 30 days. You need to re-authenticate the user to get a new refresh token. .

ID Token
Access Token
Refresh Token
cotter-token-js
cotter-node
JSON Web Tokens (JWTs)
Check the guide on renewing access and id tokens
Verifying JWT Tokens
JSON Web Tokens (JWTs)
Check the guide on renewing access and id tokens
Check the guide on renewing access and id tokens
Getting the Tokens
Storing and Removing Tokens
Renewing Expired Tokens
Verifying JWT Tokens
Requesting Custom Claims on your Access Token