About LoginRadius Tokens
Overview
LoginRadius utilizes various tokens to enhance security, authentication, and user session management. These include short-lived tokens like the Request Token and Access Token (15-minute expiration) for authentication, Refresh Tokens for session renewal, and Social Platform Tokens with provider-specific expirations. Additional security tokens include the Verification Token and Password Token (24-hour validity) for account verification and recovery. The SOTT (Secured One-Time Token) ensures secure user registration, while Phone OTP and Authenticator OTP enable multi-factor authentication. LoginRadius also supports JWT (JSON Web Token), JWE (encrypted JWT), and GUID-based tokens for secure data transmission and identity management across applications.
LoginRadius Request Token (Expiration: 15 mins)
This token is returned by a successful login request for a social ID provider such as Facebook and is stored in the global REQUEST variable and returned to the callback page you defined. Generally, this token is retrieved from the REQUEST variable and is used to call the LoginRadius Access Token API to get the LoginRadius access token.
Note: If you are using our LoginRadius V2 API JavaScript Interface (LoginRadiusV2.js), this flow is handled automatically. Upon logging in, the user is automatically given a LoginRadius Access Token.
LoginRadius Access Token (Expiration: 15 mins)
This token is returned by a call to the LoginRadius Access Token API and is generated from your LoginRadius Request Token (see above). It is combined with your LoginRadius API key, forming a unique identifier that informs LoginRadius who the user is and which social platform they are currently associated with in order to retrieve the correct information. The LoginRadius access token is required for almost all LoginRadius Social API calls, and many of the Authentication API calls.
NOTE: If you would like to have your LoginRadius Access Token extended to longer than 90 days, please contact the LoginRadius Support Team.
As part of our SSO (Single Sign-On) workflows, the LoginRadius Access Token is also used by the SSO scripts to check whether a session is ongoing. You can read more about this in our Single Sign-On documentation.
Additional Information:
- The LoginRadius Access Token is referred to as "access_token" when it needs to be passed as a parameter in our API Documentation.
E.g. Auth Read all Profiles by Token
- When using LoginRadiusV2.js, a successful login stores the Access Token by default in the browser's localStorage and sessionStorage under the key LRTokenKey, and in a cookie named lr-session-token. Both Web Storage areas are readable by any script running on the page, so the token is only as safe from theft as the page is from cross-site scripting.
LoginRadius Refresh Token
In the LoginRadius Identity Platform, the Refresh Token is used to obtain a new Access Token. It is returned together with the Access Token at login (see the Auth Login API response below); whenever the Access Token expires or becomes invalid, the client presents the Refresh Token to LoginRadius and receives a new Access Token without asking the user to log in again.
In the Refresh Token section of the Admin Console you can set the lifetime to anything from 1 to 525600 minutes (365 days) to suit your business use case; if you need more than that, contact LoginRadius Support.
Note:
- The default expiration of this token is 60 days (86400 minutes).
- A Refresh Token is invalidated as soon as it has been used once to refresh the Access Token, or when it is revoked manually through the Revoke Refresh Token API.
To revoke a single Refresh Token manually, use the Revoke Refresh Token API. To revoke every Refresh Token assigned to a particular user, use the Revoke All Refresh Token API.
Social Platform Token (Expiration: Varies by Network)
The expiration time for the most popular social ID providers can be found here.
This token is generated by the social ID provider (e.g. Facebook, Twitter) associated with the user and is what that provider uses to identify the user. With it you can call that provider's own APIs. You can retrieve it by calling the LoginRadius User Profile API with the extended user profile data permission.
Verification Token
The Verification Token, also known as "vtoken", is used whenever a workflow requires a user to verify something by email. Each token belongs to one workflow, which is identified by its type, "vtype".
In a standard workflow, the user receives an email asking them to verify via a URL. That URL carries the Verification Token in a query parameter named "vtoken" and the workflow type in a second query parameter, "vtype".
If the LoginRadius JavaScript Interface is configured on the page that URL points to, it consumes the vtoken and verifies the user for the intended workflow. Otherwise, your page must consume the vtoken through one of our APIs.
To customize how the "vtoken" is displayed in an email please see our Email Template documentation here.
Please see below for the different types of Verification Tokens:
vtype | description | default expiration |
---|---|---|
emailverification | This token is used as part of a User Registration workflow to verify the user. It will be returned in the LoginRadius Email Verification template and can be consumed by the LoginRadius JS Interface to both verify and login the user. If the initial email is lost or the Token expires the email will be resent upon the user's next attempt to log in. | 4320 Minutes / 72 hours |
reset | This token is used as part of a Password Reset / Forgot Password workflow, it is returned in the LoginRadius Forgot Password template. It can be used by the LoginRadius JS Interface to identify whether the Reset Password interface should be displayed and is included in the Reset Password request to verify that the request is valid. The email can be re-sent by initiating the forgot password process. | 4320 Minutes / 72 hours |
deleteuser | This token is used as part of the Delete request workflow where a user requesting to delete their account needs to confirm by clicking the provided URL in the Delete Account Email template. If configured, it can be used by the LoginRadius JS Interface to complete deletion of an account. | 4320 Minutes / 72 hours |
autologin | This token is used as part of the Auto Login workflow, where the user is logged in by clicking a link provided in the Auto Login email template. | 4320 Minutes / 72 hours |
OneClickSignIn | This token is used as part of the One Click Sign In / Passwordless Login workflow, where the user is logged in by clicking a link provided in the One Click Sign In email template. | 4320 Minutes / 72 hours |
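When the LoginRadius JavaScript Interface is not loaded on the callback page, the page itself has to pull vtoken and vtype out of the link and route the token to the right workflow. The following is an added example, not LoginRadius code: it accepts only the vtype values from the table above and dispatches to a caller-supplied handler per workflow, so an unexpected vtype can never be silently treated as a different workflow. The handler functions, the callback URL https://example.com/verify and the token value abc123 are constructed for the demo; the real LoginRadius API call belongs inside each handler.

```javascript
const KNOWN_VTYPES = new Set(['emailverification', 'reset', 'deleteuser', 'autologin', 'OneClickSignIn']);

// Extract vtoken and vtype from a verification link. Both are required, and vtype must be one of the
// workflows listed in the table, compared exactly as LoginRadius writes them.
function parseVerificationLink(href) {
  const url = new URL(href);
  const vtoken = url.searchParams.get('vtoken');
  const vtype = url.searchParams.get('vtype');
  if (!vtoken || vtoken.trim() === '') throw new Error('verification link has no vtoken');
  if (!vtype || !KNOWN_VTYPES.has(vtype)) throw new Error(`unsupported vtype: ${vtype}`);
  return { vtoken, vtype };
}

// Dispatch to exactly one workflow handler. `handlers` maps vtype to the function that calls the
// corresponding LoginRadius API; a vtype with no handler is an error, never a fallback.
function consumeVerificationLink(href, handlers) {
  const { vtoken, vtype } = parseVerificationLink(href);
  const handler = handlers[vtype];
  if (typeof handler !== 'function') throw new Error(`no handler configured for vtype ${vtype}`);
  return handler(vtoken);
}

// Constructed demo: this callback page only implements the reset and emailverification workflows.
function demo() {
  const calls = [];
  const handlers = {
    reset: (vtoken) => { calls.push(['reset', vtoken]); return 'show reset-password form'; },
    emailverification: (vtoken) => { calls.push(['emailverification', vtoken]); return 'verify and log in'; },
  };
  const base = 'https://example.com/verify';   // constructed callback page URL
  const outcome = consumeVerificationLink(`${base}?vtype=reset&vtoken=abc123`, handlers);

  // Each of these must be rejected rather than routed somewhere unintended.
  const failures = {};
  for (const [name, href] of [
    ['missingToken', `${base}?vtype=reset`],
    ['unknownType', `${base}?vtype=admin&vtoken=abc123`],
    ['noHandler', `${base}?vtype=deleteuser&vtoken=abc123`],
  ]) {
    try { consumeVerificationLink(href, handlers); failures[name] = false; } catch { failures[name] = true; }
  }
  return { outcome, calls, failures };
}

console.log(demo());
```

In a browser, once the handler has consumed the token, remove it from the address bar (for example with history.replaceState) so the vtoken does not linger in browser history or leak through the Referer header of links the user clicks next.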
LoginRadius Password Token (Expiration: 24 hours)
SOTT (Secured One Time Token)
The SOTT is a token that identifies a browser session during registration and can be used as an alternative to reCAPTCHA to prevent registration abuse. You can read more about the SOTT in our SOTT documentation.
Phone OTP (One Time Password)
The Phone One Time Password is a password that is texted to a user to be used once for the purpose of Login. Once the token is consumed it expires and a new one will be required to Login next time.
Authenticator OTP (One Time Password)
The Authenticator OTP is used strictly in the context of Multi-Factor Authentication. The end user attempts to log in with a username and password and is then prompted for the OTP, which they obtain by opening the respective Authenticator app on their phone and typing the code into the browser to complete the login.
You can learn more about this flow in our Authenticator Workflow documentation.
LoginRadius JWT encrypted token (JWE)
Tokens were previously issued only in GUID format. LoginRadius now also issues them as encrypted JSON Web Tokens (JWE). A JSON Web Token is primarily used for authentication and authorization in web applications and APIs: it carries claims (data about the user) as a JSON object that can be transmitted securely between parties.
When a user logs in or otherwise authenticates, LoginRadius returns the encrypted token. The client then sends it with subsequent requests (often in the Authorization header) so the server can confirm the user's identity and access privileges. The sample access token below carries the protected header {"alg":"dir","enc":"A256GCM","typ":"at+jwt"}: the payload is encrypted and integrity-protected with AES-256-GCM under a key that only LoginRadius holds. Validity is therefore confirmed by decrypting the token with that key; any change to the header, ciphertext or tag makes decryption fail. Unlike a signed JWT (JWS), a JWE of this kind has no separate signature, and its payload cannot be read without the key.
Encrypted JWTs are stateless, secure and flexible. They are self-contained, so all the information needed to act on the token is inside it, which reduces database or server lookups. They are portable and easily transmitted across systems and platforms. And because the token is cryptographically integrity-protected, a tampered token is rejected rather than trusted.
Note: By default, the Admin Console does not have this feature enabled. Therefore, you must submit a support ticket to the LoginRadius Support team in order to enable this feature for your account.
GUID vs Encrypted JWT
Property | GUID Token | Encrypted JWT Token |
---|---|---|
Purpose | Opaque unique identifier | Authentication and authorization |
Structure | 32-character hexadecimal string, fixed length | Protected header, encrypted payload and authentication tag (a signed JWT has header, payload and signature); variable length |
Claims | No inherent meaning or specific data | Contains claims about the user |
Uniqueness and validity | Designed to be globally unique; validity established by looking the token up server-side | Validity established cryptographically from the token itself (authentication tag or signature) |
Generation | Produced by a GUID algorithm (inputs such as random bits, or MAC address and timestamp, depending on the version) | Created by encoding a header and payload and then encrypting (JWE) or signing (JWS) them with a key held by LoginRadius |
Encrypted JWTs have become a popular alternative to session-based or opaque tokens. Session tokens, Access tokens, Refresh tokens and Feature tokens are now all supported in JWT format. Because the token is self-contained, LoginRadius does not need server-side storage to validate it, which reduces storage requirements and improves performance, and its cryptographic integrity protection means tampering is detected. Secure implementation is still essential: proper key management, token expiration policies, and protection against token theft or misuse, since the token is a bearer credential and whoever holds it can use it until it expires or is revoked.
Note: Remove any token validation rules you applied to the GUID format (for example, fixed-length or hexadecimal-only checks, or a fixed-width database column). The encrypted JWT has a variable length and a different character set, so such rules will reject valid tokens. Because the payload is encrypted, clients cannot inspect or validate the token locally; use the Validate Access Token API to check it.
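The following added example (written for this page, not LoginRadius code) shows the legacy GUID-only shape rule rejecting an encrypted token, and the replacement rule that accepts every format LoginRadius may issue while leaving real validation to the Validate Access Token API. It identifies a token's shape from structure alone: a GUID, a compact JWS (3 dot-separated segments) or a compact JWE (5 segments), and for the JOSE formats decodes the protected header, which is the only part a client can read. The sample GUID is constructed; the sample JWE reuses the protected header segment of the page's sample access token with short placeholder segments after it.

```javascript
const GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function decodeJoseHeader(segment) {
  const json = Buffer.from(segment.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
  return JSON.parse(json);
}

// Classify by structure: GUID; compact JWS (header.payload.signature); compact JWE
// (header.encryptedKey.iv.ciphertext.tag). A JWE payload is opaque to anyone without the key.
function classifyToken(token) {
  if (typeof token !== 'string' || token.length === 0) return { format: 'invalid' };
  if (GUID_RE.test(token)) return { format: 'guid', opaque: true };
  const parts = token.split('.');
  if (parts.length !== 3 && parts.length !== 5) return { format: 'invalid' };
  let header;
  try { header = decodeJoseHeader(parts[0]); } catch { return { format: 'invalid' }; }
  if (typeof header.alg !== 'string') return { format: 'invalid' };
  return parts.length === 5
    ? { format: 'jwe', header, opaque: true }
    : { format: 'jws', header, opaque: false };
}

// The legacy rule many integrations carried: GUID only. It rejects every encrypted JWT.
function legacyShapeRule(token) { return GUID_RE.test(token); }

// Replacement: accept any shape LoginRadius may issue and claim nothing about validity.
// Validity still comes from the Validate Access Token API, because the client cannot open a JWE.
function currentShapeRule(token) { return classifyToken(token).format !== 'invalid'; }

// Constructed samples. The JWE header segment is the one from the page's sample access token;
// the remaining segments are placeholders so the line stays readable.
const SAMPLE_GUID = '3f2504e0-4f89-41d3-9a0c-0305e82c3301';
const SAMPLE_JWE = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiYXQrand0In0..Q1ZRX1NfQXU.Y2lwaGVydGV4dA.dGFn';

function demo() {
  return {
    guid: classifyToken(SAMPLE_GUID),
    jwe: classifyToken(SAMPLE_JWE),
    legacyAcceptsJwe: legacyShapeRule(SAMPLE_JWE),     // false: the old rule breaks on the new tokens
    currentAcceptsJwe: currentShapeRule(SAMPLE_JWE),   // true
    currentAcceptsGuid: currentShapeRule(SAMPLE_GUID), // true
    garbage: classifyToken('not.a.token'),             // first segment is not base64url JSON
  };
}

console.log(demo());
```

A shape check like this is only a cheap early rejection of obviously malformed input; it must never be treated as authentication, and the same applies to reading the header, which is unauthenticated until the token has been validated server-side.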
Auth Login API by Email
{
"Profile": {},
"access_token": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiYXQrand0In0..CVQ_S_Au0ZCi7TUp.5Cp-P0eDWbhoPURA_fwJFOzv8CHqFIGRExR13VxsMBIfEe-eZ1pTBrkWloaKRN3R3DGdNyq6F1qGF3BS-YRkG6_NgmmwA3HxlYMXr1IiZQv1bzm8VYPPwq-Z5uRs8tTAq4C5y2EVgehy9As_OkFsnJnfxQ-asevrmcKu45_hN4Y0Ji-Z1bq5r4Gso9CzeyBedEuXvueri9GOalG1N14uWawLPa0S2v-zE9vzelSDqkYflC58HA79pWqpl36NLEzo6HWfDaqiZucQD1tvLp2KoAVqi30JMAbsNWYo1xBQuinpFKOhsI7RRGTUHxllgHXEbIfw5b8uDZf4PDFAovFGU0d9uVKWa0c91xWYpAhLlFenEciixIIG6nbT319M00jR05QF7Bl5wC1weirZ0EBJkEkgfVyim0NiFjvZ7bOOoxgc830Os_0DHY5vt3rtchq-dcPjnLQEAXdkZO1yVUSVLhfGJrV5j7EEM2QI3jjZEdxSEjn9Sgd-RD6clK_rjQvZXX9juMdK7xd_9XsGl9Hpou6u92xs2g.hN6Ek5nut6o_HWtGBDfqiQ",
"refresh_token": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiand0In0..Gpb3XwXEweh9n56v.X-vOxIMzgB451Qa4PH1dLH0ZQ3e6og4NQGuq1QgCvBG_1y1alsmIRzZkd33kfegSxGPeEzh16Hu7hir0e5CRc6PlQgHzwwe6TyUfgylvWT8G0EWztJouZQ4d6I_w6CjMgHfFiJ64_uaqnF8UqT7GKLF4E4DmwxVEtuitfx0jLP53PErD3nKdc0EvYf3MRzipF44GJtO9G9f930ymNa9Fnh-56hf1cvusSqJSKCSqalQ7u9ATYBrUkmpnyUAD_YHY6rIihIl5UF1qyWlZyrNRjJ3YacvEoJw2ELiY8giKC6Z_6IkCH3jAaSyfEgxJJmqpduxdj9DWVJl8vdf1B9QcRU4UWL7jaLmkjJImGnVJrJ8T-bnJ9BxG8ZmoBeXv_X-zYEvTFdxCmYljYK0oYPUcJJhMsRu1n81x0Lvv7_PiUvD1zw19xDdyGG4DYzUBkdaPhYnWiU1gC5TgshGQerONVGtlQ3TgvH0olBMx6sILTyoY-F-xDU1ZKnNQvVvWsPb77t-BkDjJH22y2F0DkUz04H--2Ay4oO0Yd3EdXAGFcQkRtCNovtaGRwVaPHMah1YoArzgIpc282Mz9F_i1mNgNuMq2-5c6ThsTrfY9_P19plG1_QGcIax-z-b4vvT7CrlmMpqQnRIVZlHI8VNVyFkiTU._et-yqIwaaoo6qgWznRPZA",
"expires_in": "2023-06-23T12:04:00.906Z"
}
Auth Validate Access Token
{
"access_token": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiYXQrand0In0..CVQ_S_Au0ZCi7TUp.5Cp-P0eDWbhoPURA_fwJFOzv8CHqFIGRExR13VxsMBIfEe-eZ1pTBrkWloaKRN3R3DGdNyq6F1qGF3BS-YRkG6_NgmmwA3HxlYMXr1IiZQv1bzm8VYPPwq-Z5uRs8tTAq4C5y2EVgehy9As_OkFsnJnfxQ-asevrmcKu45_hN4Y0Ji-Z1bq5r4Gso9CzeyBedEuXvueri9GOalG1N14uWawLPa0S2v-zE9vzelSDqkYflC58HA79pWqpl36NLEzo6HWfDaqiZucQD1tvLp2KoAVqi30JMAbsNWYo1xBQuinpFKOhsI7RRGTUHxllgHXEbIfw5b8uDZf4PDFAovFGU0d9uVKWa0c91xWYpAhLlFenEciixIIG6nbT319M00jR05QF7Bl5wC1weirZ0EBJkEkgfVyim0NiFjvZ7bOOoxgc830Os_0DHY5vt3rtchq-dcPjnLQEAXdkZO1yVUSVLhfGJrV5j7EEM2QI3jjZEdxSEjn9Sgd-RD6clK_rjQvZXX9juMdK7xd_9XsGl9Hpou6u92xs2g.hN6Ek5nut6o_HWtGBDfqiQ",
"refresh_token": "eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIiwidHlwIjoiand0In0..Gpb3XwXEweh9n56v.X-vOxIMzgB451Qa4PH1dLH0ZQ3e6og4NQGuq1QgCvBG_1y1alsmIRzZkd33kfegSxGPeEzh16Hu7hir0e5CRc6PlQgHzwwe6TyUfgylvWT8G0EWztJouZQ4d6I_w6CjMgHfFiJ64_uaqnF8UqT7GKLF4E4DmwxVEtuitfx0jLP53PErD3nKdc0EvYf3MRzipF44GJtO9G9f930ymNa9Fnh-56hf1cvusSqJSKCSqalQ7u9ATYBrUkmpnyUAD_YHY6rIihIl5UF1qyWlZyrNRjJ3YacvEoJw2ELiY8giKC6Z_6IkCH3jAaSyfEgxJJmqpduxdj9DWVJl8vdf1B9QcRU4UWL7jaLmkjJImGnVJrJ8T-bnJ9BxG8ZmoBeXv_X-zYEvTFdxCmYljYK0oYPUcJJhMsRu1n81x0Lvv7_PiUvD1zw19xDdyGG4DYzUBkdaPhYnWiU1gC5TgshGQerONVGtlQ3TgvH0olBMx6sILTyoY-F-xDU1ZKnNQvVvWsPb77t-BkDjJH22y2F0DkUz04H--2Ay4oO0Yd3EdXAGFcQkRtCNovtaGRwVaPHMah1YoArzgIpc282Mz9F_i1mNgNuMq2-5c6ThsTrfY9_P19plG1_QGcIax-z-b4vvT7CrlmMpqQnRIVZlHI8VNVyFkiTU._et-yqIwaaoo6qgWznRPZA",
"expires_in": "2023-06-23T12:04:00.000Z"
}
JWT (JSON Web Token)
JWT is also a popular method for establishing SSO (Single Sign-On) connections between business apps, and LoginRadius supports the handling of JSON Web Tokens. See our documentation on JWT for more details here.
Note: The default JWT expiration time is 10 minutes. If you need your JWT to live longer than 10 minutes, please contact the LoginRadius Support Team.