Authenticate JWT - Stytch Docs

Given a Session , this method authenticates a Session and updates its lifetime by the specified session_duration_minutes. If session_duration_minutes is not specified, the Session will not be extended.

This method is only available when using our backend SDKs.If you are looking for client side JWT authentication, please use the frontend SDKs’ Authenticate Session endpoint instead.

If you provide a JWT that needs to be refreshed and is expired according to its exp claim, a new JWT will be returned if both the signature and the underlying Session are still valid. See our JWT guides for more information. If the JWT is older than max_token_age_seconds or if the JWT is expired, this method will communicate with the Stytch API to authenticate the session. Otherwise, the JWT will be validated locally.

Local JWT validation

If you do not provide a max_token_age_seconds parameter, then the authenticateJwt method will only communicate with the Stytch API if the JWT is expired (Stytch JWTs have an exp of five minutes). Specifying a max_token_age_seconds parameter of less than five minutes is one way to reduce security risks inherent to local JWT validation by forcing communication with the Stytch API more frequently. We recommend relying primarily on this method over the authenticateSession method, as it handles the local JWT validation vs. remote session authentication logic for you, improving latency when the JWT is less than max_token_age_seconds old and authenticating the underlying session with Stytch when necessary.

Authorization

If an authorization_check is passed in, this method will also check if the is authorized to perform the given action on the given Resource in the specified . A Member is authorized if:

their Member Session contains a Role, assigned explicitly or implicitly, with adequate permissions.
the organization_id passed in the authorization check matches Member Session’s Organization.

If either of these conditions are not met, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.

Request Parameters

session_jwt

string

required

The Session JWT to authenticate.

authorization_check

object

If included, this method will also check if the Member is authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if their Member Session contains a Role, assigned explicitly or implicitly, with adequate permissions. In addition, the organization_id passed in the authorization check must match the Member’s Organization.

Show properties

organization_id

string

required

The Organization ID in which to check the Member’s authorization.

resource

string

required

The unique identifier of the RBAC Resource.

action

string

required

The action to take on the specified Resource.

max_token_age_seconds

number

If set, remote verification will be forced if the JWT was issued more than that many seconds ago (based on the iat claim).

Response

member_session

string

required

The Session object associated with the authenticated JWT.

Show properties

member_session_id

string

Globally unique UUID that identifies a specific member session.

member_id

string

The ID of the Member that the Member Session belongs to.

organization_id

string

The ID of the Organization that the Member Session belongs to.

started_at

string

The timestamp of the session’s creation. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

last_accessed_at

string

The timestamp of the last time the session was accessed. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

expires_at

string

The timestamp of the session’s expiration. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

authentication_factors

array

All the authentication factors that have been associated with the current member session.

Show properties

delivery_method

string

The delivery method of the authentication factor. Possible values are:

email
sms
whatsapp
oauth_google
oauth_microsoft
oauth_hubspot
oauth_slack
oauth_github

type

string

The type of authentication factor.

last_authenticated_at

string

The timestamp of the last time the authentication factor was authenticated. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

created_at

string

The timestamp of the creation of the authentication factor. Values conform to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z.

sequence_order

string

The sequence order of the authentication factor. Value will be PRIMARY or SECONDARY.

email_factor

object

If delivery_method is email, this will be the email factor, else null.

Show properties

email_id

string

The ID of the email factor.

email_address

string

The email address of the email factor.

phone_number_factor

object

If delivery_method is sms or whatsapp, this will be the phone number factor, else null.

Show properties

phone_id

string

The ID of the phone number factor.

phone_number

string

The phone number of the phone number factor.

google_oauth_factor

object

If delivery_method is oauth_google, this will be the Google OAuth factor, else null.

Show properties

string

The ID of the Google OAuth factor.

email_id

string

The ID of the email factor.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

microsoft_oauth_factor

object

If delivery_method is oauth_microsoft, this will be the Microsoft OAuth factor, else null.

Show properties

string

The ID of the Microsoft OAuth factor.

email_id

string

The ID of the email factor.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

hubspot_oauth_factor

object

If delivery_method is oauth_hubspot, this will be the Hubspot OAuth factor, else null.

Show properties

string

The ID of the Hubspot OAuth factor.

email_id

string

The ID of the email factor.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

slack_oauth_factor

object

If delivery_method is oauth_slack, this will be the Slack OAuth factor, else null.

Show properties

string

The ID of the Slack OAuth factor.

email_id

string

The ID of the email factor.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

github_oauth_factor

object

If delivery_method is oauth_github, this will be the GitHub OAuth factor, else null.

Show properties

string

The ID of the GitHub OAuth factor.

email_id

string

The ID of the email factor.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

custom_claims

object | null

A map of the custom claims associated with the session. After claims have been added to a session, call stytch.session.authenticate to refresh the session state clientside. See our Using Sessions Custom Claims guide for more information. If no claims are set, this field will be null.

roles

string[]

The roles that have been assigned to the current member session.

organization_slug

string

The slug of the Organization that the Member Session belongs to.

session_jwt

string

required

A new JWT for the authenticated Session.

session_token

string

An opaque Session token for the authenticated Session.Will only be returned when remote JWT authentication occurs.

member

object

The Member object associated with the authenticated Session.Will only be returned when remote JWT authentication occurs.

Show properties

organization_id

string

Globally unique UUID that identifies a specific Organization.

member_id

string

Globally unique UUID that identifies a specific Member.

external_id

string

The ID of the Member given by the identity provider.

email_address

string

The email address of the Member.

email_address_verified

boolean

Whether or not the Member’s email address is verified.

status

string

The status of the Member. The possible values are: pending, invited, active, or deleted.

name

string

The name of the Member.

sso_registration

object[]

An array of registered SAML Connection or OIDC Connection objects the Member has authenticated with.

Show sso_registration properties

connection_id

string

Globally unique UUID that identifies a specific SSO connection_id for a Member.

registration_id

string

The unique ID of an SSO Registration.

external_id

string

The ID of the Member given by the identity provider.

sso_attributes

object

An object for storing SSO attributes brought over from the identity provider.

scim_registration

object

Sets whether the Member is enrolled in MFA.

Show sso_registration properties

connection_id

string

The id of the SCIM Connection.

registration_id

string

The unique ID of a SCIM Registration.

external_id

string

The ID of the Member given by the identity provider.

sso_attributes

object

An object for storing SCIM attributes brought over from the identity provider.

is_breakglass

boolean

Identifies the Member as a break glass user - someone who has permissions to authenticate into an Organization by bypassing the Organization’s settings.A break glass account is typically used for emergency purposes to gain access outside of normal authentication procedures. Refer to the Organization object and its auth_methods and allowed_auth_methods fields for more details.

member_password_id

string

Globally unique UUID that identifies a Member’s password.

oauth_registrations

object[]

A list of OAuth registrations for this Member.

Show oauth_registrations properties

provider_type

string

Denotes the OAuth identity provider that the user has authenticated with, e.g. Google, Microsoft, GitHub etc.

provider_subject

string

The unique identifier for the User within a given OAuth provider. Also commonly called the sub or “Subject field” in OAuth protocols.

profile_picture_url

string

If available, the profile_picture_url is a URL of the User’s profile picture set in the OAuth identity provider that the User has authenticated with, e.g. Google profile picture.

locale

string

If available, the locale is the Member’s locale set in the OAuth identity provider that the user has authenticated with.

member_oauth_registration_id

string

The unique ID of an OAuth registration.

mfa_enrolled

boolean

Sets whether the Member is enrolled in MFA.If true, the Member must complete an MFA step whenever they wish to log in to their Organization.If false, the Member only needs to complete an MFA step if the Organization’s MFA policy is set to REQUIRED_FOR_ALL.

mfa_phone_number

string

The Member’s phone number. A Member may only have one phone number.The phone number should be in E.164 format (i.e. +1XXXXXXXXXX).

mfa_phone_number_verified

boolean

Whether or not the Member’s phone number is verified.

retired_email_addresses

object[]

A list of retired email addresses for this Member. A previously active email address can be marked as retired in one of two ways:

It’s replaced with a new primary email address during an explicit Member update.
A new email address is surfaced by an OAuth, SAML or OIDC provider. In this case the new email address becomes the Member’s primary email address and the old primary email address is retired. A retired email address cannot be used by other Members in the same Organization. However, unlinking retired email addresses allows them to be subsequently re-used by other Organization Members. Retired email addresses can be unlinked using the Unlink Retired Email endpoint.

Show properties

email_id

string

The globally unique UUID of a Member’s email.

email_address

string

The email address of the Member.

trusted_metadata

object

An arbitrary JSON object for storing application-specific data or identity-provider-specific data.

untrusted_metadata

object

An arbitrary JSON object of application-specific data. These fields can be edited directly by the frontend SDK, and should not be used to store critical information. See the Metadata resource for complete field behavior details.

roles

object[]

Explicit or implicit Roles assigned to this Member, along with details about the role assignment source. See the RBAC guide for more information about role assignment.

Show roles properties

role_id

string

The unique identifier of the RBAC Role, provided by the developer and intended to be human-readable.Reserved role_ids that are predefined by Stytch include:

stytch_member
stytch_admin

Check out the guide on Stytch default Roles for a more detailed explanation.

sources

object[]

A list of sources for this role assignment. A role assignment can come from multiple sources - for example, the Role could be both explicitly assigned and implicitly granted from the Member’s email domain.

Show sources properties

type

string

The type of role assignment. The possible values are:

direct_assignment – an explicitly assigned Role. Directly assigned roles can be updated by passing in the roles argument to the Update Member endpoint.
email_assignment – an implicit Role granted by the Member’s email domain, regardless of their login method. Email implicit role assignments can be updated by passing in the rbac_email_implicit_role_assignments argument to the Update Organization endpoint.
sso_connection – an implicit Role granted by the Member’s SSO connection. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the Role if their session contains an authentication factor with the specified SAML connection. SAML connection implicit role assignments can be updated by passing in the saml_connection_implicit_role_assignments argument to the Update SAML connection endpoint.
sso_connection_group – an implicit Role granted by the Member’s SSO connection and group. This is currently only available for SAML connections and not for OIDC. If the Member has a SAML Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. However, for authorization check purposes (in sessions authenticate or in any endpoint that enforces RBAC with session headers), the Member will only be granted the role if their session contains an authentication factor with the specified SAML connection.
scim_connection_group – an implicit Role granted by the Member’s SCIM connection and group. If the Member has a SCIM Member registration with the given connection, and belongs to a specific group within the IdP, this role assignment will appear in the list. SCIM group implicit role assignments can be updated by passing in the scim_group_implicit_role_assignments argument to the Update SCIM connection endpoint.

details

object

An object containing additional metadata about the source assignment. The fields will vary depending on the role assignment type as follows:

direct_assignment – no additional details.
email_assignment – will contain the email domain that granted the assignment.
sso_connection – will contain the connection_id of the SAML connection that granted the assignment.
sso_connection_group – will contain the connection_id of the SAML connection and the name of the group that granted the assignment.
scim_connection_group – will contain the connection_id of the SAML connection and the group_id that granted the assignment.

is_admin

boolean

Whether or not the Member has the stytch_admin Role. This Role is automatically granted to Members who create an Organization through the discovery flow. See the RBAC guide for more details on this Role.

created_at

string

The date and time the Member was created.

updated_at

string

The date and time the Member was last updated.

organization

object

The Organization object associated with the authenticated Session.Will only be returned when remote JWT authentication occurs.

Show properties

organization_id

string

Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.

organization_name

string

The name of the Organization. Must be between 1 and 128 characters in length.

organization_logo_url

string

The image URL of the Organization logo.

organization_slug

string

The unique URL slug of the Organization.The slug only accepts alphanumeric characters and the following reserved characters: - . _ ~. Must be between 2 and 128 characters in length.Wherever an organization_id is expected in a path or request parameter, you may also use the organization_slug as a convenience.

sso_active_connections

array[objects]

An array of active SAML Connection references or OIDC Connection references.

Show sso_active_connections properties

connection_id

string

Globally unique UUID that identifies a specific SSO connection_id for a Member.

display_name

string

A human-readable display name for the connection.

email_allowed_domains

array[strings]

An array of email domains that allow invites or JIT provisioning for new Members. This list is enforced when either email_invites or email_jit_provisioning is set to RESTRICTEDCommon domains such as gmail.com are not allowed. See the full list of disallowed common email domains.

email_jit_provisioning

string

The authentication setting that controls how a new Member can be provisioned by authenticating via Email Magic Link or OAuth. The accepted values are:

RESTRICTED – only new Members with verified emails that comply with email_allowed_domains can be provisioned upon authentication via Email Magic Link or OAuth
NOT_ALLOWED – the default setting, disables JIT provisioning via Email Magic Link and OAuth

auth_methods

string

The setting that controls which authentication methods can be used by Members of an Organization. The accepted values are:

ALL_ALLOWED – the default setting which allows all authentication methods to be used
RESTRICTED – only methods that comply with allowed_auth_methods can be used for authentication. This setting does not apply to Members with is_breakglass set to true

allowed_auth_methods

array[strings]

An array of allowed authentication methods. This list is enforced when auth_methods is set to RESTRICTED. The list’s accepted values are: sso, magic_link, email_otp, password, google_oauth, microsoft_oauth, slack_oauth, github_oauth, and hubspot_oauth.

sso_default_connection_id

string

The default connection used for SSO when there are multiple active connections.

oauth_tenant_jit_provisioning

string

The authentication setting that controls how a new Member can JIT provision into an Organization by tenant. The accepted values are:

RESTRICTED – only new Members with tenants in allowed_oauth_tenants can JIT provision via tenant
NOT_ALLOWED – the default setting, disables JIT provisioning by OAuth Tenant

allowed_oauth_tenants

object

A map of allowed OAuth tenants. If this field is not passed in, the Organization will not allow JIT provisioning by OAuth Tenant. Allowed keys are “slack”, “hubspot”, and “github”.

verdict

object

If an authorization_check is provided in the request and the check succeeds, this field will return information about why the Member was granted permission.

Show properties

verdict.authorized

boolean

required

Whether the Member was authorized to perform the specified action on the specified Resource. Always true if the request succeeds.

verdict.granting_roles

string[]

required

The complete list of Roles that gave the Member permission to perform the specified action on the specified Resource.

status_code

number

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

request_id

string

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

​Local JWT validation

​Authorization

​Request Parameters

​Response

Local JWT validation

Authorization

Request Parameters

Response