Authenticates a Session with a session_jwt or session_token
session_duration_minutes. If the session_duration_minutes is not specified, the Session will not be extended.
This endpoint requires either a session_jwt or session_token be included in the request. It will return an error if both are present.
authenticateJwt method to authenticate a , as it will authenticate the JWT locally when possible. authenticateSession will always communicate with the Stytch API to authenticate the session, even if a session_jwt is provided, and will never validate JWTs locally.
We recommend using this method in situations where you’d prefer to force communication with the Stytch API in order to authenticate the session; for example, before taking particularly sensitive actions or returning particularly sensitive data, or when you need to update the session’s custom claims (via the session_custom_claims parameter).
You may provide a JWT that needs to be refreshed and is expired according to its exp claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our JWT guides for more information.
authorization_check is passed in, this method will also check if the is authorized to perform the given action on the given Resource in the specified . A Member is authorized if:
organization_id passed in the authorization check matches Member Session's Organization.
If either condition fails, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.
Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.
Request type
A secret token for a given Stytch Session.
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of
five minutes regardless of the underlying session duration, and will need to be refreshed over time.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.
If the session_duration_minutes parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
to use the Stytch session product, you can ignore the session fields in the response.
The JSON Web Token (JWT) for a given Stytch Session.
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
delete a key, supply a null value. Custom claims made with reserved claims (iss, sub, aud, exp, nbf, iat, jti) will be ignored.
Total custom claims size cannot exceed four kilobytes.
If an authorization_check object is passed in, this endpoint will also check if the Member is
authorized to perform the given action on the given Resource in the specified Organization. A Member is authorized if
their Member Session contains a Role, assigned
explicitly or implicitly, with adequate permissions.
In addition, the organization_id passed in the authorization check must match the Member's Organization.
The Roles on the Member Session may differ from the Roles you see on the Member object - Roles that are implicitly assigned by SSO connection or SSO group will only be valid for a Member Session if there is at least one authentication factor on the Member Session from the specified SSO connection.
If the Member is not authorized to perform the specified action on the specified Resource, or if the
organization_id does not match the Member's Organization, a 403 error will be thrown.
Otherwise, the response will contain a list of Roles that satisfied the authorization check.
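As an added example (not Stytch's SDK or any code from this page), the following Node.js pre-flight applies the request rules documented above before anything is sent: exactly one of session_jwt or session_token, session_duration_minutes within 5..527040, reserved claim names dropped from session_custom_claims, the four-kilobyte claims limit, and a complete authorization_check. Assumptions: the endpoint URL, the resource_id and action field names inside authorization_check, and project_id:secret as the username:password pair in the Basic header.

```javascript
// Added example, not Stytch's own code. Builds and validates a B2B
// Authenticate Session request locally; nothing is sent over the network.
const ENDPOINT = "https://api.stytch.com/v1/b2b/sessions/authenticate"; // assumed URL
const RESERVED_CLAIMS = new Set(["iss", "sub", "aud", "exp", "nbf", "iat", "jti"]);
const MIN_MINUTES = 5;
const MAX_MINUTES = 527040; // 366 days
const MAX_CLAIMS_BYTES = 4 * 1024;
const AUTHZ_FIELDS = ["organization_id", "resource_id", "action"]; // resource_id/action assumed

// Remove reserved claim names. The API ignores them anyway, but dropping them
// here makes the mistake visible in logs instead of silently at the server.
function filterCustomClaims(claims) {
  const kept = {};
  const ignored = [];
  for (const [key, value] of Object.entries(claims)) {
    if (RESERVED_CLAIMS.has(key)) ignored.push(key);
    else kept[key] = value; // null is legal: it deletes the key on the Session
  }
  return { claims: kept, ignored };
}

function customClaimsSize(claims) {
  return new TextEncoder().encode(JSON.stringify(claims)).length;
}

// Check the parameters against the documented rules.
// errors block the request; warnings flag parameters that will have no effect.
function validateParams(p) {
  const errors = [];
  const warnings = [];
  const hasJwt = typeof p.session_jwt === "string" && p.session_jwt.length > 0;
  const hasToken = typeof p.session_token === "string" && p.session_token.length > 0;
  if (hasJwt === hasToken) {
    errors.push("exactly one of session_jwt or session_token is required");
  }
  if (p.session_duration_minutes !== undefined) {
    const m = p.session_duration_minutes;
    if (!Number.isInteger(m) || m < MIN_MINUTES || m > MAX_MINUTES) {
      errors.push(`session_duration_minutes must be an integer in [${MIN_MINUTES}, ${MAX_MINUTES}]`);
    }
  }
  if (p.session_custom_claims !== undefined) {
    if (p.session_duration_minutes === undefined) {
      warnings.push("session_custom_claims are only created when session_duration_minutes is set");
    }
    if (customClaimsSize(p.session_custom_claims) > MAX_CLAIMS_BYTES) {
      errors.push("session_custom_claims exceeds four kilobytes");
    }
    const { ignored } = filterCustomClaims(p.session_custom_claims);
    if (ignored.length) warnings.push(`reserved claims ignored: ${ignored.join(", ")}`);
  }
  if (p.authorization_check !== undefined) {
    for (const field of AUTHZ_FIELDS) {
      if (!p.authorization_check[field]) errors.push(`authorization_check.${field} is required`);
    }
  }
  return { errors, warnings };
}

// Assemble the HTTP request (method, URL, headers, JSON body) without sending it.
// Throws if any hard constraint is violated, so a malformed call never reaches the API.
function buildAuthenticateRequest(projectId, secret, params) {
  const { errors } = validateParams(params);
  if (errors.length) throw new Error(errors.join("; "));
  const body = { ...params };
  if (body.session_custom_claims) {
    body.session_custom_claims = filterCustomClaims(body.session_custom_claims).claims;
  }
  // Basic <base64(username:password)>; project_id as username, secret as password (assumed)
  const encoded = Buffer.from(`${projectId}:${secret}`).toString("base64");
  return {
    method: "POST",
    url: ENDPOINT,
    headers: { Authorization: `Basic ${encoded}`, "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Constructed sample input (placeholder credentials and token, not real values).
const sampleRequest = buildAuthenticateRequest("project-test-PLACEHOLDER", "secret-test-PLACEHOLDER", {
  session_jwt: "eyJhbGciOiJSUzI1NiJ9.PLACEHOLDER.PLACEHOLDER",
  session_duration_minutes: 60,
  session_custom_claims: { tenant_tier: "gold", exp: 0, stale_flag: null },
  authorization_check: { organization_id: "organization-test-PLACEHOLDER", resource_id: "documents", action: "read" },
});
console.log(sampleRequest.method, sampleRequest.url);
console.log(sampleRequest.body);
```

A 403 from the real endpoint after this pre-flight therefore means the authorization check itself failed (wrong organization_id or insufficient Roles on the Member Session), not a malformed request, which keeps the two failure modes distinguishable in logs.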
Successful response
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
The Session object.
A secret token for a given Stytch Session.
The JSON Web Token (JWT) for a given Stytch Session.
The Member object.
The Organization object.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
If an authorization_check is provided in the request and the check succeeds, this field will return
information about why the Member was granted permission.