Exchange Session
Exchange an intermediate session token for a full Member Session
member_authenticated: true with a session_token and session_jwt.
If the user has not satisfied the primary or secondary authentication requirements of the Organization they are attempting to switch into, this API will return member_authenticated: false and an intermediate_session_token.
Handling authentication requirements
Ifprimary_required is set, prompt the user to fulfill the Organization’s auth requirements using the options returned in primary_required.allowed_auth_methods.
If primary_required is null and mfa_required is set, check mfa_required.member_options to determine if the Member has SMS OTP or TOTP set up for MFA and prompt accordingly. If the Member has SMS OTP, check mfa_required.secondary_auth_initiated to see if the OTP has already been sent.
Include the intermediate_session_token returned above when calling the authenticate() method that the user needed to perform. Once the user has completed the authentication requirements they were missing, they will be granted a full session_token and session_jwt to indicate they have successfully logged into the Organization.
The intermediate_session_token can also be used with the Exchange Intermediate Session endpoint or the Create Organization via Discovery endpoint to join a different Organization or create a new one.Authorizations
Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.
Body
Request type
Globally unique UUID that identifies a specific Organization. The organization_id is critical to perform operations on an Organization, so be sure to preserve this value. You may also use the organization_slug or organization_external_id here as a convenience.
The session_token belonging to the member that you wish to associate the email with.
The session_jwt belonging to the member that you wish to associate the email with.
Set the session lifetime to be this many minutes from now. This will start a new session if one doesn't already exist,
returning both an opaque session_token and session_jwt for this session. Remember that the session_jwt will have a fixed lifetime of
five minutes regardless of the underlying session duration, and will need to be refreshed over time.
This value must be a minimum of 5 and a maximum of 527040 minutes (366 days).
If a session_token or session_jwt is provided then a successful authentication will continue to extend the session this many minutes.
If the session_duration_minutes parameter is not specified, a Stytch session will be created with a 60 minute duration. If you don't want
to use the Stytch session product, you can ignore the session fields in the response.
Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in
session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To
delete a key, supply a null value. Custom claims made with reserved claims (iss, sub, aud, exp, nbf, iat, jti) will be ignored.
Total custom claims size cannot exceed four kilobytes.
If the Member needs to complete an MFA step, and the Member has a phone number, this endpoint will pre-emptively send a one-time passcode (OTP) to the Member's phone number. The locale argument will be used to determine which language to use when sending the passcode.
Parameter is an IETF BCP 47 language tag, e.g. "en".
Currently supported languages are English ("en"), Spanish ("es"), and Brazilian Portuguese ("pt-br"); if no value is provided, the copy defaults to English.
Request support for additional languages here!
en, es, pt-br, fr, it, de-DE, zh-Hans, ca-ES If the telemetry_id is passed, as part of this request, Stytch will call the Fingerprint Lookup API and store the associated fingerprints and IPGEO information for the Member. Your workspace must be enabled for Device Fingerprinting to use this feature.
Response
Successful response
Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.
Globally unique UUID that identifies a specific Member.
A secret token for a given Stytch Session.
The JSON Web Token (JWT) for a given Stytch Session.
The Member object
The Organization object.
Indicates whether the Member is fully authenticated. If false, the Member needs to complete an MFA step to log in to the Organization.
The returned Intermediate Session Token contains any Email Magic Link or OAuth factors from the original member session that are valid for the target Organization. If this value is non-empty, the member must complete an MFA step to finish logging in to the Organization. The token can be used with the OTP SMS Authenticate endpoint, TOTP Authenticate endpoint, or Recovery Codes Recover endpoint to complete an MFA flow and log in to the Organization. The token has a default expiry of 10 minutes. It can also be used with the Exchange Intermediate Session endpoint to join a specific Organization that allows the factors represented by the intermediate session token; or the Create Organization via Discovery endpoint to create a new Organization and Member. Intermediate Session Tokens have a default expiry of 10 minutes.
The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.
The Session object.
Information about the MFA requirements of the Organization and the Member's options for fulfilling MFA.
Information about the primary authentication requirements of the Organization.
If a valid telemetry_id was passed in the request and the Fingerprint Lookup API returned results, the member_device response field will contain information about the member's device attributes.