Skip to main content
POST
/
v1
/
sessions
/
authenticate
Authenticate
curl --request POST \
  --url https://api.stytch.com/v1/sessions/authenticate \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "session_token": "<string>",
  "session_duration_minutes": 123,
  "session_jwt": "<string>",
  "session_custom_claims": {},
  "authorization_check": {
    "resource_id": "<string>",
    "action": "<string>"
  }
}
'
{
  "request_id": "<string>",
  "session": {
    "session_id": "<string>",
    "user_id": "<string>",
    "authentication_factors": [
      {
        "type": "magic_link",
        "delivery_method": "email",
        "last_authenticated_at": "<string>",
        "created_at": "<string>",
        "updated_at": "<string>",
        "email_factor": {
          "email_id": "<string>",
          "email_address": "<string>"
        },
        "phone_number_factor": {
          "phone_id": "<string>",
          "phone_number": "<string>"
        },
        "google_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "microsoft_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "apple_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "webauthn_factor": {
          "webauthn_registration_id": "<string>",
          "domain": "<string>",
          "user_agent": "<string>"
        },
        "authenticator_app_factor": {
          "totp_id": "<string>"
        },
        "github_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "recovery_code_factor": {
          "totp_recovery_code_id": "<string>"
        },
        "facebook_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "crypto_wallet_factor": {
          "crypto_wallet_id": "<string>",
          "crypto_wallet_address": "<string>",
          "crypto_wallet_type": "<string>"
        },
        "amazon_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "bitbucket_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "coinbase_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "discord_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "figma_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "git_lab_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "instagram_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "linked_in_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "shopify_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "slack_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "snapchat_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "spotify_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "steam_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "tik_tok_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "twitch_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "twitter_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "embeddable_magic_link_factor": {
          "embedded_id": "<string>"
        },
        "biometric_factor": {
          "biometric_registration_id": "<string>"
        },
        "saml_sso_factor": {
          "id": "<string>",
          "provider_id": "<string>",
          "external_id": "<string>"
        },
        "oidc_sso_factor": {
          "id": "<string>",
          "provider_id": "<string>",
          "external_id": "<string>"
        },
        "salesforce_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "yahoo_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "hubspot_oauth_factor": {
          "id": "<string>",
          "provider_subject": "<string>",
          "email_id": "<string>"
        },
        "slack_oauth_exchange_factor": {
          "email_id": "<string>"
        },
        "hubspot_oauth_exchange_factor": {
          "email_id": "<string>"
        },
        "github_oauth_exchange_factor": {
          "email_id": "<string>"
        },
        "google_oauth_exchange_factor": {
          "email_id": "<string>"
        },
        "impersonated_factor": {
          "impersonator_id": "<string>",
          "impersonator_email_address": "<string>"
        },
        "oauth_access_token_exchange_factor": {
          "client_id": "<string>"
        },
        "trusted_auth_token_factor": {
          "token_id": "<string>"
        }
      }
    ],
    "roles": [
      "<string>"
    ],
    "started_at": "<string>",
    "last_accessed_at": "<string>",
    "expires_at": "<string>",
    "attributes": {
      "ip_address": "<string>",
      "user_agent": "<string>"
    },
    "custom_claims": {}
  },
  "session_token": "<string>",
  "session_jwt": "<string>",
  "user": {
    "user_id": "<string>",
    "emails": [
      {
        "email_id": "<string>",
        "email": "<string>",
        "verified": true
      }
    ],
    "status": "<string>",
    "phone_numbers": [
      {
        "phone_id": "<string>",
        "phone_number": "<string>",
        "verified": true
      }
    ],
    "webauthn_registrations": [
      {
        "webauthn_registration_id": "<string>",
        "domain": "<string>",
        "user_agent": "<string>",
        "verified": true,
        "authenticator_type": "<string>",
        "name": "<string>"
      }
    ],
    "providers": [
      {
        "provider_type": "<string>",
        "provider_subject": "<string>",
        "profile_picture_url": "<string>",
        "locale": "<string>",
        "oauth_user_registration_id": "<string>"
      }
    ],
    "totps": [
      {
        "totp_id": "<string>",
        "verified": true
      }
    ],
    "crypto_wallets": [
      {
        "crypto_wallet_id": "<string>",
        "crypto_wallet_address": "<string>",
        "crypto_wallet_type": "<string>",
        "verified": true
      }
    ],
    "biometric_registrations": [
      {
        "biometric_registration_id": "<string>",
        "verified": true
      }
    ],
    "is_locked": true,
    "roles": [
      "<string>"
    ],
    "name": {
      "first_name": "<string>",
      "middle_name": "<string>",
      "last_name": "<string>"
    },
    "created_at": "<string>",
    "password": {
      "password_id": "<string>",
      "requires_reset": true
    },
    "trusted_metadata": {},
    "untrusted_metadata": {},
    "external_id": "<string>",
    "lock_created_at": "<string>",
    "lock_expires_at": "<string>"
  },
  "status_code": 123,
  "verdict": {
    "authorized": true,
    "granting_roles": [
      "<string>"
    ]
  }
}
Authenticate a session token or session JWT and retrieve associated session data. If session_duration_minutes is included, update the lifetime of the session to be that many minutes from now. All timestamps are formatted according to the RFC 3339 standard and are expressed in UTC, e.g. 2021-12-29T12:33:09Z. This endpoint requires exactly one session_jwt or session_token as part of the request. If both are included, you will receive a too_many_session_arguments error. You may provide a JWT that needs to be refreshed and is expired according to its exp claim. A new JWT will be returned if both the signature and the underlying Session are still valid. See our sessions guides for more information.

Authorizations

Authorization
string
header
required

Basic authentication header of the form Basic <encoded-value>, where <encoded-value> is the base64-encoded string username:password.

Body

application/json

Request type

session_token
string

The session token to authenticate.

session_duration_minutes
integer<int32>

Set the session lifetime to be this many minutes from now; minimum of 5 and a maximum of 527040 minutes (366 days). Note that a successful authentication will continue to extend the session this many minutes.

session_jwt
string

The JWT to authenticate. You may provide a JWT that has expired according to its exp claim and needs to be refreshed. If the signature is valid and the underlying session is still active then Stytch will return a new JWT.

session_custom_claims
object

Add a custom claims map to the Session being authenticated. Claims are only created if a Session is initialized by providing a value in session_duration_minutes. Claims will be included on the Session object and in the JWT. To update a key in an existing Session, supply a new value. To delete a key, supply a null value.

Custom claims made with reserved claims ("iss", "sub", "aud", "exp", "nbf", "iat", "jti") will be ignored. Total custom claims size cannot exceed four kilobytes.

authorization_check
object

If an authorization_check object is passed in, this endpoint will also check if the User is authorized to perform the given action on the given Resource. A User is authorized if they are assigned a Role with adequate permissions.

If the User is not authorized to perform the specified action on the specified Resource, a 403 error will be thrown. Otherwise, the response will contain a list of Roles that satisfied the authorization check.

Response

Successful response

request_id
string
required

Globally unique UUID that is returned with every API call. This value is important to log for debugging purposes; we may ask for this value to help identify a specific API call when helping you debug an issue.

session
object
required

If you initiate a Session, by including session_duration_minutes in your authenticate call, you'll receive a full Session object in the response.

See Session object for complete response fields.

session_token
string
required

A secret token for a given Stytch Session.

session_jwt
string
required

The JSON Web Token (JWT) for a given Stytch Session.

user
object
required

The user object affected by this API call. See the Get user endpoint for complete response field details.

status_code
integer<int32>
required

The HTTP status code of the response. Stytch follows standard HTTP response status code patterns, e.g. 2XX values equate to success, 3XX values are redirects, 4XX are client errors, and 5XX are server errors.

verdict
object

If an authorization_check is provided in the request and the check succeeds, this field will return information about why the User was granted permission.