Token Auth
Token-based authentication is the recommended way to authenticate users in your applications with Authgate.
It is a two-step process:
- Login: Your app sends user credentials (username/password or license code) to Authgate once
- Use Token: Authgate returns a session token that your app uses for all future requests
Think of it like checking in at a hotel. You prove who you are once at the reception. Then you walk around with your room key.
Sessions expire after 5 minutes. The API clients automatically retrieve a new token when the old one expires.
How to Use It
Use TokenAuthStrategy in your application. For complete implementation examples, see the SDK documentation.
How It Works Behind the Scenes
When you call client.login():
- The API client sends your user’s credentials to the /auth/login endpoint
- Authgate validates the credentials and creates a session
- Authgate returns a session token (a long random string)
- The API client stores this token in memory
- For every request, the client sends the token in the Authorization: Bearer <token> header
If the token expires (401 error), the API client automatically:
- Uses your stored credentials to get a new token
- Retries the failed request with the new token
- All of this happens in the background!
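The login, bearer-header and retry-on-401 sequence described above, as an added example that is not Authgate's SDK code: it assumes a hypothetical TokenAuthClient with an injected transport callable, and a constructed FakeAuthgate stand-in (username alice, password s3cret) so the flow can be run offline.

```python
import secrets
from typing import Optional, Tuple

Response = Tuple[int, dict]  # (HTTP status, JSON body)

class TokenAuthClient:
    def __init__(self, transport, credentials: dict):  # injected transport, so this runs offline
        self._transport = transport
        self._credentials = credentials    # kept only so a new token can be fetched
        self._token: Optional[str] = None  # session token, held in memory only

    def login(self) -> None:
        status, body = self._transport("POST", "/auth/login", {}, self._credentials)
        if status != 200:
            raise PermissionError(f"login failed with status {status}")
        self._token = body["token"]

    def request(self, method: str, path: str, body: Optional[dict] = None, _retry=True) -> Response:
        if self._token is None:
            self.login()
        headers = {"Authorization": f"Bearer {self._token}"}
        status, resp = self._transport(method, path, headers, body or {})
        if status == 401 and _retry:       # token expired: re-login and retry once
            self.login()
            return self.request(method, path, body, _retry=False)
        return status, resp

class FakeAuthgate:  # constructed stand-in for the server; issues and validates tokens
    def __init__(self) -> None:
        self.valid, self.logins = set(), 0

    def __call__(self, method: str, path: str, headers: dict, body: dict) -> Response:
        if path == "/auth/login":
            if body.get("username") != "alice" or body.get("password") != "s3cret":
                return 401, {"error": "invalid credentials"}
            self.logins += 1
            token = secrets.token_hex(16)  # "a long random string"
            self.valid.add(token)
            return 200, {"token": token}
        if headers.get("Authorization", "")[len("Bearer "):] not in self.valid:
            return 401, {"error": "session expired"}
        return 200, {"path": path}

def demo() -> Tuple[int, int, int]:
    server = FakeAuthgate()
    client = TokenAuthClient(server, {"username": "alice", "password": "s3cret"})
    first, _ = client.request("GET", "/users/me")
    server.valid.clear()                   # simulate the 5-minute session expiry
    second, _ = client.request("GET", "/users/me")
    return first, second, server.logins    # -> (200, 200, 2)
```

Note that the second request succeeds only because the client re-logs in once and retries; a second 401 after the retry is returned to the caller rather than looping.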
Disabling Token Auth
Token Auth is more secure than Legacy Auth because credentials are only sent once during login, not with every request. It is on by default.
If for any reason you need to disable it, you can do so in the application settings in the Authgate dashboard.
Important Notes
- Store Credentials Securely: Even though tokens are used for requests, your app needs to store the original credentials to refresh tokens
- One Application: Tokens are tied to your application - you can’t use a token from one app in another