My background is primarily in OIDC so I’m less familiar with the paradigms of your service. The thing I can’t quite wrap my head around currently is how backend APIs are supposed to integrate with the service.
Let’s assume that we have a backend API and frontend app. What should the frontend pass the backend app? Should it be the magic token from the email? Would the backend then call v1/magic_links/authenticate to get the user ID and verify that the token is valid?
In OIDC I would configure the backend to verify the JWT with JWKS from the IDP. And to test it I would use a client credentials flow.
Hey Jonathan – thanks for posting!
What should the frontend pass the backend app? Should it be the magic token from the email? Would the backend then call v1/magic_links/authenticate to get the user ID and verify that the token is valid?
That’s exactly right! Your frontend will receive the Magic Link token as a query parameter, at which point you can pass it to your backend and call the backend /magic_links/authenticate endpoint in order to verify that the token is valid. You may find this diagram of our Email Magic Links flow helpful as well, for reference.
I’ll also note that we do have frontend SDKs available as well, if you prefer a primarily frontend flow. Both options are valid, and just depend on your preferences and use case.
Please let us know if you have any additional questions about this, or if any questions arise while integrating, and we’ll be happy to help!
I don’t know if that is quite what I’m after. If the API calls authenticate the magic token cannot be used again. I’ll try and expand my example a little.
Let’s say we have a backend API with a single endpoint: GET /cats. This endpoint returns every cat a given user has access to. In order to figure out what cats the user has access to we need to know the ID of the user. In OIDC that ID would come in the sub claim along with everything else I need to verify that the that the user is who they say they are.
With Stytch I could call the authenticate endpoint for a magic link to get the ID and filter down the cats, but then that magic link is used up. It wouldn’t make sense for to get a magic token before every API call.
Got it – I think what you may be looking for is our Sessions product.
If you specify the session_duration_minutes parameter when calling any of our /authenticate endpoints (for example, /magic_links/authenticate), a Stytch session will be created. You will receive a session object along with session_jwt and session_token values that you can then use to interact with our Sessions endpoints.
You can use our Sessions endpoints to repeatedly retrieve the user’s user_id (and other data, such as which authentication factors they’ve used and when) as long as the session is still valid.
I’d recommend reading through our Sessions docs to see if that addresses your use case. We’ll be happy to help with any follow-up questions!