We have a use case where we want to create a session for a user without them logging in (we need a signed JWT which we can then use to interact with our services masquerading as that user). Looking through your API this doesn’t seem possible, am I missing something? Or do I need to manage my own key set to sign this type of token…
Hey Joel!
You are correct - we don’t currently support auth-less session creation or generation, although we have heard this feedback as a way to ease testing and migrating.
Could you help me understand your use case? I can definitely relay this feedback to our team too.
Best,
Chaeyoon
Stytch Developer Success
Hi Chaeyoon,
The use case here is for a more complex auth mechanism where admins may want to masquerade as other users. This allows them to take actions on their behalf and help the users understand what they are seeing.
I understand that allowing us to create sessions as we need opens another avenue for security risks, but maybe as an advanced feature to help here and for the points you mentioned.
Hey Joel,
Thanks for providing the context! This makes sense and I’ve passed this along to our product team as an ongoing feature request for user impersonation.
As a workaround, we do offer an Embeddable Magic Link endpoint that we’ve seen some customers leverage for this purpose in the past. Using that endpoint, you can retrieve a Magic Link token by passing in a user_id, and then authenticate the resulting token to create a session for that user. We do want you to be aware that if you implement it incorrectly and don’t properly handle the token, it could be a security risk.
If that’s something you’re interested in, we’ll just need to enable the endpoint for your project. Let me know and I can enable it for you!
Best,
Chaeyoon
Stytch Developer Success
Hi Chaeyoon,
If we could have that endpoint enabled that would be appreciated, thank you!
Hey Joel,
Sure thing - would you mind just sending us an email at support@stytch.com to get enabled?
Thanks!
@chaeyoon-stytch Is this embeddable magic link api available for B2B applications? Or only in the consumer api? I see the docs here for the consumer side but I don’t see an equivalent in B2B