When building a custom login UI with the Session API, what should be stored in the client browser?
After updating the session with the user password: https://zitadel.com/docs/guides/integrate/login-ui/username-password#update-session-with-password
Does this mean I can store the session ID in the user's cookie? Is the session ID designed for that?
After the user successfully logs in with the Session API, what kind of user token can I use to authenticate my API?
Hi @Loss A Bike, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
You should store the session token (not just the session ID) in the user's cookie if you want to track authenticated sessions with the ZITADEL Session API. The session token is an opaque value returned after login or session update, and it is required for authenticating further requests and retrieving session/user info (1). The session ID alone is not sufficient for authentication—always use the session token from the most recent response.
After a user logs in with the Session API, you use the session token (not an OIDC/JWT access token) to authenticate API calls that need to verify the user's session or retrieve session/user details. The session token is not an OIDC/JWT token and cannot be used on endpoints that expect standard OIDC tokens (1) (2).
To learn more, see the sources I considered:
[1] Register and Login User with Password in a Custom Login UI
[2] How to use the session token to obtain user info? (custom login ui)
Feel free to tag @Ask Inkeep with additional questions.
where can I read more about session token @Ask Inkeep
Thanks for the follow-up, @Loss A Bike. I'll get back to you soon.
Answer
I wasn't able to find a direct answer; here are some relevant sources:
1. Log users into your application with different authentication options: Explains what a session token is, how it differs from OIDC/JWT tokens, and outlines how to use the Session API for authentication.
2. Session Service: Provides technical documentation for the Session API, including endpoints and authentication details.
Feel free to tag @Ask Inkeep with additional questions.
hey @Loss A Bike, first of all welcome to the server 🙂
I will help you here.
After you finish the password check, ZITADEL returns a session token. That token is opaque and short-lived (and meant to be kept server-side).
When you need to call your API, exchange the session-token for OAuth tokens with
/oauth/v2/token
You get back a JWT access token + refresh token pair; those are what you actually send to your services/APIs.
OK thank you so much @Rajat
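A server-side pattern for the advice above, added here as an example and not ZITADEL's or the thread's own code: the browser receives only a random HttpOnly cookie value, while the ZITADEL session ID and the short-lived session token (placeholder values passed in by the caller) stay in a server-side store with an expiry and are replaced whenever a newer token comes back from the Session API. The 900-second TTL and the method names are assumptions.

```python
# Added example, not ZITADEL's own code: the opaque, short-lived session token stays server-side.
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ZitadelSession:
    session_id: str       # ID from the ZITADEL Session API response (placeholder value)
    session_token: str    # opaque token from the most recent Session API response
    expires_at: float     # server-side expiry, since the token is short-lived


class ServerSessionStore:
    """Maps a random cookie value to the ZITADEL session; the browser never sees the token."""

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self._by_cookie: Dict[str, ZitadelSession] = {}

    def create(self, session_id: str, session_token: str, now: Optional[float] = None) -> str:
        """Store the session and return the value to put in the HttpOnly cookie."""
        now = time.time() if now is None else now
        cookie_value = secrets.token_urlsafe(32)  # 256-bit random, unrelated to any ZITADEL ID
        self._by_cookie[cookie_value] = ZitadelSession(session_id, session_token, now + self.ttl)
        return cookie_value

    def lookup(self, cookie_value: str, now: Optional[float] = None) -> Optional[ZitadelSession]:
        """Resolve a cookie to its session; expired entries are dropped, unknown ones give None."""
        now = time.time() if now is None else now
        sess = self._by_cookie.get(cookie_value)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._by_cookie[cookie_value]
            return None
        return sess

    def rotate_token(self, cookie_value: str, new_token: str, now: Optional[float] = None) -> bool:
        """After each Session API update, keep only the newest token (older ones are stale)."""
        sess = self.lookup(cookie_value, now)
        if sess is None:
            return False
        sess.session_token = new_token
        sess.expires_at = (time.time() if now is None else now) + self.ttl
        return True


def session_cookie_header(name: str, cookie_value: str, max_age: int) -> str:
    """Set-Cookie value: HttpOnly (no script access), Secure (HTTPS only), SameSite=Lax."""
    return f"{name}={cookie_value}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

On logout, drop the cookie's entry from the store so the value left in the browser no longer resolves to anything.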
Haha, the AI needs to be updated 🤦♂️
no worries 🙂 you can mark my answer with ✅ and it will auto close this thread
Hi @Rajat, can you point me to the documentation of the /oauth/v2/token endpoint? I'm checking this https://zitadel.com/docs/apis/openidoauth/endpoints#token_endpoint but I'm not sure how to use the session token as the input for this one.