When building custom Login UI with Session API, what to store in the client browser?
After updating the session with the user's password (https://zitadel.com/docs/guides/integrate/login-ui/username-password#update-session-with-password):
Does this mean I can store the session ID in the user's cookie? Is the session ID designed for that?
After the user successfully logs in with the Session API, what kind of user token can I use to authenticate my API?
Hi @Loss A Bike, I'm an AI assistant for ZITADEL. While a team member reviews this question, I'll see if I can find relevant sources for your question.
Answer
You should store the session token (not just the session ID) in the user's cookie if you want to track authenticated sessions with the ZITADEL Session API. The session token is an opaque value returned after login or session update, and it is required for authenticating further requests and retrieving session/user info [1]. The session ID alone is not sufficient for authentication—always use the session token from the most recent response.
After a user logs in with the Session API, you use the session token (not an OIDC/JWT access token) to authenticate API calls that need to verify the user's session or retrieve session/user details. The session token is not an OIDC/JWT token and cannot be used on endpoints that expect standard OIDC tokens [1] [2].
To learn more, see the sources I considered:
[1] Register and Login User with Password in a Custom Login UI
[2] How to use the session token to obtain user info? (custom login ui)
Feel free to tag @Ask Inkeep with additional questions.
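The answer above boils down to three practical rules for a custom login UI: keep the session ID and the session token together, keep the token out of page JavaScript, and replace the stored token whenever the Session API hands back a new one. The snippet below is an added example, not code from this thread or from ZITADEL; it assumes a cookie name `zitadel_session`, an update response of the shape `{ sessionToken }`, and a server-side login UI that sets and reads the cookie. It shows how to issue the cookie with `HttpOnly`, `Secure` and `SameSite` attributes, parse it back on later requests, and rotate it after a session update.

```javascript
// Added example (not from the thread or ZITADEL's own code): carrying the
// Session API's session ID and opaque session token in one HttpOnly cookie.
// Assumptions: cookie name, and an update response shaped like { sessionToken }.

const COOKIE_NAME = 'zitadel_session'; // assumed name, pick your own

// Build a Set-Cookie header value that carries both the session ID and the
// session token. Both are required: the ID alone does not authenticate anything.
function buildSessionCookie(sessionId, sessionToken, { maxAgeSeconds = 3600 } = {}) {
  if (typeof sessionId !== 'string' || typeof sessionToken !== 'string' ||
      sessionId === '' || sessionToken === '') {
    throw new Error('session ID and session token are both required');
  }
  // JSON-encode and URL-encode so one cookie carries both values safely.
  const value = encodeURIComponent(JSON.stringify({ sessionId, sessionToken }));
  return [
    `${COOKIE_NAME}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'HttpOnly',      // not readable from page JavaScript
    'Secure',        // only sent over TLS
    'SameSite=Lax',  // not sent on cross-site subrequests
  ].join('; ');
}

// Parse an incoming Cookie request header and return { sessionId, sessionToken },
// or null when the cookie is absent or malformed (treat both as "not logged in").
function readSessionCookie(cookieHeader) {
  if (typeof cookieHeader !== 'string') return null;
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== COOKIE_NAME) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join('=')));
      if (typeof parsed.sessionId === 'string' && typeof parsed.sessionToken === 'string') {
        return { sessionId: parsed.sessionId, sessionToken: parsed.sessionToken };
      }
    } catch {
      // malformed value: fall through and report "no session"
    }
    return null;
  }
  return null;
}

// After an update (e.g. the password check) the Session API returns a fresh
// session token; the cookie must be reissued with that newest token.
function rotateSessionCookie(sessionId, updateResponse) {
  const newToken = updateResponse && updateResponse.sessionToken; // assumed response shape
  if (typeof newToken !== 'string' || newToken === '') {
    throw new Error('update response carried no session token');
  }
  return buildSessionCookie(sessionId, newToken);
}

// Constructed walk-through: first login, then a rotation after an update.
function demo() {
  const first = buildSessionCookie('sess-123', 'tok-initial');          // constructed values
  const rotated = rotateSessionCookie('sess-123', { sessionToken: 'tok-after-password' });
  return {
    firstParsed: readSessionCookie(`theme=dark; ${first.split(';')[0]}`),
    rotatedParsed: readSessionCookie(rotated.split(';')[0]),
  };
}

module.exports = { buildSessionCookie, readSessionCookie, rotateSessionCookie, demo };
```

On each later request the server reads the cookie, takes both values, and uses the token (never the bare ID) when it calls the Session API on the user's behalf; because the cookie is `HttpOnly`, the opaque token never becomes visible to scripts in the page.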
Where can I read more about the session token, @Ask Inkeep?
Thanks for the follow-up, @Loss A Bike. I'll get back to you soon.
Answer
I wasn't able to find a direct answer; here are some relevant sources:
1. Log users into your application with different authentication options: explains what a session token is, how it differs from OIDC/JWT tokens, and outlines how to use the Session API for authentication.
2. Session Service: provides technical documentation for the Session API, including endpoints and authentication details.
Feel free to tag @Ask Inkeep with additional questions.