Authorization and Okto Auth

Learn about authorization in Okto and Okto Auth Token

Authorization in Okto SDK

Authorization in Okto SDK revolves around the Okto Auth Token, a secure credential used to authenticate and authorize requests from your application to Okto services. Understanding how Okto Auth Tokens are generated, formatted, and verified is crucial for building secure Okto-powered Web3 applications.

What is an Okto Auth Token?

The Okto Auth Token is central to how Okto manages authentication and authorization. Whenever a user logs in to your application (whether by email, social login, or external wallet signature), Okto issues a JSON Web Token (JWT) that encodes key information about the user and the specific client (your app).

Essentially, the Okto Auth Token is a unique JWT generated by Okto, combining:

  • User's login credentials
  • Client API Key
  • Session Data

Note

Okto Auth Tokens are valid for 7 days.

Okto SDK uses the Auth token to:

  • Verify Application Identity: Ensures requests originate from your authorized application (identified by your API Key).
  • Authenticate User Sessions: Confirms that the user interacting with your application is authenticated and has an active session.
  • Authorize Access to Resources: Controls access to Okto's backend services and user-specific data based on the token's validity and permissions.

How the Okto Auth Token is Generated

  1. User Initiates Login: The user can log in via social login or via external wallet connection.

  2. Okto Validates Credentials: Okto checks credentials against your application’s configuration, verifying the user’s identity and your API key.

  3. Token Minted: If the login is successful, Okto issues an Auth Token.

  4. Token Delivered: The token is returned to your front end (or wherever you initiated the login), so you can use it to make subsequent calls or maintain the user’s session.

Note

You typically won’t handle token signing/verification details yourself; Okto handles it under the hood. However, you can inspect or verify the token in detail if needed.

Okto Auth Token Verification

For debugging or understanding the token's contents, you can manually inspect the Okto Auth Token by decoding it with online JWT decoders like jwt.io.

  1. Copy the Okto Auth Token string.
  2. Go to jwt.io.
  3. Paste the token into the "Encoded" text area.
  4. jwt.io will decode the token, displaying the Header, Payload, and Signature. Decoding only reads the claims; the signature is not checked unless you also supply the verifying key.
  5. Check the Payload section for relevant claims:
    • exp (Expiration Time): Verify the token's expiration time to ensure it's still valid.
    • User identifiers and application identifiers: user details such as the email address, and the client (your app) the token was issued for.
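The same inspection done offline, as an added example that is not Okto SDK code: it splits the compact JWT, base64url-decodes the header and payload, and checks the exp claim against the 7-day validity stated above. It only decodes; it does not verify the signature, which needs Okto's key. The sample token and its claim names (sub, iat, exp) are constructed for the example and are not Okto's actual claim schema.

```javascript
// Added example (not Okto SDK code): decode an Okto Auth Token (a JWT) offline
// and check its exp claim, mirroring the manual jwt.io steps above.
// Decoding reads the claims only; it does NOT verify the signature.

const SEVEN_DAYS_S = 7 * 24 * 60 * 60; // the page states tokens are valid for 7 days

function b64urlDecode(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4); // restore padding
  return Buffer.from(padded, 'base64').toString('utf8');
}

function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split the compact JWS into header, payload and (still-encoded) signature.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 parts)');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2], // verifying it requires Okto's signing key
  };
}

// Report on exp: expired?, seconds left, and whether the lifetime
// (exp - iat) stays within the documented 7-day validity.
function checkExpiry(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { payload } = decodeJwt(token);
  if (typeof payload.exp !== 'number') throw new Error('exp claim missing');
  const lifetime = typeof payload.iat === 'number' ? payload.exp - payload.iat : null;
  return {
    expired: nowSeconds >= payload.exp,
    secondsLeft: payload.exp - nowSeconds,
    lifetimeWithinSevenDays: lifetime === null ? null : lifetime <= SEVEN_DAYS_S,
  };
}

// Constructed sample token (hypothetical claims, dummy signature):
// issued at 1,700,000,000 and expiring exactly 7 days later.
const SAMPLE_IAT = 1700000000;
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: 'HS256', typ: 'JWT' }),
  b64urlEncode({ sub: 'user-123', iat: SAMPLE_IAT, exp: SAMPLE_IAT + SEVEN_DAYS_S }),
  'dummy-signature',
].join('.');

console.log(decodeJwt(SAMPLE_TOKEN).payload);
console.log(checkExpiry(SAMPLE_TOKEN, SAMPLE_IAT + 3600)); // one hour after issue
```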

Managing Expired Auth Tokens

When an Okto Token expires, subsequent API requests using that token will fail. Okto SDK provides mechanisms to help you handle token expiration.

Next Steps

Learn more about authentication methods and session management:
