Account Kit Access Tokens and Authorization Codes for Android and iOS
For Android and iOS apps, authentication works in one of two ways:
- By access tokens
- By authorization code
Note that the JS SDK for web supports only authorization codes.
In your app's dashboard, there is a switch labeled Enable Client Access Token Flow. When that switch is ON, your client application will (after a successful login) directly receive a long-lived access token, which it is then responsible for securely passing to your server to be used in API calls.
When the Enable Client Access Token Flow switch is OFF, your client application will (after a successful login) receive a short-lived authorization code, which it is then responsible for securely passing to your server. Your server may then use the code to retrieve an access token, which may be subsequently used for API calls. This flow is offered as threat mitigation for cases where an attacker might attempt to impersonate your client application, or otherwise intercept the long-lived API access token. It is up to you whether your threat model and the value of your data warrant the extra steps necessary to enable this flow. It is also the developer's responsibility to ensure an appropriate level of security between the client app and their own servers.
An access token returned from the SDK allows you to verify the authenticity of a user's identity on the server side when processing requests for your application.
- A successful login creates an Account ID and an associated access token.
- The access token can be used to access Account Kit REST APIs.
- You should pass the access token to your application's server to verify the user's identity.
An authorization code returned from the SDK is intended to be passed to your server, which exchanges it for an access token.
- A successful login creates an account, and passes back an associated authorization code.
- The authorization code should be passed to your application's server, which may then use the code to retrieve an access token.
- Your application's server may then use the access token to verify the user's identity for subsequent API calls.
It's a good practice to include the access token with every server request to your application and to verify the user ID from the token and not directly from the client. This helps protect your application from unauthorized uses.
Learn more about how access tokens and authorization codes are used with the Account Kit API, see the "Access Tokens" section of Using the Graph API.