Access Token
An Auth Token will always need to be exchanged for an Access Token, even in the case of a simple login. However, there are some specific use cases that are enabled by handling Access Tokens:
1. Root Users being linked to multiple identities using the same set of credentials (username+password)
For Root Users linked to multiple identities, the tokens are used as follows:
POST Login with password – an Auth Token is returned in the response and can only be used for the following endpoints:
In order to receive an Access Token for the intended identity, the identity must be specified in the call to ‘POST Acquire a new access token’.
2. Biometrics
For Enrolment via biometrics, the tokens are used as follows:
POST Login with password - an Auth Token is returned in the response and can only be used for the following endpoints:
The Auth Token needs to be exchanged for an Access Token. If the user is only linked to one identity, then the identity in the request is optional. The Access Token can then be used in ‘POST Enrol a user device for authentication using push notifications’. A push notification is sent to the user, they provide consent via the embedded SDK, and the active Access Token is stepped up.
For Login via Biometrics, the tokens are used as follows:
The login via biometrics screen is initiated via the SDK, and the login is completed successfully by the end user. The token that is provided via webhook will be an Auth Token, which can only be used for the following endpoints:
The Auth Token needs to be exchanged for an Access Token for use elsewhere in the system. In this scenario, when requesting the Access Token, if the user is only linked to one identity, then identity is optional in the request, and an Access Token for the identity will still be returned. The Access Token that is returned will already be stepped-up.
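The exchange rules described above can be summarised as a small model. This is an added example, not code from the platform or its SDK. The class names, the `IDENTITIES` sample data, the `authorize` gate with its `requires_step_up` parameter, and the rejection of an identity that is not linked to the user are all assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class AuthToken:
    user: str
    via_biometrics: bool  # True when issued after a biometric login via the SDK

@dataclass(frozen=True)
class AccessToken:
    user: str
    identity: str
    stepped_up: bool

# Constructed sample data: Root Users and the identities linked to them.
IDENTITIES = {
    "alice": ["alice-personal"],
    "bob": ["bob-personal", "bob-business"],
}

def acquire_access_token(auth: AuthToken, identity: Optional[str] = None) -> AccessToken:
    """Model of 'POST Acquire a new access token'."""
    linked = IDENTITIES[auth.user]
    if identity is None:
        # The identity is optional only when the user is linked to exactly one.
        if len(linked) != 1:
            raise ValueError("identity must be specified for a multi-identity user")
        identity = linked[0]
    elif identity not in linked:
        # Assumption: an identity not linked to the user is refused.
        raise PermissionError("identity is not linked to this user")
    # After a biometric login the Access Token is returned already stepped up.
    return AccessToken(auth.user, identity, stepped_up=auth.via_biometrics)

def step_up_after_push_consent(token: AccessToken) -> AccessToken:
    """Model of the active Access Token being stepped up after push consent."""
    return replace(token, stepped_up=True)

def authorize(token: object, requires_step_up: bool = False) -> bool:
    """Hypothetical server-side gate for endpoints outside the Auth Token's set."""
    if not isinstance(token, AccessToken):
        return False  # an Auth Token must be exchanged first
    return token.stepped_up or not requires_step_up
```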