Credentials are tightly associated with Users. All Users have one or more associated Credentials.
The allowed types of credentials depend on the user_type
of the User.
Field | Value | Req/Default | Notes |
---|---|---|---|
id |
id | Auto-generated | Credential’s ID. Always starts with “crd_”. Example: |
user_id |
user_id | Required | ID of User this Credential belongs to. |
credential_type |
api_key ,facebook ,github ,google ,linkedin ,oauth2 ,password ,slack ,totp ,yahoo |
Required | |
request |
hash | Hash of request attributes to add to Event. See notes. |
|
|
|||
password |
string | Required |
|
password_confirmation |
string | Optional |
|
|
|||
api_key |
string | Optional |
|
‘totp’ only: |
|||
auth_provider_id |
auth_provider_id | Auth Provider's ID. | |
name |
string | Required | Name of the TOTP device, eg: 'iPhone X'. |
otp_secret |
string | Auto-generated | The secret used to seed the TOTP device; only when |
provisioning_uri |
uri | Auto-generated | Standardized URI used to create QRCodes for TOTP device self-provisioning; only when |
state |
active ,new |
new |
TOTP credentials must be verified once prior to being used for logins. |
Social providers: |
|||
auth_provider_id |
auth_provider_id | Auth Provider's ID. | |
provider_user_id |
string | External provider's Unique ID for this user. | |
access_token |
string | Access token for this user. | |
token_expires_at |
time_t | Expiration time of |
password_confirmation
is optional when setting/updating a password. If included, it must match password
. If not included, the confirmation check is bypassed.
To auto-generate a new API key, set api_key
to ‘generate’. When creating a new API key, api_key
will also be auto-generated if left blank.
Auto-generated API keys are automatically prefixed with Realm.api_key_prefix, if set. Manually assigned API keys are not auto-prefixed.
API keys can be stored hashed or encrypted. See Realm.api_key_policy for details.
When Realm.api_key_policy is hash
, the api_key
attribute is only returned when the credential is created or changed (and is then flushed from memory). When Realm.api_key_policy is encrypt
, api_key
is decrypted and returned every time.
When setting your own value for api_key
, please be very careful to use only lengthy, high-entropy keys. If you’re not sure what this means, we strongly urge you to use automatically generated keys instead.
Credentials for social providers are generally handled automatically by LoginRocket or when using the Auth Provider Authenticate with a Token method.
The only method sometimes used with social providers is Delete a Credential.
When migrating existing data to AuthRocket, Create a Credential may be useful. However, you can also skip this and let AuthRocket automatically create the credentials based on matching email addresses.
Method | Permissions |
---|---|
Get | read |
Create, Update, Verify, Delete | write |
To retrieve all credentials for a user, use Get a User.
Retrieve a specific credential.
GET /v1/credentials/:credential_id
$res = $client->credentials()->find('crd_0v1zUpWdE4IiFc2w5ynShf');
AuthRocket::Credential.find 'crd_0v1zUpWdE4IiFc2w5ynShf'
Status: 200
{ "id" : "crd_0v1zUpWdE4IiFc2w5ynShf",
"api_key" : "key-abcdefghijklmnopqrstuvwxyz",
"credential_type" : "api_key",
"object" : "credential",
"user_id" : "usr_0v1zTHXhtNgmDaXaDYSAqx"
}
var_dump($res->fields);
array(16) {
["id"]=> string(26) "crd_0v1zUpWdE4IiFc2w5ynShf"
["api_key"]=> string(30) "key-abcdefghijklmnopqrstuvwxyz"
["credential_type"]=> string(7) "api_key"
["object"]=> string(10) "credential"
["user_id"]=> string(26) "usr_0v1zTHXhtNgmDaXaDYSAqx"
}
#<AuthRocket::Credential:0x3fde5fa18df8>
id: "crd_0v1zUpWdE4IiFc2w5ynShf",
attribs: {
"api_key"=>"key-abcdefghijklmnopqrstuvwxyz",
"credential_type"=>"api_key",
"object"=>"credential",
"user_id"=>"usr_0v1zTHXhtNgmDaXaDYSAqx"
}
Creates a new credential for a user.
POST /v1/credentials
{ "credential" :
{ "user_id" : "usr_0v1zTHXhtNgmDaXaDYSAqx",
"credential_type" : "api_key"
}
}
$res = $client->credentials()->create([
"user_id" => "usr_0v1zTHXhtNgmDaXaDYSAqx",
"credential_type" => "api_key"
]);
cred = AuthRocket::Credential.create(
user_id: 'usr_0v1zTHXhtNgmDaXaDYSAqx',
credential_type: 'api_key'
)
Status: 201, with same body as Get a Credential.
On success, returns same object as Get a Credential.
On failure, returns an object with errors:
$res->hasErrors();
// => true
var_dump($res->errors);
array(1) {
[0]=> string(30) "Credential type can't be blank"
}
On success, returns same object as Get a Credential.
On failure, returns an object without an id, but with errors:
# => #<AuthRocket::Credential:0x3fde5fa18df8> id: nil, ...
credential.errors?
# => true
credential.valid?
# => false
credential.errors
# => ["Password can't be blank"]
Triggers a user.updated
event.
Update a credentials’s attributes. Only provided attributes are changed.
PUT /v1/credentials/:credential_id
{ "credential" :
{ "password" : "secret",
"password_confirmation" : "secret"
}
}
$res = $client->credentials()->update('crd_0v1zUpWdE4IiFc2w5ynShf', [
"password" => "secret",
"password_confirmation" => "secret"
]);
cred=AuthRocket::Credential.find 'crd_0v1zUpWdE4IiFc2w5ynShf'
cred.save password: 'secret', password_confirmation: 'secret'
Status: 200, with same body as Get a Credential.
On success, returns same object as Get a Credential.
On failure, returns an object with errors:
$res->hasErrors();
// => true
var_dump($res->errors);
array(1) {
[0]=> string(35) "Password confirmation doesn't match"
}
On success, returns same object as Get a Credential.
On failure, returns false:
# => false
credential.errors
# => ["Password confirmation doesn't match"]
Triggers a user.updated
event.
For credentials associated with external providers, depending on which fields are changed, the user.updated
event will often be skipped.
Verify a TOTP credential. If the credential’s state
is new
, automatically advances to active
upon success.
If already active
, no changes are made to state
, but the code is still verified. This is useful for verifying a user’s 2FA credential prior to performing a sensitive operation inside your app.
POST /v1/credentials/:credential_id/verify
{ "credential" :
{ "code" : "123456"
}
}
$res = $client->credentials()->verify('crd_0v1zUpWdE4IiFc2w5ynShf', [
"code" => "123456"
]);
cred=AuthRocket::Credential.find 'crd_0v1zUpWdE4IiFc2w5ynShf'
cred.verify '123456'
Status: 200, with same body as Get a Credential.
On success, returns same object as Get a Credential.
On failure, returns an object with errors:
$res->hasErrors();
// => true
var_dump($res->errors);
array(1) {
[0]=> string(19) "Verification failed"
}
On success, returns same object as Get a Credential.
On failure, returns false:
# => false
credential.errors
# => ["Verification failed"]
If state
changed, triggers a user.updated
event. Otherwise, no event is triggered.
Deletes a credential.
DELETE /v1/credentials/:credential_id
$res = $client->credentials()->delete('crd_0v1zUpWdE4IiFc2w5ynShf');
cred=AuthRocket::Credential.find 'crd_0v1zUpWdE4IiFc2w5ynShf'
cred.delete
Status: 204
On success, returns an object with no errors.
On failure, returns an object with errors.
$res->hasErrors();
// => true or false
On success, returns original object.
On failure, returns false.
Triggers a user.updated
event.
Questions? Find a Typo? Get in touch.