Token-Based Authentication

WARNING: Before you start using access tokens, please visit our documentation for powerauth-crypto for more information about this feature.

Tokens are simple, locally cached objects that produce timestamp-based authorization headers. Be aware that tokens are NOT a replacement for general PowerAuth signatures. They are helpful in situations where signatures are too heavy or too complicated to implement. Each token has the following properties:

  • It needs a PowerAuth signature for its creation (i.e., you need to provide a PowerAuthAuthentication object)
  • It has a unique identifier on the server. This identifier is not exposed to the public API, but the DEBUG version of the SDK can reveal that identifier in the debugger.
  • It has a symbolic name (e.g., “MyToken”) defined by the application programmer to identify already created tokens.
  • It can generate timestamp-based authorization HTTP headers.
  • It can be used concurrently. A token’s private data does not change over time.
  • The token is associated with the PowerAuth instance. So, you can use the same symbolic name in multiple SDK instances, and each created token will be unique.
  • Tokens are persisted in the keychain and cached in memory.
  • Once the parent PowerAuth instance loses its activation, all its tokens are removed from the local database.

Getting Token

To get an access token, you can use the following code:

// 1FA signature, uses device-related key
final auth = PowerAuthAuthentication.possession();

try {
    final token = await powerAuth.tokenStore.requestAccessToken("MyToken", auth);
    // now you can generate a header
} catch (e) {
    // handle error
}

The token may already be cached locally on the device. You can check for that by calling await powerAuth.tokenStore.hasLocalToken("MyToken").

Generating Authorization Header

Once you have a PowerAuthToken object, use the following code to generate an authorization header:

try {
    final header = await powerAuth.tokenStore.generateHeaderForToken(token.tokenName);
    // now you can attach that header to your HTTP request
} catch (e) {
    // token is no longer valid
}

Removing Token From the Server

To remove the token from the server, you can use the following code:

try {
    await powerAuth.tokenStore.removeAccessToken("MyToken");
    // token has been removed
} catch (e) {
    // handle error
}

Removing Token Locally

To remove the token locally, you can simply use the following code:

try {
    // Remove just one token
    await powerAuth.tokenStore.removeLocalToken("MyToken");
    // Remove all local tokens
    await powerAuth.tokenStore.removeAllLocalTokens();
} catch (e) {
    // handle error
}

Note that by removing tokens locally, you lose control of the corresponding tokens stored on the server: the SDK no longer knows their identifiers, so it cannot remove them on your behalf later.
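The sections above describe one flow: obtain a token, generate a header per request, and clean up. The following Dart snippet is an added example that ties those steps together; it is not code from the PowerAuth SDK or its documentation. It assumes `powerAuth` is an already configured and activated instance of a class named `PowerAuth`, that `generateHeaderForToken` returns an object with `key` and `value` fields (the type name `PowerAuthAuthorizationHttpHeader` is assumed), and that the `http` package is used for the outgoing request. It uses only the token store calls shown on this page. The one behaviour it adds is a recovery path: when header generation fails for a cached token (the "token is no longer valid" case above), only the local copy is dropped and a fresh token is requested, while network or signature failures propagate to the caller so a transient error does not silently discard a token you can still manage on the server.

```dart
import 'package:http/http.dart' as http; // assumption: http package for requests

/// Small wrapper that keeps one named token and uses it to authorize requests.
/// Assumption: `PowerAuth` is the SDK's main class and `powerAuth` is an
/// instance that already holds a valid activation.
class TokenBackedClient {
  final PowerAuth powerAuth;
  final String tokenName;

  TokenBackedClient(this.powerAuth, {this.tokenName = 'MyToken'});

  /// Returns an authorization header for [tokenName].
  ///
  /// If a token is cached locally, a header is generated from it. Only a
  /// failure of `generateHeaderForToken` is treated as a stale local token;
  /// in that case the local copy is removed and a new token is requested.
  Future<PowerAuthAuthorizationHttpHeader> headerForToken() async {
    if (await powerAuth.tokenStore.hasLocalToken(tokenName)) {
      try {
        return await powerAuth.tokenStore.generateHeaderForToken(tokenName);
      } catch (_) {
        // Cached token is no longer valid: forget it and fall through to
        // request a replacement. Nothing else is caught here on purpose.
        await powerAuth.tokenStore.removeLocalToken(tokenName);
      }
    }
    // Creating a token needs a PowerAuth signature; 1FA possession is used,
    // exactly as in the "Getting Token" snippet above.
    final auth = PowerAuthAuthentication.possession();
    final token =
        await powerAuth.tokenStore.requestAccessToken(tokenName, auth);
    return powerAuth.tokenStore.generateHeaderForToken(token.tokenName);
  }

  /// Sends a GET request authorized with the token header.
  /// Assumption: the header object exposes `key` and `value`.
  Future<http.Response> get(Uri url) async {
    final header = await headerForToken();
    return http.get(url, headers: {header.key: header.value});
  }

  /// Revokes the token on the server rather than only locally, so the
  /// server-side record does not outlive the client's knowledge of it
  /// (see the note on removing tokens locally above).
  Future<void> revoke() async {
    await powerAuth.tokenStore.removeAccessToken(tokenName);
  }
}

/// Constructed usage; the URL is a placeholder, not a real endpoint.
Future<void> exampleUsage(PowerAuth powerAuth) async {
  final client = TokenBackedClient(powerAuth);
  final response = await client.get(Uri.parse('https://example.invalid/api/ping'));
  if (response.statusCode == 401) {
    // Server rejected the token: revoke it so the next call starts clean.
    await client.revoke();
  }
}
```

The wrapper deliberately does not call `removeAllLocalTokens()` on any error path: that call also affects tokens created under other symbolic names in the same PowerAuth instance, and each of them would then be unmanageable on the server for the reason given in the note above.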

Last updated on Jun 13, 2025 (19:13)

PowerAuth Mobile Flutter 1.0.0.beta