Create a new session
POST/v2/sessions
Create a new session. A token will be returned, which is required for further updates of the session.
Request​
- application/json
- application/grpc
- application/grpc-web+proto
Body
required
checks
object
"Check for user and password. Successful checks will be stated as factors on the session."
user
object
"checks the user and updates the session on success"
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
password
object
"Checks the password and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
and <= 200 characters
webAuthN
object
"Checks the public key credential issued by the WebAuthN client. Requires that the user is already checked and a WebAuthN challenge to be requested, in any previous request."
Possible values: >= 55 characters
and <= 1048576 characters
JSON representation of public key credential issued by the webAuthN client
idpIntent
object
"Checks the IDP intent. Requires that the userlink is already checked and a successful idp intent."
Possible values: non-empty
and <= 200 characters
ID of the idp intent, previously returned on the success response of the IDP callback
Possible values: non-empty
and <= 200 characters
token of the idp intent, previously returned on the success response of the IDP callback
totp
object
"Checks the Time-based One-Time Password and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: >= 6 characters
and <= 6 characters
otpSms
object
"Checks the One-Time Password sent over SMS and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
otpEmail
object
"Checks the One-Time Password sent over Email and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
metadata
object
"custom key value list to be stored on the session"
challenges
object
webAuthN
object
"Domain on which the session was created. Will be used in the WebAuthN challenge."
Possible values: [USER_VERIFICATION_REQUIREMENT_UNSPECIFIED
, USER_VERIFICATION_REQUIREMENT_REQUIRED
, USER_VERIFICATION_REQUIREMENT_PREFERRED
, USER_VERIFICATION_REQUIREMENT_DISCOURAGED
]
Default value: USER_VERIFICATION_REQUIREMENT_UNSPECIFIED
"User verification that is required during validation. When set to USER_VERIFICATION_REQUIREMENT_REQUIRED
the behaviour is for passkey authentication. Other values will mean U2F"
otpSms
object
otpEmail
object
sendCode
object
Possible values: non-empty
and <= 200 characters
Optionally set a url_template, which will be used in the mail sent by ZITADEL to guide the user to your verification page. If no template is set, the default ZITADEL url will be used.
The following placeholders can be used: Code, UserID, LoginName, DisplayName, PreferredLanguage, SessionID
userAgent
object
header
object
property name*
object
A header may have multiple values. In Go, headers are defined as map[string][]string, but protobuf doesn't allow this scheme.
"duration (in seconds) after which the session will be automatically invalidated"
Body
required
checks
object
"Check for user and password. Successful checks will be stated as factors on the session."
user
object
"checks the user and updates the session on success"
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
password
object
"Checks the password and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
and <= 200 characters
webAuthN
object
"Checks the public key credential issued by the WebAuthN client. Requires that the user is already checked and a WebAuthN challenge to be requested, in any previous request."
Possible values: >= 55 characters
and <= 1048576 characters
JSON representation of public key credential issued by the webAuthN client
idpIntent
object
"Checks the IDP intent. Requires that the userlink is already checked and a successful idp intent."
Possible values: non-empty
and <= 200 characters
ID of the idp intent, previously returned on the success response of the IDP callback
Possible values: non-empty
and <= 200 characters
token of the idp intent, previously returned on the success response of the IDP callback
totp
object
"Checks the Time-based One-Time Password and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: >= 6 characters
and <= 6 characters
otpSms
object
"Checks the One-Time Password sent over SMS and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
otpEmail
object
"Checks the One-Time Password sent over Email and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
metadata
object
"custom key value list to be stored on the session"
challenges
object
webAuthN
object
"Domain on which the session was created. Will be used in the WebAuthN challenge."
Possible values: [USER_VERIFICATION_REQUIREMENT_UNSPECIFIED
, USER_VERIFICATION_REQUIREMENT_REQUIRED
, USER_VERIFICATION_REQUIREMENT_PREFERRED
, USER_VERIFICATION_REQUIREMENT_DISCOURAGED
]
Default value: USER_VERIFICATION_REQUIREMENT_UNSPECIFIED
"User verification that is required during validation. When set to USER_VERIFICATION_REQUIREMENT_REQUIRED
the behaviour is for passkey authentication. Other values will mean U2F"
otpSms
object
otpEmail
object
sendCode
object
Possible values: non-empty
and <= 200 characters
Optionally set a url_template, which will be used in the mail sent by ZITADEL to guide the user to your verification page. If no template is set, the default ZITADEL url will be used.
The following placeholders can be used: Code, UserID, LoginName, DisplayName, PreferredLanguage, SessionID
userAgent
object
header
object
property name*
object
A header may have multiple values. In Go, headers are defined as map[string][]string, but protobuf doesn't allow this scheme.
"duration (in seconds) after which the session will be automatically invalidated"
Body
required
checks
object
"Check for user and password. Successful checks will be stated as factors on the session."
user
object
"checks the user and updates the session on success"
Possible values: non-empty
and <= 200 characters
Possible values: non-empty
and <= 200 characters
password
object
"Checks the password and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
and <= 200 characters
webAuthN
object
"Checks the public key credential issued by the WebAuthN client. Requires that the user is already checked and a WebAuthN challenge to be requested, in any previous request."
Possible values: >= 55 characters
and <= 1048576 characters
JSON representation of public key credential issued by the webAuthN client
idpIntent
object
"Checks the IDP intent. Requires that the userlink is already checked and a successful idp intent."
Possible values: non-empty
and <= 200 characters
ID of the idp intent, previously returned on the success response of the IDP callback
Possible values: non-empty
and <= 200 characters
token of the idp intent, previously returned on the success response of the IDP callback
totp
object
"Checks the Time-based One-Time Password and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: >= 6 characters
and <= 6 characters
otpSms
object
"Checks the One-Time Password sent over SMS and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
otpEmail
object
"Checks the One-Time Password sent over Email and updates the session on success. Requires that the user is already checked, either in the previous or the same request."
Possible values: non-empty
metadata
object
"custom key value list to be stored on the session"
challenges
object
webAuthN
object
"Domain on which the session was created. Will be used in the WebAuthN challenge."
Possible values: [USER_VERIFICATION_REQUIREMENT_UNSPECIFIED
, USER_VERIFICATION_REQUIREMENT_REQUIRED
, USER_VERIFICATION_REQUIREMENT_PREFERRED
, USER_VERIFICATION_REQUIREMENT_DISCOURAGED
]
Default value: USER_VERIFICATION_REQUIREMENT_UNSPECIFIED
"User verification that is required during validation. When set to USER_VERIFICATION_REQUIREMENT_REQUIRED
the behaviour is for passkey authentication. Other values will mean U2F"
otpSms
object
otpEmail
object
sendCode
object
Possible values: non-empty
and <= 200 characters
Optionally set a url_template, which will be used in the mail sent by ZITADEL to guide the user to your verification page. If no template is set, the default ZITADEL url will be used.
The following placeholders can be used: Code, UserID, LoginName, DisplayName, PreferredLanguage, SessionID
userAgent
object
header
object
property name*
object
A header may have multiple values. In Go, headers are defined as map[string][]string, but protobuf doesn't allow this scheme.
"duration (in seconds) after which the session will be automatically invalidated"
Responses​
- 200
- 403
- 404
- default
OK
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
"id of the session"
"The current token of the session, which is required for delete session, get session or the request of other resources."
challenges
object
webAuthN
object
Options for Assertion Generaration (dictionary PublicKeyCredentialRequestOptions). Generated helper methods transform the field to JSON, for use in a WebauthN client. See also: https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions
{
"details": {
"sequence": "2",
"changeDate": "2025-01-03T14:02:13.040Z",
"resourceOwner": "69629023906488334"
},
"sessionId": "222430354126975533",
"sessionToken": "string",
"challenges": {
"webAuthN": {
"publicKeyCredentialRequestOptions": {
"publicKey": {
"allowCredentials": [
{
"id": "ATmqBg-99qyOZk2zloPdJQyS2R7IkFT7v9Hoos_B_nM",
"type": "public-key"
}
],
"challenge": "GAOHYz2jE69kJMYo6Laij8yWw9-dKKgbViNhfuy0StA",
"rpId": "localhost",
"timeout": 300000,
"userVerification": "required"
}
}
},
"otpSms": "string",
"otpEmail": "string"
}
}
- Schema
- Example (from schema)
Schema
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
"id of the session"
"The current token of the session, which is required for delete session, get session or the request of other resources."
challenges
object
webAuthN
object
Options for Assertion Generaration (dictionary PublicKeyCredentialRequestOptions). Generated helper methods transform the field to JSON, for use in a WebauthN client. See also: https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions
{
"details": {
"sequence": "2",
"changeDate": "2025-01-03T14:02:13.040Z",
"resourceOwner": "69629023906488334"
},
"sessionId": "222430354126975533",
"sessionToken": "string",
"challenges": {
"webAuthN": {
"publicKeyCredentialRequestOptions": {
"publicKey": {
"allowCredentials": [
{
"id": "ATmqBg-99qyOZk2zloPdJQyS2R7IkFT7v9Hoos_B_nM",
"type": "public-key"
}
],
"challenge": "GAOHYz2jE69kJMYo6Laij8yWw9-dKKgbViNhfuy0StA",
"rpId": "localhost",
"timeout": 300000,
"userVerification": "required"
}
}
},
"otpSms": "string",
"otpEmail": "string"
}
}
- Schema
- Example (from schema)
Schema
details
object
on read: the sequence of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
on read: the timestamp of the last event reduced by the projection
on manipulation: the timestamp of the event(s) added by the manipulation
"id of the session"
"The current token of the session, which is required for delete session, get session or the request of other resources."
challenges
object
webAuthN
object
Options for Assertion Generaration (dictionary PublicKeyCredentialRequestOptions). Generated helper methods transform the field to JSON, for use in a WebauthN client. See also: https://www.w3.org/TR/webauthn/#dictdef-publickeycredentialrequestoptions
{
"details": {
"sequence": "2",
"changeDate": "2025-01-03T14:02:13.041Z",
"resourceOwner": "69629023906488334"
},
"sessionId": "222430354126975533",
"sessionToken": "string",
"challenges": {
"webAuthN": {
"publicKeyCredentialRequestOptions": {
"publicKey": {
"allowCredentials": [
{
"id": "ATmqBg-99qyOZk2zloPdJQyS2R7IkFT7v9Hoos_B_nM",
"type": "public-key"
}
],
"challenge": "GAOHYz2jE69kJMYo6Laij8yWw9-dKKgbViNhfuy0StA",
"rpId": "localhost",
"timeout": 300000,
"userVerification": "required"
}
}
},
"otpSms": "string",
"otpEmail": "string"
}
}
Returned when the user does not have permission to access the resource.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
Returned when the resource does not exist.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
An unexpected error response.
- application/json
- application/grpc
- application/grpc-web+proto
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}
- Schema
- Example (from schema)
Schema
Array [
]
details
object[]
{
"code": 0,
"message": "string",
"details": [
{
"@type": "string"
}
]
}