Once the end user clicks the link, their browser opens the app's auth URL with a "code" URL parameter. The front end should extract the "code" parameter from the URL and pass it to the backend; the backend then sends it as the "auth_code" parameter of the verify API below. The exchange is done on the backend so that the client_secret is never exposed to the front end, where anyone could read it from the page source or from network traffic.

Request

POST <https://api.ezid.io/email-link/verify>
Content-Type: application/json

{
    "client_id": "8b5e6e7a45caec7b891c13a8a2484acf",
    "client_secret": "4d6765d698ce1824a678ca07143decdba4c123d08743e72eb8b0bf7fc4028d8e",
    "auth_code": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1dWlkIjoiMmRmYmVlMmEtZDFhYS00MjYwLWE3YzctNjU2Y2MxMWZjMTg0IiwiaWF0IjoxNjM5OTczNzkxLCJleHAiOjE2Mzk5NzczOTF9.NMWJ-4jpq8PS2hR6VbVCk-JQgY-dytbBA4cFKS2hA58"
}

Response

{
    "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InRlc3QyNHByb2RAZW1haWwuY29tIiwibm9uY2UiOiJiOGI5YjZhYy0yNjc4LTQwMjEtYThjZi1mNTQ4YTE5MjYyN2MiLCJpYXQiOjE2Mzk5NzM4MjQsImV4cCI6MTY0MDAwOTgyNH0.s3gfh8kF0n3A6Cwx_prjqCfvUnoV2RjCyD9RUmSMc1lRnKLDTY_ixiurSZ9mZQsufj74gB0lKC3MS7v2j9DmJGHPLNGgSUsACB4y5iTlhvLC8KdkZmaE93oM2IOelmc0bP9iWFI9u_bndp2IKpWh3EjniZSQ83AC9OZHn4vfM-fX2ODM0zisA5A75NdINQvaNWgqbxFAabsK29TxKQXKYCn7Sdzsigwap2BZbTAhxNWa9XVgD_fdYtnkhNKJIL52sSQJD-UorjkZIYXrSzjJiKgjDrYsQ5C5Gll1kkgqGevGDRPBrYE62DW24Rd-a6pK0VWMtl0WhJNBY1ExC6SxiZwr5b4jniUiXlPIlpn4ygcegiYgNdFUxqim1BWxmjLa3_qcoZVMuLlEiuOXyWpezHJs4CwvgN5e9ufLCJYJJ_WRvVgR-f2GdXd6gLXN-FQ1MwcbxsaqHb00FjJMNl3yOoLr0C4z5f1br_f6m7BNIJkOUfkjQaOSdpe1rrJIhFRoFKt_X6ONgVjom8vtP3Ul91LpzmxgSvZFSHKmZE_86b6EnTpMpixxjNOtE1ZCS3VxBHOu-5DAgeLLFKWBXITiaBzLX05kCyeenGdcwVuZIlpLvfRjdqk8n5ADRQv7meJ3G9mJBRh4Awl2NHHLDegG_9xDA3QYgCDiDo7iOuN3HgM",
    "access_token": "12c6499680953066c695425d33c9eaa58407be743906f5645d43656a7c2362bd",
    "refresh_token": "83223b63-45ff-4e8a-ae11-f24462d71cbb",
    "success": true
}

id_token: a JWT that can be decoded and used in the client; it contains the user data.
access_token: used to access the backend APIs of the app.

Both id_token and access_token are described as JWTs that can be verified using the EZiD public key (provided separately to you, and attached below). The id_token header in the sample above is alg RS256, so verification must use the RSA public key, not a shared secret. If you are using Node.js you can use the jsonwebtoken npm package: var decoded = jwt.verify(token, fs.readFileSync('public_key.pem'), { algorithms: ['RS256'] }); this both verifies the signature and expiry and returns the decoded JSON payload. Pin the algorithm as shown: jsonwebtoken versions before 9.0 do not restrict the algorithm by key type, so without the algorithms option a token whose header claims HS256 and whose signature is an HMAC keyed with the public PEM would also be accepted. Note also that the access_token in the sample response above is a 64-character hex string rather than a JWT, so check what your integration actually receives before attempting to decode it.

You can use the id_token parameter in the response to show user details in the client. You can store it in a cookie or in local storage; bear in mind that anything in local storage is readable by any script running on the page, so keep only what the client needs for display there.

You can use the access_token parameter in the response for API calls by including it in the Authorization header as a Bearer token, e.g.

POST www.example-api.com
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJwbGFuZXR0cmVlLmV6aWQuaW8iLCJhdWQiOiJwbGF0ZXRyZWUuY28iLCJjbGllbnRfaWQiOiJ4c2xmaGFrc2pkaGZqd2plcmhqZHNmamtubHNramRrZiIsImlhdCI6MTYzNjM2MDMzMCwiZXhwIjoxNjM2MzYwNjMwfQ.M6ro_nLmRo2e3u20DlyhHVJ1cI9ei5C5rQJ9VrwQeP

<aside> 🔑 EZiD Public Key

public_key.pem

</aside>
