Managing your app's user sessions
Sessions provide a secure context for interactions between an application and a signed-in user; they scope the requests and responses that belong to that particular user. To authenticate requests, Altogic uses two methods:
  • API keys - The API key can be provided in the "Authorization" header of the RESTful API request or as a query parameter named apikey in the endpoint path.
  • Session tokens - For endpoints protected through a session, a valid session token must be provided in the "Session" header of the RESTful API request.
Altogic has several core nodes to create, update, get and delete sessions. Each session is associated with a user, and when creating a session you need to provide the user's unique identifier. You can create multiple sessions for a user, for example when the user signs in to your application from multiple devices. The session object has the following information that you can use:
  • userId - The unique identifier of the user that this session is associated with
  • token - The session token, which must be provided in the "Session" request header for endpoints that require a session
  • creationDtm - The date and time the session was created
  • accessGroupKeys - List of access group keys that are added to the session
  • userAgent - Information about the device that initiated the RESTful API request (device, operating system, etc.)
In the example below, as the last step of a user sign-in process (after fetching the user record and verifying the password), we create a session for the user and return the session object as the response.
(Figure: Creating a user session example)
Below is a simple sign-out example flow in which a signed-in user's session is deleted. Since the endpoint for this sign-out service is marked as session required, the service receives the session object as input. Once the session is deleted, its token can no longer be used in RESTful API requests; any request that still presents it is rejected with an error.
(Figure: Deleting a user session example)
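To make the lifecycle concrete, here is an added Python model (not Altogic's own code or its core nodes) of the session object with the fields listed above and of the checks a session-required endpoint performs on the "Session" header; the class and method names are assumptions and the token format is a constructed choice.

```python
import secrets
from datetime import datetime, timezone


class SessionStore:
    """In-memory model of the session objects described above (assumed layout)."""

    def __init__(self):
        self._by_token = {}  # token -> session object

    def create_session(self, user_id, user_agent, access_group_keys=()):
        # A user may hold several sessions at once, one per signed-in device.
        session = {
            "userId": user_id,
            "token": secrets.token_urlsafe(32),  # unguessable 256-bit random token
            "creationDtm": datetime.now(timezone.utc).isoformat(),
            "accessGroupKeys": list(access_group_keys),
            "userAgent": user_agent,
        }
        self._by_token[session["token"]] = session
        return session

    def sessions_for_user(self, user_id):
        return [s for s in self._by_token.values() if s["userId"] == user_id]

    def delete_session(self, token):
        # Sign-out: drop the session so its token is rejected from now on.
        return self._by_token.pop(token, None) is not None

    def authorize(self, headers, required_group=None):
        """Resolve the session a request presents in its "Session" header.

        Returns (session, None) on success or (None, reason) on rejection,
        mirroring the error a session-required endpoint raises.
        """
        # HTTP header names are case-insensitive, so normalise before lookup.
        token = {k.lower(): v for k, v in headers.items()}.get("session")
        if not token:
            return None, "missing Session header"
        session = self._by_token.get(token)
        if session is None:
            return None, "invalid or deleted session token"
        if required_group and required_group not in session["accessGroupKeys"]:
            return None, "session lacks access group " + required_group
        return session, None
```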