Authentication

Sesamy uses Auth0-compatible authentication to provide industry-standard, secure API access. You can integrate using any Auth0-compatible SDK.

Authentication Methods

Sesamy supports different authentication flows depending on your use case:

Management API - Client Credentials Flow

For server-to-server authentication to the Management API, use the Client Credentials flow.

Best for: Backend services, administrative tasks, server-side integrations

Learn more about API Keys →

Apps & Websites - Authorization Code Flow

For user-facing applications and websites, use the Authorization Code flow with support for PKCE, cookie sessions, and refresh tokens.

Best for: Web applications, single-page applications, native mobile apps

Learn more about OAuth 2.0 →

Quick Examples

Management API - Client Credentials Flow

Get a token for server-to-server authentication:

```bash
curl -X POST https://token.sesamy.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "audience=https://api.sesamy.com"

# Use the access token
curl -X GET https://api.sesamy.com/management/v1/... \
  -H "Authorization: Bearer ACCESS_TOKEN"
```

Apps & Websites - Authorization Code Flow (with PKCE)

For web and mobile applications:

```bash
# Step 1: Redirect the user's browser to the authorization endpoint.
# (This is the URL to redirect to, not a command. The scope list is
# space-separated, so the spaces must be percent-encoded as %20.)
https://token.sesamy.com/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=openid%20profile%20email&
  code_challenge=CHALLENGE&
  code_challenge_method=S256

# Step 2: Exchange the code for a token (the code_verifier must be the
# value whose S256 hash was sent as code_challenge in Step 1)
curl -X POST https://token.sesamy.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=authorization_code" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "code=AUTH_CODE" \
  -d "code_verifier=VERIFIER" \
  -d "redirect_uri=https://yourapp.com/callback"

# Use the access token
curl -X GET https://api.sesamy.com/client/v1/profile \
  -H "Authorization: Bearer ACCESS_TOKEN"
```
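The PKCE values in the two steps above (CHALLENGE and VERIFIER) have to be generated by the application itself, and the callback has to be checked before the code is exchanged. The following is an added example, not code from the Sesamy docs or SDKs: it generates a code_verifier and its S256 code_challenge as RFC 7636 specifies, builds the Step 1 URL with the scope list correctly percent-encoded, validates the state parameter on the callback, and produces the form body for Step 2. The endpoint URLs and placeholder client values are the page's own; the state handling and the function names are this example's assumptions, and the client-side Python shown here would normally live in the web app's backend or an Auth0-compatible SDK.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

# Endpoints from the page; YOUR_CLIENT_ID and https://yourapp.com/callback are its placeholders.
AUTHORIZE_URL = "https://token.sesamy.com/authorize"
TOKEN_URL = "https://token.sesamy.com/oauth/token"


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43 unreserved characters, the minimum length RFC 7636 allows."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 method: base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id: str, redirect_uri: str, verifier: str, state: str,
                        scopes=("openid", "profile", "email")) -> str:
    """Step 1 URL. Only the challenge leaves the client; the verifier stays in the session."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    # quote_via=quote encodes spaces as %20, so the scope list survives as one parameter.
    return f"{AUTHORIZE_URL}?{urlencode(params, quote_via=quote)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the authorization code from the redirect back to the app.

    The state check binds the callback to the login attempt this client started,
    which is what stops a forged or replayed callback from being exchanged.
    """
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this login attempt")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request_body(client_id: str, code: str, verifier: str, redirect_uri: str) -> str:
    """Form body for Step 2; the verifier proves this client originated the Step 1 request."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": redirect_uri,
    })


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("YOUR_CLIENT_ID", "https://yourapp.com/callback", verifier, state))
    # After the user returns to https://yourapp.com/callback?code=...&state=...:
    # code = parse_callback(callback_url, state)
    # POST token_request_body("YOUR_CLIENT_ID", code, verifier, "https://yourapp.com/callback") to TOKEN_URL
```

The verifier and state are generated fresh per login attempt and kept server-side (or in the SPA's session storage) until the callback arrives; a verifier that is reused or stored where another page can read it defeats the point of PKCE.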

Session Management

Sesamy supports multiple session management options for apps and websites:

Cookie Sessions (Custom Domains)

If you're using a custom domain, cookie-based sessions are supported for a seamless user experience.

Token Refresh (All Domains)

If you're not using custom domains, use refresh tokens to maintain user sessions:

```bash
curl -X POST https://token.sesamy.com/oauth/token \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=refresh_token" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "refresh_token=REFRESH_TOKEN"
```
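Both the Management API client-credentials request above and this refresh-token request return a short-lived access token that the caller has to cache and renew before it expires. The following is an added example, not code from the Sesamy docs or SDKs, of a small token session that does that for either grant: it sends the same form bodies the curl commands send, caches the access token, renews it shortly before `expires_in` runs out, and keeps a rotated refresh token if the server issues one. The token endpoint URL and the placeholder values are the page's own; the `TokenSession` class, the injected transport (a stand-in for `requests.post` or similar) and the constructed fake endpoint are this example's assumptions so that it runs offline.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

TOKEN_URL = "https://token.sesamy.com/oauth/token"  # from the page

# A transport posts a form-encoded body to the token endpoint and returns the decoded JSON.
# In production it would wrap an HTTP client; here it is injected so the example runs offline.
Transport = Callable[[str, str], Dict[str, object]]


class TokenSession:
    """Caches an access token and fetches a new one shortly before it expires.

    With client_secret it uses the client_credentials grant (Management API);
    with refresh_token it uses the refresh_token grant (apps and websites).
    """

    def __init__(self, client_id: str, transport: Transport, *,
                 client_secret: Optional[str] = None, audience: Optional[str] = None,
                 refresh_token: Optional[str] = None, leeway: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.client_id = client_id
        self.transport = transport
        self.client_secret = client_secret      # read from a vault or env var, never hard-coded
        self.audience = audience
        self.refresh_token = refresh_token
        self.leeway = leeway                    # renew this many seconds before expiry
        self.clock = clock
        self._access_token: Optional[str] = None
        self._expires_at = 0.0

    def _grant_params(self) -> Dict[str, str]:
        if self.refresh_token is not None:
            return {"grant_type": "refresh_token", "client_id": self.client_id,
                    "refresh_token": self.refresh_token}
        if self.client_secret is not None:
            if not self.audience:
                raise ValueError("client_credentials needs an audience")
            return {"grant_type": "client_credentials", "client_id": self.client_id,
                    "client_secret": self.client_secret, "audience": self.audience}
        raise ValueError("need a refresh_token or a client_secret")

    def access_token(self) -> str:
        now = self.clock()
        if self._access_token is not None and now < self._expires_at - self.leeway:
            return self._access_token
        response = self.transport(TOKEN_URL, urlencode(self._grant_params()))
        if "access_token" not in response or "expires_in" not in response:
            raise RuntimeError(f"token endpoint error: {response.get('error', 'malformed response')}")
        self._access_token = str(response["access_token"])
        self._expires_at = now + float(response["expires_in"])
        # Refresh token rotation: if the server issued a replacement, the old one must not be reused.
        if response.get("refresh_token"):
            self.refresh_token = str(response["refresh_token"])
        return self._access_token

    def auth_header(self) -> Dict[str, str]:
        return {"Authorization": f"Bearer {self.access_token()}"}


def fake_token_endpoint() -> Tuple[Transport, List[str]]:
    """Constructed stand-in for the token endpoint; returns (transport, list of bodies sent)."""
    calls: List[str] = []

    def post(url: str, body: str) -> Dict[str, object]:
        assert url == TOKEN_URL
        calls.append(body)
        form = dict(parse_qsl(body))
        if form.get("grant_type") not in ("client_credentials", "refresh_token"):
            return {"error": "unsupported_grant_type"}
        reply: Dict[str, object] = {"access_token": f"tok-{len(calls)}",
                                    "token_type": "Bearer", "expires_in": 3600}
        if form["grant_type"] == "refresh_token":
            reply["refresh_token"] = f"rt-{len(calls)}"   # rotated on every use
        return reply

    return post, calls


if __name__ == "__main__":
    post, calls = fake_token_endpoint()
    session = TokenSession("YOUR_CLIENT_ID", post, refresh_token="REFRESH_TOKEN")
    print(session.auth_header(), "after", len(calls), "token request(s)")
```

Renewing at `expires_in - leeway` rather than on the first 401 avoids a burst of failed API calls at the boundary, and storing the rotated refresh token immediately matters because a server that rotates will reject the previous one.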

Security Best Practices

Important

Never expose your client secrets in client-side code or public repositories. Always use PKCE for public clients (SPAs, native apps).

  1. Store secrets securely: Use environment variables or secure vaults for sensitive credentials
  2. Use HTTPS: Always use HTTPS for all authentication endpoints
  3. Enable PKCE: Use PKCE for all public clients (SPAs, native apps) to prevent authorization code interception
  4. Validate tokens: Verify token signatures and expiration on your backend
  5. Rotate secrets: Regularly rotate client secrets in your dashboard
  6. Use appropriate scopes: Request only the scopes your application needs

Auth0-Compatible SDKs

Since Sesamy uses Auth0-compatible authentication, you can use any Auth0-compatible SDK, configured with token.sesamy.com as its domain.

Next Steps

  • API Keys - Management API credentials and setup
  • OAuth 2.0 - Complete authorization flow guide
  • JWT Tokens - Understanding and validating tokens

Released under the MIT License.