The following documentation provides a detailed explanation how Corbado can be used with your own session management. If you build a new application without existing users, we strongly recommend to use Corbado’s session management, as this will save you a lot of implementation time and is a proven solution.

To use your own session management, you have to switch the toggle in the Corbado developer panel “Settings” - “Sessions”. Otherwise, your Redirect URL will not receive the corbadoAuthToken.


Own Session Management

1. Get and validate corbadoAuthToken

After successful authentication, e.g. passkeys or email magic link, Corbado redirects the user to the Redirect URL that you have defined in the developer panel.

The Redirect URL will be appended with a GET parameter (query string) called corbadoAuthToken (e.g.<tokenValue>). This token is valid for five minutes and can only be used once.

To proceed, you need to validate this token:

Create an instance of the Backend SDK (private client) first.
app.get("/validateAuthToken", async (req, res) => {
  try {
    const corbadoAuthToken = req.query.corbadoAuthToken;
    const request = {
      token: corbadoAuthToken,
      clientInfo: {
        remoteAddress: "",
        userAgent: "Corbado Node.js SDK Example",

    // Returns response on valid auth token, throws exception on invalid auth token
    const response = await sdk.authTokens().validate(request);

    // ...
  } catch (error) {

There should be no origin header set for the API call from your backend to Corbado’s AuthTokenValidate Backend API endpoint.

clientInfo extracts the information from an HTTP request object - specifically, the client’s IP address (remoteAddress) and browser/OS details (userAgent).

The client’s IP can is obtained by checking the ‘x-forwarded-for’ header first - this is common when clients connect via an HTTP proxy or load balancer. If present, it extracts the first IP from either an array or string format of the header. If the ‘x-forwarded-for’ header is absent, the function resorts to the IP address from the remote socket:

  "remoteAddress": "string",
  "userAgent": "string"

2. Get user data and generate own session

Next you can get user data from the response and create a session:

// ...

// Generate own session (e.g. creating a JWT with user ID from
// and storing it as cookie)