Own Session Management
Learn how to use your own session management while using Corbado’s passkey authentication solution.
The following documentation provides a detailed explanation of how Corbado can be used with your own session management. If you are building a new application without existing users, we strongly recommend using Corbado’s session management, as this will save you a lot of implementation time and is a proven solution.
To use your own session management, you have to switch the toggle in the Corbado developer panel under “Settings” - “Sessions”. Otherwise, your Redirect URL will not receive the corbadoAuthToken.
Overview
1. Get and validate corbadoAuthToken
After successful authentication, e.g. passkeys or email magic link, Corbado redirects the user to the Redirect URL that you have defined in the developer panel.
The Redirect URL will be appended with a GET parameter (query string) called corbadoAuthToken (e.g. https://www.acme.com/corbado?corbadoAuthToken=<tokenValue>). This token is valid for five minutes and can only be used once.
To proceed, you need to validate this token:
There should be no origin header set for the API call from your backend to Corbado’s AuthTokenValidate Backend API endpoint.
clientInfo extracts the information from an HTTP request object - specifically, the client’s IP address (remoteAddress) and browser/OS details (userAgent).
The client’s IP is obtained by checking the ‘x-forwarded-for’ header first; this header is common when clients connect via an HTTP proxy or load balancer. If it is present, the first IP is extracted from it, whether the header arrives as an array or as a string. If the ‘x-forwarded-for’ header is absent, the function falls back to the IP address of the remote socket:
{
"remoteAddress": "string",
"userAgent": "string"
}
2. Get user data and generate own session
Next, you can take the user data from the response and create a session: