Login Anonymous #
How to login anonymously #
Log in to the app as an anonymous user. This function is passed the handle of the anonymous user. The format of the anonymous user handle is:
ANON_<UUID>
where UUID is a globally unique identifier created by the client. The server creates an anonymous user if the handle conforms to this format: if the handle does not exist yet, the server creates a user for it. If the handle does not conform to ANON_<UUID>, the function fails and returns a 600 error code.
This function is only supported if the app supports anonymous login; if anonymousLoginEnable is false, it returns a 414 error code.
The loginAnonymous function initiates the anonymous login process with the AppKey server for a specific application. It follows the WebAuthn protocol: the client requests a challenge from the AppKey server, which acts as the FIDO2 Relying Party. Since the Passkey is stored on the client, authentication occurs by signing the challenge with the private key held in the client device's keychain, which is accessible only through the user's biometric authentication. The client then calls the loginAnonymousComplete function, returning the signed challenge to the AppKey server, which verifies it against the user's public key stored on the server.
URL #
/api/appuser/loginAnonymous
Method #
POST
Headers #
app-token: "<App Token>"
Data Parameter #
{
    handle: "<user handle>",
    locale: "<locale for user>"
}
Response #
Success: #
StatusCode: #
200 (OK)
Contents #
{
    challenge: <FIDO2 challenge>,
    rp: {
        name: "AppKeyServer",
        id: "appkey.io"
    },
    user: {
        id: <user uuid>,
        name: <ANON_<GUID>(<appname-uniqueId>)>,
        displayName: <ANON_<GUID>>,
        handle: <ANON_<GUID>>
    },
    pubKeyCredParams: [
        {
            alg: -7,
            type: "public-key"
        },
        {
            alg: -257,
            type: "public-key"
        }
    ],
    timeout: 60000,
    attestation: "none",
    excludeCredentials: [],
    authenticatorSelection: {
        residentKey: "discouraged",
        userVerification: "preferred",
        requireResidentKey: false
    },
    extensions: {
        credProps: true
    },
    requireAddPasskey: true
}
Error: #
StatusCode: #
400 (BAD REQUEST)
500 (INTERNAL SERVER ERROR)
Contents #
{
    code: "<internal error code>",
    message: "<readable error description>"
}
The internal codes are integers:
- 400 - invalid app token
- 401 - app no longer exists
- 402 - app is suspended
- 403 - missing parameter
- 404 - user account is suspended
- 413 - app is migrated
- 414 - app does not support anonymous user
- 500 - internal server error
- 600 - invalid login credentials
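The following is an added client-side example, not code from the AppKey project, that ties together the handle format, the request described above and the response and error codes in this section. It generates a conforming ANON_<UUID> handle, rejects malformed handles locally (the case the server answers with code 600), assembles the POST to /api/appuser/loginAnonymous with the app-token header, and parses the server's reply: on an error status it maps the internal code to the table above, and on 200 it checks that rp.id is the expected relying party and that pubKeyCredParams offers an algorithm the client can sign with before the challenge is handed to the authenticator. The sample success and error bodies, the token value and the challenge string are constructed for illustration; the response is treated as JSON with the field names shown on this page, which is an assumption about the wire format.

```python
import re
import uuid

# Handle format required by loginAnonymous: the literal prefix "ANON_" followed by a UUID.
HANDLE_RE = re.compile(
    r"^ANON_[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Internal error codes from the page, keyed by integer code.
INTERNAL_ERROR_CODES = {
    400: "invalid app token",
    401: "app no longer exists",
    402: "app is suspended",
    403: "missing parameter",
    404: "user account is suspended",
    413: "app is migrated",
    414: "app does not support anonymous user",
    500: "internal server error",
    600: "invalid login credentials",
}

# COSE algorithm identifiers the response lists in pubKeyCredParams.
COSE_ALG_NAMES = {-7: "ES256", -257: "RS256"}


class AppKeyLoginError(Exception):
    """Raised for a non-200 reply or a reply the client refuses to act on."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.code = code
        self.message = message


def new_anonymous_handle():
    """Create a handle conforming to ANON_<UUID>; the UUID is generated by the client."""
    return f"ANON_{uuid.uuid4()}"


def is_valid_handle(handle):
    """True when the handle matches ANON_<UUID>; anything else would fail with code 600."""
    return bool(HANDLE_RE.match(handle))


def build_login_request(app_token, handle, locale):
    """Assemble the documented POST. The body is returned as a dict for the HTTP client
    to serialize as JSON; the handle is validated locally before any request is sent."""
    if not is_valid_handle(handle):
        raise ValueError(f"handle does not conform to ANON_<UUID>: {handle!r}")
    return {
        "method": "POST",
        "url": "/api/appuser/loginAnonymous",
        "headers": {"app-token": app_token},
        "body": {"handle": handle, "locale": locale},
    }


def parse_login_response(status_code, data, expected_rp_id="appkey.io"):
    """Interpret the server reply (already decoded from JSON into a dict).

    Non-200 replies carry an internal code and message; on 200 the client verifies the
    challenge is for the expected relying party and picks the algorithms it can use."""
    if status_code != 200:
        code = int(data.get("code", 0))
        message = data.get("message") or INTERNAL_ERROR_CODES.get(code, "unknown error")
        raise AppKeyLoginError(code, message)
    rp_id = data["rp"]["id"]
    if rp_id != expected_rp_id:
        # Never sign a challenge issued for a relying party other than the one expected.
        raise AppKeyLoginError(0, f"unexpected rp.id {rp_id!r}")
    offered = [p["alg"] for p in data["pubKeyCredParams"] if p.get("type") == "public-key"]
    usable = [COSE_ALG_NAMES[a] for a in offered if a in COSE_ALG_NAMES]
    if not usable:
        raise AppKeyLoginError(0, "no supported algorithm in pubKeyCredParams")
    return {
        "challenge": data["challenge"],
        "rp_id": rp_id,
        "user_id": data["user"]["id"],
        "handle": data["user"]["handle"],
        "algorithms": usable,
        "timeout_ms": data["timeout"],
        "require_add_passkey": bool(data.get("requireAddPasskey", False)),
    }


# Constructed sample replies shaped like the Contents blocks above (not real server output).
SAMPLE_HANDLE = "ANON_123e4567-e89b-12d3-a456-426614174000"
SAMPLE_SUCCESS = {
    "challenge": "constructed-challenge-value",
    "rp": {"name": "AppKeyServer", "id": "appkey.io"},
    "user": {"id": "constructed-user-uuid", "name": f"{SAMPLE_HANDLE}(demoapp-1)",
             "displayName": SAMPLE_HANDLE, "handle": SAMPLE_HANDLE},
    "pubKeyCredParams": [{"alg": -7, "type": "public-key"}, {"alg": -257, "type": "public-key"}],
    "timeout": 60000, "attestation": "none", "excludeCredentials": [],
    "authenticatorSelection": {"residentKey": "discouraged", "userVerification": "preferred",
                               "requireResidentKey": False},
    "extensions": {"credProps": True}, "requireAddPasskey": True,
}
SAMPLE_ERROR = {"code": "414", "message": "app does not support anonymous user"}

if __name__ == "__main__":
    req = build_login_request("constructed-app-token", new_anonymous_handle(), "en-US")
    print(req)
    print(parse_login_response(200, SAMPLE_SUCCESS))
```

The options returned by parse_login_response are what the client passes to its platform authenticator; the signed result then goes to loginAnonymousComplete, which this example does not cover.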