Login without password using master secret


Any chance we could "become" a user by calling a login request via REST API with the master secret - without having to specify a password? The request would then return the normal authtoken for that user.

This would be valuable for custom server-side logins (third-party authentication) and also the ability to login as a user for support purposes.



Hey Caroline - Any update on this?

With a little more thought on this topic, the token returned should not be new if one already exists. Otherwise it will logout users already logged in.

Another way of achieving this may be for Kinvey to return the existing (or a new authtoken if none already exists) when querying a specific user using the master key via `GET /user/:appKey/:id` ?
Thanks Caroline. Hopefully this is something we could achieve via a /rpc or /user REST API request, or possibly via a Business Logic function - for example modules.backendContext.getAuthToken(username).
Hey Ryan, I will chat with Ivan about it and see if it's coming up in the roadmap and let you know.
An example would be:

```http
POST /rpc/:appKey/generate-token HTTP/1.1
Authorization: [Basic Auth with master credentials]
Content-Type: application/json

{
  "username": "ivan"
}
```

```http
HTTP/1.1 200 OK
X-Kinvey-Api-Version: 1
Content-Type: application/json

{
  "username": "ivan",
  "location": "Cambridge, MA, USA",
  "locale": "en-US",
  ...
}
```

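As an added illustration (not code from Kinvey or from anyone in this thread), here is how a server-side handler for the proposed `POST /rpc/:appKey/generate-token` endpoint could behave: it requires Basic auth with the master credentials, never accepts a user password, and returns the user's existing authtoken rather than minting a new one, so sessions that are already logged in are not invalidated. The app key, master secret, token store and response shape (`"authtoken"`) are constructed assumptions for the example.

```python
import base64
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed master credentials for illustration only. In a real deployment
# these live in server-side secret storage and are never sent to clients.
MASTER_CREDENTIALS: Dict[str, str] = {"kid_demoApp": "demo-master-secret"}


class TokenStore:
    """Simulates the server's session table: username -> existing authtoken."""

    def __init__(self) -> None:
        self.tokens: Dict[str, str] = {}


def basic_auth_header(app_key: str, secret: str) -> str:
    """Build 'Basic base64(appKey:secret)' as a client would send it."""
    return "Basic " + base64.b64encode(f"{app_key}:{secret}".encode()).decode()


def master_auth_ok(app_key: str, authorization: Optional[str]) -> bool:
    """Validate Basic auth against the master secret for this app key."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        user, _, secret = base64.b64decode(authorization[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = MASTER_CREDENTIALS.get(app_key)
    if expected is None or user != app_key:
        return False
    # Constant-time comparison so timing does not leak the master secret.
    return hmac.compare_digest(secret.encode(), expected.encode())


def generate_token(store: TokenStore, app_key: str, headers: Dict[str, str],
                   body: Dict[str, object]) -> Tuple[int, Dict[str, object]]:
    """Handle POST /rpc/:appKey/generate-token; returns (status, json body)."""
    if not master_auth_ok(app_key, headers.get("Authorization")):
        return 401, {"error": "master credentials required"}
    username = body.get("username")
    if not isinstance(username, str) or not username:
        return 400, {"error": "username required"}
    # Reuse the existing token so an already-logged-in user is not logged out.
    token = store.tokens.get(username)
    if token is None:
        token = secrets.token_urlsafe(32)
        store.tokens[username] = token
    return 200, {"username": username, "authtoken": token}
```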
Caroline - Any chance we can get visibility if this is on the roadmap too? This is the last item that's stopping us from building our app on this platform.

If not possible via REST API is there some way we could do this via a Custom Endpoint to generate a session token for a specific user?
Hey Ivan,

Thanks for commenting! That's more for using the master secret - which has access to everything and shouldn't be client-facing.

I'm referring to generating an authtoken for a user without having to supply a password.

This way queries/ACLs etc. are enforced and the app behaves as if the user has logged in with their username/password.

For server-side logins you can just use basic auth using the master secret, and no authtoken is required.

Does that work?