
Standalone Session

For SDK and Web flows where AppSecret cannot be exposed to the browser — currently the Liveness SDK — use the standalone session flow instead of GetAppToken.

Your backend obtains a sessionId with credentials, hands the sessionId to the browser, and the browser swaps it for the JWT at runtime. The returned JWT follows the same lifetime as any other access token (see Token Expiration).

Flow at a glance

  1. Backend → POST /AppSessionManager/GetStandaloneSession with appId + appSecret + tenantId. Receives sessionId.
  2. Backend → hands sessionId to the browser (page render, postMessage, cookie — your choice).
  3. Browser / SDK (optional) → POST /AppSessionManager/ValidateSessionId to confirm sessionId is still valid before mounting the SDK.
  4. Browser / SDK → GET /AppSessionManager/GetToken/{sessionId} to obtain the JWT.
  5. Browser / SDK → uses the JWT as Authorization: Bearer <jwt> on subsequent calls.

AppSecret never leaves your backend.

Get a standalone session

POST {auth_base_url}/api/AppSessionManager/GetStandaloneSession

Request Body

{
  "appId": "your-app-id",
  "appSecret": "your-app-secret",
  "tenantId": "your-tenant-id",
  "host": "your-portal.example.com"
}

Parameters

Field | Type | Required | Description
appId | string | Yes | Your app identifier.
appSecret | string | Yes | Your app secret. Must stay on your backend; never expose it to the browser.
tenantId | string | Yes | Your tenant identifier.
host | string | No | The origin (hostname) your front-end will be served from. Currently accepted but not validated; reserved for a future origin-validation feature, so you can wire it into the SDK now and avoid a breaking change later.

Response

{
  "version": null,
  "statusCode": 200,
  "messages": ["Processed successfully"],
  "result": {
    "sessionId": "9c7b69b6-4de0-4605-a841-8ece6ec7b1f9",
    "expiryDate": "2026-05-21T09:56:49.649495Z"
  }
}

Response Fields

Field | Type | Description
sessionId | string | Identifier you pass to the browser. Use it with Exchange a session for a token to obtain the JWT.
expiryDate | datetime | UTC timestamp at which both the sessionId and its underlying token expire.

The new session is persisted on the server, so your front-end can exchange sessionId for the JWT at any time before expiryDate.

Validate session

Useful when your backend, or the front-end before it mounts the SDK, needs to check whether a previously issued sessionId is still valid, for example before redirecting a returning user into the SDK. Returns metadata only; the JWT is never included in the response.

POST {auth_base_url}/api/AppSessionManager/ValidateSessionId

Request Body

{
  "sessionId": "9c7b69b6-4de0-4605-a841-8ece6ec7b1f9"
}

Response — valid session

{
  "version": null,
  "statusCode": 200,
  "messages": ["Processed successfully"],
  "result": {
    "isValid": true,
    "expiryDate": "2026-05-21T09:56:49.649495Z",
    "tenantId": "your-tenant-id"
  }
}

Response — invalid, expired, or unknown session

{
  "version": null,
  "statusCode": 200,
  "messages": ["Processed successfully"],
  "result": {
    "isValid": false,
    "expiryDate": null,
    "tenantId": null
  }
}

This endpoint always returns HTTP 200, so check result.isValid rather than the status code. isValid: false covers an unknown sessionId, an expired session, and revoked underlying app credentials; the response does not say which.

Exchange a session for a token

Used by the front-end to swap a sessionId (obtained via Get a standalone session) for the actual JWT.

GET {auth_base_url}/api/AppSessionManager/GetToken/{sessionId}

Response

{
  "version": null,
  "statusCode": 200,
  "messages": ["Processed successfully"],
  "result": "eyJhbGciOiJIUzI1NiIs..."
}

result is the JWT. Use it exactly as you would the JWT returned by Getting an Access Token.

If the sessionId is unknown, expired, or its underlying app credentials have expired or been revoked, this endpoint returns HTTP 403 instead of a token.
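The five-step flow above, with the three endpoints in this section wired together, as an added example that is not the project's own code. Both halves are written for Node: the backend function holds appSecret and calls GetStandaloneSession; the browser/SDK functions call ValidateSessionId and GetToken and never see the secret. Because the example has to run offline, the calls go to an in-memory stand-in that reproduces only the response envelopes shown on this page (including the always-200 ValidateSessionId reply and the 403 from GetToken). The host auth.example.com, the credential values, the session-id format and the placeholder JWT are all constructed for the example and are assumptions, not behaviour of the real service.

```javascript
// Added example (not the project's code): both halves of the standalone-session
// flow, run against an in-memory stand-in for the AppSessionManager endpoints.
// auth.example.com, the credentials and the session ids are constructed.
const AUTH_BASE_URL = 'https://auth.example.com'; // substitute your {auth_base_url}

// ---- In-memory stand-in for the auth service (reproduces only the page's envelopes) ----
function makeFakeAuthService({ tenantId, ttlMs = 10 * 60 * 1000, now = () => Date.now() }) {
  const sessions = new Map(); // sessionId -> { tenantId, expiresAt, jwt }
  let counter = 0;
  const envelope = (statusCode, result, message = 'Processed successfully') =>
    ({ version: null, statusCode, messages: [message], result });
  const reply = (status, payload) => ({ ok: status < 400, status, json: async () => payload });

  return async function fakeFetch(url, { method = 'GET', body } = {}) {
    const { pathname } = new URL(url);
    const json = body ? JSON.parse(body) : {};

    if (method === 'POST' && pathname === '/api/AppSessionManager/GetStandaloneSession') {
      const sessionId = '9c7b69b6-4de0-4605-a841-' + String(++counter).padStart(12, '0'); // constructed id
      const expiresAt = now() + ttlMs;
      // Placeholder, unsigned token; the real service issues a signed JWT.
      const claims = Buffer.from(JSON.stringify({ tid: tenantId, exp: Math.floor(expiresAt / 1000) })).toString('base64url');
      sessions.set(sessionId, { tenantId, expiresAt, jwt: `eyJhbGciOiJIUzI1NiIs.${claims}.fake-signature` });
      return reply(200, envelope(200, { sessionId, expiryDate: new Date(expiresAt).toISOString() }));
    }
    if (method === 'POST' && pathname === '/api/AppSessionManager/ValidateSessionId') {
      const s = sessions.get(json.sessionId);
      const live = Boolean(s) && s.expiresAt > now();
      // Always HTTP 200: validity is signalled only through result.isValid
      return reply(200, envelope(200, live
        ? { isValid: true, expiryDate: new Date(s.expiresAt).toISOString(), tenantId: s.tenantId }
        : { isValid: false, expiryDate: null, tenantId: null }));
    }
    const m = pathname.match(/^\/api\/AppSessionManager\/GetToken\/([^/]+)$/);
    if (method === 'GET' && m) {
      const s = sessions.get(decodeURIComponent(m[1]));
      if (!s || s.expiresAt <= now()) return reply(403, envelope(403, null, 'Forbidden'));
      return reply(200, envelope(200, s.jwt));
    }
    return reply(404, envelope(404, null, 'Not found'));
  };
}

// ---- Backend side: the only place appSecret exists ----------------------------
async function createStandaloneSession(fetchImpl, { appId, appSecret, tenantId, host }) {
  const res = await fetchImpl(`${AUTH_BASE_URL}/api/AppSessionManager/GetStandaloneSession`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ appId, appSecret, tenantId, host }),
  });
  const env = await res.json();
  if (!res.ok || env.statusCode !== 200) {
    throw new Error(`GetStandaloneSession failed: ${env.messages.join('; ')}`);
  }
  return env.result; // { sessionId, expiryDate }: this, and nothing else, goes to the browser
}

// ---- Browser / SDK side: never sees appSecret ---------------------------------
async function isSessionValid(fetchImpl, sessionId) {
  const res = await fetchImpl(`${AUTH_BASE_URL}/api/AppSessionManager/ValidateSessionId`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ sessionId }),
  });
  const env = await res.json();
  return env.result?.isValid === true; // do not trust the 200 status on its own
}

async function exchangeSessionForToken(fetchImpl, sessionId) {
  const url = `${AUTH_BASE_URL}/api/AppSessionManager/GetToken/${encodeURIComponent(sessionId)}`;
  if (!url.startsWith('https://')) throw new Error('sessionId must only travel over HTTPS');
  const res = await fetchImpl(url, { method: 'GET' });
  if (res.status === 403) return null; // unknown, expired, or app credentials revoked
  const env = await res.json();
  if (!res.ok || env.statusCode !== 200) {
    throw new Error(`GetToken failed: ${env.messages.join('; ')}`);
  }
  return env.result; // the JWT string, used as Authorization: Bearer <jwt>
}

// ---- Whole flow on a controllable clock ---------------------------------------
async function runFlow() {
  const creds = { appId: 'your-app-id', appSecret: 'your-app-secret', tenantId: 'your-tenant-id' };
  let clock = Date.parse('2026-05-21T09:46:49Z');
  const fetchImpl = makeFakeAuthService({ tenantId: creds.tenantId, now: () => clock });

  const { sessionId, expiryDate } = await createStandaloneSession(fetchImpl, { ...creds, host: 'your-portal.example.com' });
  const validBefore = await isSessionValid(fetchImpl, sessionId);
  const jwt = await exchangeSessionForToken(fetchImpl, sessionId);

  clock = Date.parse(expiryDate) + 1000; // step past expiryDate
  const validAfter = await isSessionValid(fetchImpl, sessionId);
  const jwtAfter = await exchangeSessionForToken(fetchImpl, sessionId);
  const unknown = await exchangeSessionForToken(fetchImpl, 'not-a-session');

  return { sessionId, expiryDate, validBefore, jwt, validAfter, jwtAfter, unknown };
}
```

To use the client half against the real service, pass the global fetch as fetchImpl and set AUTH_BASE_URL to your auth_base_url; the stand-in exists only so the example runs without network access. Note that the browser side decides on result.isValid and on the 403 status, not on the envelope's messages text, which the page does not define as a contract.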

Treat sessionId as a secret

sessionId is embedded in the URL path of this GET request, which makes it easy to leak through:

  • server access logs (gateway, application, reverse proxy);
  • browser history;
  • the Referer header on any outbound link from a page that holds the URL.

Treat the sessionId like a token, not like an opaque public id:

  • Call this endpoint over HTTPS only — never over plain HTTP.
  • Set Referrer-Policy: no-referrer on pages that perform the exchange. strict-origin-when-cross-origin is an acceptable fallback, since it sends only the origin to other sites; no-referrer-when-downgrade is not, because it still sends the full URL, path included, to any HTTPS destination.
  • Do not embed the URL in HTML attributes (<a href>, <img src>, etc.) or share it externally.
  • Strip sessionId from any log line you control.
  • If your client architecture allows it, prefer exchanging server-side and handing only the resulting JWT to the browser.
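Two of the items above can be checked mechanically: stripping sessionId from logs you control, and confirming that a Referrer-Policy value actually keeps the GetToken path out of cross-site Referer headers. The following is an added example, not the project's code. The path regex follows the GetToken URL documented on this page; the JSON-field regex assumes an application log that echoes the ValidateSessionId request body, which is an assumption about your logging, not something the page specifies. The sample log lines are constructed.

```javascript
// Added example (not the project's code): scrub sessionIds from log lines and
// classify Referrer-Policy values. Sample lines and the JSON log format are constructed.

// sessionId as the last path segment of the GetToken URL (also matches inside a Referer value)
const SESSION_PATH_RE = /(\/api\/AppSessionManager\/GetToken\/)([^\s/?#"']+)/g;
// sessionId as a JSON field, e.g. an app log echoing the ValidateSessionId body (assumed format)
const SESSION_FIELD_RE = /("sessionId"\s*:\s*")([^"]+)(")/g;

function redactSessionIds(line) {
  return line
    .replace(SESSION_PATH_RE, (_m, prefix) => `${prefix}[REDACTED]`)
    .replace(SESSION_FIELD_RE, (_m, open, _id, close) => `${open}[REDACTED]${close}`);
}

function redactLogLines(lines) {
  return lines.map(redactSessionIds);
}

// Number of lines that carried a raw sessionId before redaction
function countLeakyLines(lines) {
  return lines.filter((l) => redactSessionIds(l) !== l).length;
}

// Policies that never send the path (and with it the sessionId) to another origin
const PATH_SAFE_POLICIES = new Set([
  'no-referrer', 'same-origin', 'origin', 'strict-origin',
  'origin-when-cross-origin', 'strict-origin-when-cross-origin',
]);
// Policies that send the full URL, path included, to cross-origin HTTPS destinations
const PATH_LEAKING_POLICIES = new Set(['no-referrer-when-downgrade', 'unsafe-url']);

// true if this header value could let the GetToken URL reach a third party via Referer.
// Browsers apply the last token they recognise in a comma-separated list; an unset or
// unrecognised value falls back to the browser default and is treated as leaking here.
function referrerPolicyLeaksPath(headerValue) {
  const tokens = (headerValue || '').split(',').map((t) => t.trim().toLowerCase())
    .filter((t) => PATH_SAFE_POLICIES.has(t) || PATH_LEAKING_POLICIES.has(t));
  if (tokens.length === 0) return true;
  return PATH_LEAKING_POLICIES.has(tokens[tokens.length - 1]);
}

// Constructed sample lines: a reverse-proxy access line for the exchange, a third-party
// access line whose Referer carries the exchange URL, an app log echoing a JSON body, and a clean line.
const SAMPLE_LOG_LINES = [
  '203.0.113.7 - - [21/May/2026:09:50:01 +0000] "GET /api/AppSessionManager/GetToken/9c7b69b6-4de0-4605-a841-8ece6ec7b1f9 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [21/May/2026:09:50:04 +0000] "GET /cdn/widget.js HTTP/1.1" 200 3114 "https://auth.example.com/api/AppSessionManager/GetToken/9c7b69b6-4de0-4605-a841-8ece6ec7b1f9" "Mozilla/5.0"',
  '{"level":"info","msg":"validate request","body":{"sessionId":"9c7b69b6-4de0-4605-a841-8ece6ec7b1f9"}}',
  '203.0.113.7 - - [21/May/2026:09:50:05 +0000] "POST /api/AppSessionManager/ValidateSessionId HTTP/1.1" 200 201 "-" "Mozilla/5.0"',
];
```

The second sample line is the case the Referer bullet warns about: a page that performed the exchange loaded a third-party script, and that third party's access log now holds the sessionId. Redaction only helps in logs you control; the policy check is what prevents that line from being written elsewhere in the first place.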