Authentication REST API
The Signicat Authentication REST API enables you to authenticate your end-users in an easy and secure way. With the Authentication REST API, you can implement various authentication flows in your backend systems. This authentication method is less complex to integrate than OIDC and SAML 2.0.
Compared to OIDC or SAML 2.0, the Authentication REST API's main advantages are:
- REST standard: Since this is just a very simple REST API, you do not need to implement complex protocols.
- Wide support: The API supports complex flows such as the headless flow.
However, note the following limitations:
- You always need a backend system to call the API securely.
- You may have to write more custom code instead of relying on an SDK, as you can with OIDC and SAML.
Available flows
The Authentication REST API supports the following authentication flows:
Learn more about each flow below.
Redirect flow
The redirect flow allows you to pass a URL to your end-users which they will open in a browser.
In a redirect flow, end-users are redirected several times during the authentication session. At the end of this redirect chain, end-users are routed to the success callbackUrl, which corresponds to a location in your backend. Then, you can retrieve the result of the authentication session from the Authentication REST API. This includes information about the authenticated user (for example, subject).

Sequence diagram example
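The callback step of the redirect flow, as an added example that is not Signicat's own code: the backend treats the hit on the success callbackUrl only as a trigger and reads the result server-side for the session it stored itself. The class, the `fetch_session` helper, the `status` field and its values are assumptions for illustration, and the sample results are constructed.

```python
# Added example: names, fields and status values are assumptions, not Signicat's API.

class RedirectFlowCallbacks:
    """Tracks which authentication session each browser session started."""

    def __init__(self, fetch_session):
        # fetch_session(session_id) -> dict. In production this would be an
        # authenticated backend-to-API request for the session result
        # (hypothetical helper, injected so the example runs offline).
        self._fetch_session = fetch_session
        self._pending = {}  # browser session id -> authentication session id

    def start(self, browser_id, session_id):
        """Remember the session your backend just created for this browser."""
        self._pending[browser_id] = session_id

    def on_success_callback(self, browser_id):
        """Return the authenticated subject, or None if the callback is rejected."""
        # Single use: a replayed callback finds nothing left to consume.
        session_id = self._pending.pop(browser_id, None)
        if session_id is None:
            return None
        # A browser reaching callbackUrl proves nothing by itself; the result
        # is read server-side for the id this backend stored, never for an id
        # supplied by the browser.
        result = self._fetch_session(session_id)
        if result.get("status") != "SUCCESS":  # assumed status value
            return None
        return result.get("subject")


# Constructed sample results standing in for API responses.
SAMPLE_RESULTS = {
    "sess-ok": {"status": "SUCCESS", "subject": "user-123"},
    "sess-open": {"status": "WAITING"},
}


def sample_fetch(session_id):
    """Offline stand-in for the server-side result lookup."""
    return SAMPLE_RESULTS.get(session_id, {"status": "UNKNOWN"})


if __name__ == "__main__":
    flow = RedirectFlowCallbacks(sample_fetch)
    flow.start("browser-A", "sess-ok")
    print(flow.on_success_callback("browser-A"))
    print(flow.on_success_callback("browser-A"))
```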
Headless flow
A headless flow, in the context of authentication and APIs, refers to a process that occurs without a user interface (UI). In a headless flow, the frontend and backend components are decoupled, allowing for greater flexibility to deliver multiple services that interact with the same backend service.
The headless flow allows you to provide your own user interface within your app or website. Requests are sent from your backend server to Signicat's Authentication REST API.
Headless flow is currently only available for the following eIDs:
Embedded flow
Embedded flows enable you to render the authentication flow inside an iframe in your application (as opposed to the redirect flow, where you redirect the user to another page).
In an embedded flow, the authentication journey happens inside a component, like an iframe, embedded within your UI. In this scenario, your application manages the iframe and polling logic, creating a hybrid integrated experience for your end-users.
We support embedded flows for the following eIDs:
API reference
In our Authentication REST API reference, you can find information about the available endpoints and properties, as well as sample requests and responses.
Tutorial video
This video shows you how to configure the Authentication REST API for the Signicat eID and Wallet Hub in the Signicat Dashboard.