Authentication REST API
The Signicat Authentication REST API enables you to authenticate your end-users in an easy and secure way. With the Authentication REST API, you can offer a variety of authentication flows from your backend systems. Using such a REST API can often result in a less complex integration compared to OIDC or SAML 2.0.
The main advantages of using this API compared to OIDC or SAML 2.0 are:
- You do not need to implement complex protocols, since this is just a very simple REST API.
- You can support complex flows such as headless flow.
The biggest disadvantages are:
- You always need a backend system to do the API calls securely.
- You may have to write more custom code compared to using a pre-made library or SDK for OIDC or SAML.
Available flows
The Authentication REST API currently supports the following flows:
- Redirect flow
- Headless flow
- Embedded flow
You can find more information about each flow below.
Redirect flow
The redirect flow allows you to pass a URL to your end-users which they will open in a browser.
In a redirect flow, end-users are redirected several times during the authentication session. At the end of this redirect chain, end-users are routed to the "success callbackUrl" for that specific session. This should be an endpoint at your backend system. Your backend will then get the authentication session from our endpoint, which includes the information about the authenticated person (subject).
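The success-callback step described above can be handled as in the following sketch, which is an added example and not Signicat's code. It ties each authentication session to the browser that started it and trusts only the session fetched by the backend. The `fetch_session` wrapper, the `status` field and its `SUCCESS` value are assumptions; `subject` is the name used on this page.

```python
import secrets

class RedirectFlowCallback:
    """Backend-side state for the success callback of a redirect flow."""

    def __init__(self, fetch_session):
        # fetch_session(session_id) -> dict: hypothetical wrapper around the
        # authenticated backend call that retrieves the session.
        self._fetch_session = fetch_session
        self._pending = {}  # browser token -> session id created for that browser

    def begin(self, session_id):
        """Call after creating the session; returns a value for an HttpOnly cookie."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = session_id
        return token

    def complete(self, browser_token):
        """Call from the success callback endpoint. Returns (subject, error)."""
        # pop() makes the callback single-use, so a replayed request finds nothing.
        session_id = self._pending.pop(browser_token or "", None)
        if session_id is None:
            return None, "no pending authentication for this browser"
        session = self._fetch_session(session_id)
        # Reaching the callback URL proves nothing: trust only the fetched status.
        if session.get("status") != "SUCCESS":  # assumed status value
            return None, "authentication not completed"
        subject = session.get("subject")
        if not subject:
            return None, "session has no subject"
        return subject, None

# Constructed sample data standing in for the provider's responses.
FAKE_SESSIONS = {
    "sess-alice": {"status": "SUCCESS", "subject": {"id": "alice"}},
    "sess-abort": {"status": "ABORT"},
}

def demo():
    flow = RedirectFlowCallback(FAKE_SESSIONS.__getitem__)
    ok = flow.begin("sess-alice")
    aborted = flow.begin("sess-abort")
    return [
        flow.complete(ok),        # genuine callback
        flow.complete(ok),        # replay of the same callback
        flow.complete("forged"),  # browser that never started a session
        flow.complete(aborted),   # callback reached, session not successful
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

In a real deployment the pending map would live in your server-side session store with an expiry, and the token would be set as a `Secure`, `HttpOnly` cookie.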

Sequence diagram example
Headless flow
A headless flow, in the context of authentication and APIs, refers to a process that occurs without a user interface (UI). In a headless flow, the frontend and backend components are decoupled, allowing for greater flexibility to deliver multiple services that interact with the same backend service.
The headless flow allows you to provide your own user interface within your app or website. Requests are sent from your backend server to Signicat's Authentication REST API.
Headless flow is currently only available for the following eIDs:
Embedded flow
Embedded flows enable you to render the authentication flow inside an iframe in your application (as opposed to the redirect flow where you are redirecting the user to another page).
In an embedded flow, the authentication journey happens inside a component, like an iframe, embedded within your UI. In this scenario, your application manages the iframe and polling logic, creating a hybrid integrated experience for your end-users.
We support embedded flows for the following eIDs:
API reference
In our Authentication REST API reference, you can find information about the available endpoints and properties, as well as sample requests and responses.
Tutorial video
This video shows you how to configure the Authentication REST API for the Signicat eID and Wallet Hub in the Signicat Dashboard.