
Password

Learn to add password-based authentication to an Organization directly in your app in a headless way, from activating the password connection to the final login attempt. Alternatively, use the ready-to-use interface provided by the self-hosted Gateway User Interface.


Password authentication has been a key element of online security for many years. Using advanced cryptographic techniques such as hashing and salting, passwords have been used to protect confidential information. However, we don't just follow established standards. We have sought to improve security and enhance the experience by introducing modern methods. Our aim is to offer more secure approaches and rethink the use of traditional passwords.

With the Password Connection, Cryptr provides you:

  • State-of-the-art password hashing with Argon2
  • A secure Vault for your password hashes
  • Password strength analysis with Zxcvbn
  • Time To Live password management
  • Password leak detection to prevent your users from using leaked passwords

1 Configure your first password Connection

API object definitions

  • Organizations: An Organization represents a business customer or partner in your Cryptr service.
  • Users: Cryptr stores user profiles in a dedicated hosted cloud database for a specific Organization. Profile information can come from your users directly; the sources are signup, logins or Active Directory.

How to leverage your API key

Setting up Environment Variables

It is important that your Cryptr API key remains secret, so it is defined as a CRYPTR_CLIENT_SECRET environment variable at startup. The ID of your API key, CRYPTR_CLIENT_ID, must also be defined.

CRYPTR_ACCOUNT_DOMAIN=communitiz-app
CRYPTR_CLIENT_SECRET=79cef058-530c-4c19-a12d-ff57ff5e592b
CRYPTR_CLIENT_ID=b7bde828-4df1-4f62-9a3a-d1541a2fc9e4
danger

Cryptr does not keep the created API key, so store it with care. You can always request a new one in case of loss, or blacklist your API key in case of compromise.

info

In a dedicated environment, remember to set the CRYPTR_SERVICE_URL as an environment variable. This ensures proper communication with the service and enables customization of the service URL based on your environment.

Cryptr Service URL for dedicated instance
CRYPTR_ACCOUNT_DOMAIN=communitiz-app
CRYPTR_CLIENT_SECRET=79cef058-530c-4c19-a12d-ff57ff5e592b
CRYPTR_CLIENT_ID=b7bde828-4df1-4f62-9a3a-d1541a2fc9e4
CRYPTR_SERVICE_URL=https://my-company.authent.me

Instantiating your Cryptr Client

Here is a concrete example to illustrate how to leverage an instance:

curl -X POST "${cryptr_service_url}/oauth/token" \
-H "Content-Type: application/json" \
-d '{
"grant_type": "client_credentials",
"domain": "CRYPTR_ACCOUNT_DOMAIN",
"client_id": "CRYPTR_CLIENT_ID",
"client_secret": "CRYPTR_CLIENT_SECRET"
}'
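
The token request above, written so that it fails fast when a variable is missing and never puts the client secret on a command line, where other local processes could read it. This is an added example, not Cryptr's own code: the helper names are hypothetical, and it assumes CRYPTR_SERVICE_URL is set as described for a dedicated environment.

```sh
#!/bin/sh
# Added example (not Cryptr's code): build and send the client_credentials
# request from the environment variables defined above.

# Return non-zero unless every named variable is set and non-empty.
require_env() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required environment variable: $name" >&2
            return 1
        fi
    done
}

# Escape backslashes and double quotes so a value is safe inside a JSON string.
# The value reaches sed on stdin, so it never appears in a process argument list.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Print the JSON body for POST /oauth/token.
build_token_body() {
    require_env CRYPTR_ACCOUNT_DOMAIN CRYPTR_CLIENT_ID CRYPTR_CLIENT_SECRET || return 1
    printf '{"grant_type":"client_credentials","domain":"%s","client_id":"%s","client_secret":"%s"}' \
        "$(json_escape "$CRYPTR_ACCOUNT_DOMAIN")" \
        "$(json_escape "$CRYPTR_CLIENT_ID")" \
        "$(json_escape "$CRYPTR_CLIENT_SECRET")"
}

# Send the request. The body is piped to curl (--data-binary @-), so the
# secret is not visible in `ps` output or shell history.
request_token() {
    require_env CRYPTR_SERVICE_URL || return 1
    case "$CRYPTR_SERVICE_URL" in
        https://*) ;;
        # Check added by this example: refuse to send the secret in clear text.
        *) echo "CRYPTR_SERVICE_URL must use https" >&2; return 1 ;;
    esac
    body=$(build_token_body) || return 1
    printf '%s' "$body" | curl --silent --show-error --fail \
        -X POST -H 'Content-Type: application/json' \
        --data-binary @- "${CRYPTR_SERVICE_URL}/oauth/token"
}

# Usage: token_response=$(request_token) || exit 1
```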

Create your Users directory

When it comes to controlling access, the first step is to store your users in a dedicated directory. This directory is specific to each Organization and environment, which can either be a sandbox environment for testing and development or a default environment for production.

An Organization can represent your enterprise customer, a public service, or an association, and is identified by a strong identifier known as the domain.

To get started, we create a dedicated environment for each new customer, where we store all information and configuration settings. This ensures that actions are confined to that specific customer.

The environment is defined by your API key, meaning that data created with a sandbox API key will be stored in a sandbox environment, and data created with a production API key will be stored in a default environment.

For example, if your Cryptr client instance uses a sandbox client ID, it will only store users in the sandbox environment and grant them authentication rights in that environment.


The Organization Owner

Create a new Organization with a name and the list of email domains taken from the professional emails of the users:

curl -X POST ${cryptr_service_url}/api/v2/organizations \
-H "Authorization: Bearer your-access-token-from-client-id-and-secret" \
-d name="Communitiz App" \
-d "email_domains[]=communitiz.app"

Now we get the domain of our new Organization; here communitiz-app is the domain identifier. From now on, each time a new user is created from our password-based authentication, it will be stored in a dedicated directory.

Create a User

We can create a user for the Organization we created:

curl -X POST "${cryptr_service_url}/api/v2/org/${org_domain}/users" \
--form 'profile[email]="emilie@communitiz-app.co"'

However, it is important to consider the following error:

  • "422 email has already been taken": This means that a user with this email address already exists in your project. We inform the user that they can use another email address, or invite them to log in. (The email address is used as an identifier to find a user.)
note

You can access a user's information using either the identifier generated when they were created, or their email address.

See the API page to explore the options for user creation.

List the users of a directory from a sandbox or production environment

We can fetch the users from this directory. Note that you can fetch users from a sandbox environment with an API key for sandbox, and users from production with an API key for production.

curl -G "${cryptr_service_url}/api/v2/org/${org_domain}/users" \
-d page=${page} \
-d per_page=${per_page}

Of course, at this time our list is empty. To see more about Organizations and Users, please have a look at our Organization API Reference and User API Reference. We can store the users of our Organization and attach a password connection to it.

Password Connection creation

With an Organization created and an API key, we can create a Password Connection between your application and your customer (the Organization).

Create a new connection of the Password type:

curl -X POST ${cryptr_service_url}/api/v2/org/${org_domain}/password-connection

2 Integrate the password authentication to your Application

API object definitions

  • Organization: An Organization represents a business customer or partner in your Cryptr service.
  • Password: A password represents a user's authentication credential used to access protected services. It can be created, reset, or renewed.

First of all, of course, you'll need to create a password for your user.

Create The Password of the User

To initiate the process of creating a new password using a magic link, you'll need to trigger a password request for the user.

note

We recommend using the magic link password creation action instead of direct creation for security purposes.

curl -X POST ${cryptr_service_url}/api/v2/password-request \
-d user_email="john@communitiz-app.com" \
-d redirect_uri=${redirect_uri} \
-d org_domain=${org_domain} \
-d find_or_create_user=true

With this API request, you'll get a magic link token. Send it to your users by email. Once a user has clicked on this magic link, we will use the redirect_uri provided to redirect the user. After the redirect you will get a password_code that will be used to create a new password. The user will have to enter a new password. Send this new password and the password code to our next API endpoint.

info

Note that there is a find_or_create_user option. Thanks to this option, you can ask to create the user at the time of password creation. To do so, set this option to true. If you do not wish to create a user at the same time as the password, leave this option set to false or leave it blank. The default setting is false.

Create the new Password

Now that you have the password code, you can create a password for your user.

curl -X POST ${cryptr_service_url}/api/v2/password \
-d user_email="john@communitiz-app.com" \
-d plain_text="2vK79^41aokzi6lc8" \
-d password_code="9DGykvCVPZDEZ1rD8pie7xl8s4fQtG" \
-d org_domain="communitiz-app"

Using the Create a new Password request, you'll obtain a code. You can then consume this code with a POST request to ${cryptr_service_url}/oauth/token with the parameter &code=code to retrieve the associated tokens. These tokens contain both the user's access rights and identity.

If you use a specific SDK, the process is automated, with no need for additional manual steps. The SDK handles the API, enabling you to retrieve the tokens directly.

info

Password Code VS Authorization Code

With the Password Code (password_code or passwordCode), you get the right to create the new Password for your user.

With the Authorization Code (code), you can fetch the final tokens, which contain the access rights and the identity of the User.

Create the new Password directly without email verification

If you wish, you can create a password for your users without having to check their mailbox. To do this, use the code below:

curl -X POST ${cryptr_service_url}/api/v2/password \
-d user_email="john@communitiz-app.com" \
-d plain_text="2vK79^41aokzi6lc8" \
-d org_domain="communitiz-app"

Now that your users have their passwords, you can manage their sessions using the password challenge.

Cryptr secures the connection by generating a password challenge using the email address and password supplied by the user. If the challenge is successful, authentication is granted, enabling the user to access the service. If the password has expired, Cryptr provides you with a code to request a new password. Otherwise, access is denied.

Cryptr schema - Integrate the challenge to your app

To set up your password challenge, you will need to make sure that you set up your account domain, client ID and client secret correctly. You can refer to the environment variable configuration for setting up this information.

Login

Challenge a Password

curl -X POST ${cryptr_service_url}/api/v2/password-challenge \
-d user_email="emilie@communitiz-app.co" \
-d password="2vK79^41aokzi6lc8"

The user_email domain is used to retrieve your organization domain but you can also use this endpoint with org_domain as parameter.

Password Challenge using Organization Domain

Password Challenge with Org Domain

This request lets you challenge the user when the user_email alone is not enough.

curl -X POST ${cryptr_service_url}/api/v2/password-challenge \
-d user_email="emilie@communitiz-app.co" \
-d org_domain=${org_domain} \
-d plain_text="2vK79^41aokzi6lc8"

The createPasswordChallenge function takes an email address and a plain text password to create a password challenge, which verifies that the person is authorized to access the service.

info

We use the email to find the user: the email domain helps Cryptr find the Organization owner, and that email domain is recommended for the creation of an Organization. That's why the Organization domain is an optional parameter.

Renew expired password

The provided password may be correct; however, we also check whether it has expired by checking the expiredPassword property of the passwordChallenge object. If the password is correct but has expired, Cryptr provides a renewCode, which can be used with the renewPassword function.

Once the user has chosen a new password, you can use Cryptr's createPassword function, passing the renewal code (renewCode) supplied by passwordChallenge and the new password in plain text (newPassword).

If none of the above conditions are met, the user is not authorized and cannot access the service or application.

curl -X POST ${cryptr_service_url}/api/v2/password \
-d user_email="john@communitiz-app.com" \
-d plain_text="2vK79^41aokzi6lc8" \
-d password_code="9DGykvCVPZDEZ1rD8pie7xl8s4fQtG" \
-d org_domain="communitiz-app"

Full example of processing of results

val passwordChallenge = cryptr.createPasswordChallenge(
    userEmail = "john@communitiz-app.com",
    plainText = "2vK79^41aokzi6lc8",
    orgDomain = "communitiz-app"
)

if (passwordChallenge.expiredPassword) {
    // note: an expired password is always the result of a successful challenge

    // redirect user to a screen to create a new one
    // then use:
    cryptr.createPassword(
        userEmail = "john@communitiz-app.com",
        plainText = "2vK79^41aokzi6lc8", // the new password entered by the user
        passwordCode = passwordChallenge.renewPassword.passwordCode,
        orgDomain = "communitiz-app"
    )
} else if (passwordChallenge.success) {
    // exchange the authorization code for the user's token
    val code = passwordChallenge.code
    val token = Cryptr.getToken(code)
    // do something
} else {
    // unauthorized
}

After generating a password challenge, we check whether the challenge was successful ("success" property) or not. If so, the password authentication is valid.

In this case, the code retrieves the authentication token from the passwordChallenge object. This token enables the user to access the service or application. In the case of an expired Password you can see that we also check the password expiration. We will talk about this in the next part.

Reset a forgotten Password

During the login step, users may encounter errors that can block access. Here are two common errors and their meanings:

  • "not_found": This means that the email address the user entered when logging in was not found in the system. This error may also be received if the Password Connection has not been created or if the domain entered does not exist or has been entered incorrectly.

  • "unauthorized_credentials": This error occurs when the credentials provided when trying to log in are incorrect. The user is asked to ensure that they enter their email address and password correctly, also checking the case of the characters.

If the user encounters any of these errors, or has forgotten their password, we offer a request feature to enable them to create a new password. Using the request process, the user receives an email inviting them to create a new password. They will then have to validate the new password, respecting the required security criteria (such as password strength), and once completed, they will be redirected back to the application, ready to use it again.

Reset password

Cryptr schema - Reset password

If the user forgets their password, or if their password is involved in a data breach, they can reset it. This is a two-step process to ensure the security of the account.

curl -X POST ${cryptr_service_url}/api/v2/password-request \
-d user_email="john@communitiz-app.com" \
-d redirect_uri="http://authen.me/welcome_back" \
-d org_domain="communitiz-app"

# You will get a Magic Link Token to send to your user by email
# When your user will click on the link:
curl -X GET "${cryptr_service_url}/callback"

# If the Token is valid
# You will receive a code to reset the password
# you prompt a new form (or redirect your user to a new one)

# Here you can pass only the plain_text & the password_code
# Cryptr can retrieve the user and the org_domain thanks to the password_code

curl -X POST ${cryptr_service_url}/api/v2/password \
-d plain_text="2vK79^41aokzi6lc8" \
-d password_code="9DGykvCVPZDEZ1rD8pie7xl8s4fQtG"

In the first step, the user is asked to enter the email address associated with their account. You will then receive a unique magic link token that you can send to the user by email. This token is a specific code that identifies the password reset request.

The second stage begins when the user clicks on the link provided in the reset email. This link contains the unique token, which is sent to the server. The server checks the validity of the token and redirects the user to a page where they can set a new password. Note that it is possible to pass only the 'plain_text' and the 'password_code': Cryptr can retrieve the 'user' and the 'org_domain' from the 'password_code'.

In the event of an error, if the user tries to reset the password with a non-existent email address, an error message will be displayed to inform the user of this situation.

Conclusion

I hope this guide has given you a better understanding of the steps involved in password authentication in your application. Here is a summary of the topics covered:

  • Creating an Organization with a name and a list of associated email domains.
  • The initial configuration of the password login to create a new account for your users.
  • Password challenge, a feature that enhances security while simplifying authentication.
  • Password security, with emphasis on password strength and protection against leaks.
  • Error messages and hints to provide a clear and informative user experience during authentication.
  • Password reset & renew, enabling users to create a new password in the event of expiry or forgetfulness.

To test and ensure the operation of your password authentication system, here are a few practical tips:

  • Use authentication and authorization scenarios in a test environment to check that the process runs smoothly.
  • Take advantage of activity monitoring features to quickly identify and resolve any problems relating to authentication and user management.

If you'd like to go even further, we encourage you to explore our advanced features such as two-factor authentication (coming soon) to further enhance security.

What's more, our comprehensive documentation will enable you to customize login screens according to your branding, offering an optimized user experience.

Alternatives

If the user forgets their password, we offer an alternative: the magic link. Find out more about this authentication method in our magic link integration guide. So, even if the user forgets their password, they can still access the application securely and conveniently.

To offer your users a convenient and secure login experience, we offer two alternative authentication methods: Magic Link and Single Sign-On (SSO). To benefit from these features, the organization must support these specific authentication methods.

It's important to note that Magic Link enables fast, password-free log-in by clicking on a unique link sent by email, allowing the user to reset their password once they've logged in.

See our dedicated guides for integrating Magic Link and SSO into your application and offering your users a smooth, secure login experience.

Thank you for choosing Cryptr to simplify user authentication.

Please do not hesitate to contact us should you require any further assistance.

API endpoint used in this guide

You can read more about the API endpoints used in this guide in our API Reference.

Enhanced password security

To guarantee password security, we use two important tools: zxcvbn and HaveIBeenPwned.

Zxcvbn is an algorithm that evaluates the strength of passwords by analyzing their complexity, taking into account criteria such as length, variety of characters used and predictability. This enables us to provide recommendations for improving the strength of your users' passwords.

At the same time, we also check whether the password your user has chosen has been compromised in previous security breaches thanks to HaveIBeenPwned. This service compares the password provided with a database of publicly disclosed passwords. If a match is found, we recommend choosing a more secure password to protect the account.

By combining zxcvbn's analysis with HaveIBeenPwned's verification, we ensure that passwords are as secure as possible and that personal information is protected.

Our aim is to provide users with the best possible experience when creating their first password. If the password does not meet the required security criteria, we will provide advice on how to improve its robustness.
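
How a leaked-password lookup of this kind can be done without disclosing the password: HaveIBeenPwned's range API receives only the first five characters of the password's SHA-1 hash, and the match is made locally. This is an added example, not Cryptr's implementation; the function names are hypothetical and the range response is constructed sample data.

```sh
#!/bin/sh
# Added example (not Cryptr's code): k-anonymity lookup against a
# HaveIBeenPwned range response.

# Print the uppercase hex SHA-1 of the argument, using whichever tool exists.
sha1_upper() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    elif command -v shasum >/dev/null 2>&1; then
        printf '%s' "$1" | shasum -a 1
    else
        printf '%s' "$1" | openssl dgst -sha1 -r
    fi | cut -c1-40 | tr 'a-f' 'A-F'
}

# The prefix is the only value sent to the service; the suffix stays local.
hibp_prefix() { sha1_upper "$1" | cut -c1-5; }
hibp_suffix() { sha1_upper "$1" | cut -c6-40; }

# Read a range response ("SUFFIX:COUNT" per CRLF-terminated line) on stdin and
# print how often the candidate password appears in it (0 if absent).
pwned_count() {
    suffix=$(hibp_suffix "$1")
    tr -d '\r' | awk -F: -v s="$suffix" \
        'toupper($1) == s { n = $2 } END { print n + 0 }'
}

# Constructed range response for prefix 5BAA6 (the counts are invented).
sample_range_response() {
    printf '%s\r\n' \
        '1D72CD07550416C216D8AD296BF5C0AE8E0:3' \
        '1E4C9B93F3F0682250B6CF8331B7EE68FD8:42' \
        '1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1'
}

# Accept or reject a candidate password against a range response on stdin.
check_password() {
    count=$(pwned_count "$1")
    if [ "$count" -gt 0 ]; then
        echo "rejected: seen $count times in breach data"
        return 1
    fi
    echo "accepted: not found in range response"
}

# Live lookup (needs network access):
#   curl -s "https://api.pwnedpasswords.com/range/$(hibp_prefix "$pw")" \
#       | check_password "$pw"
```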