
Create Session Via API Token

Post a session token to this API endpoint to start a session and set a cookie to log a user into an app.

This API endpoint works within a login flow in which your app server calls the Create Session Login Token API to generate a session token. The app login page posts the session token via the browser to the session_via_api_token endpoint, using either a form post or a CORS (Cross Origin Resource Sharing) request.

For detailed usage flows and examples that illustrate how this API works with the Create Session Login Token API to log in a user, see Logging a User in Via API.

Resource URL


Originally, the endpoint was https://admin.<us_or_eu>, but now that subdomains are mandatory and used for admin URLs, you should use the subdomain in the resource URL. We will continue to support admin.<us_or_eu> for the foreseeable future, but we recommend that you update your calls to use the subdomain.

Sample Request

HTML form post:

<!doctype html>
<html>
    <head>
        <meta charset="utf-8">
    </head>
    <body>
        <p>Auth API Test</p>
        <!-- Posts the session token to the session_via_api_token resource URL -->
        <form action="https://{your_subdomain}" method="POST">
            <input type="hidden" name="session_token" value="{your session token value}">
            <input type="submit" value="GO">
            <input id="auth_token" type="hidden">
        </form>
    </body>
</html>

CORS post:

If posted from the URL that was specified using the Custom-Allowed-Origin-Header-1 header when calling the Create Session Login Token API, the following will return a session cookie:

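function makeCors(session_token) {
   var xhr = new XMLHttpRequest();
   var method = "POST";
   // Resource URL of the session_via_api_token endpoint
   var url = "https://<your_subdomain>";
   xhr.open(method, url, true);
   // Send credentials so the browser stores the session cookie from the response
   xhr.withCredentials = true;
   xhr.setRequestHeader("Content-Type", "application/json");
   var body = {"session_token": session_token};
   xhr.send(JSON.stringify(body));
}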

Sample Response

In a successful response to a CORS request, the session_via_api_token endpoint simply sends a cookie which sets a session on the browser.

If the token is bad, the endpoint refuses the CORS request and the browser displays a “blocked by CORS policy” error message (whose content depends on the browser).
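
The CORS post and the two outcomes described above, written with fetch as an added example (not OneLogin's code). The endpoint argument stands for the Resource URL of your subdomain; buildSessionRequest, createSession and the fetchImpl parameter are names assumed here.

```javascript
// Added example, not OneLogin's code. Pass the Resource URL for your
// subdomain as `endpoint`; it is a placeholder here.

// Build the CORS request for a session token (synchronous, easy to unit-test).
function buildSessionRequest(sessionToken, endpoint) {
  if (typeof sessionToken !== "string" || sessionToken.trim() === "") {
    throw new Error("session token is missing");
  }
  const url = new URL(endpoint); // throws on a malformed URL
  if (url.protocol !== "https:") {
    throw new Error("refusing to send a session token over " + url.protocol);
  }
  return {
    url: url.href,
    init: {
      method: "POST",
      credentials: "include", // fetch equivalent of xhr.withCredentials = true
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ session_token: sessionToken }),
    },
  };
}

// Post the token. Resolves to { loggedIn, reason } and never rejects.
// fetchImpl is an assumed injection point so the function can be tested offline.
async function createSession(sessionToken, endpoint, fetchImpl = fetch) {
  let req;
  try {
    req = buildSessionRequest(sessionToken, endpoint);
  } catch (err) {
    return { loggedIn: false, reason: err.message };
  }
  try {
    const res = await fetchImpl(req.url, req.init);
    // Success carries no body to parse: the session is the cookie the browser stored.
    return res.ok
      ? { loggedIn: true, reason: "session cookie set" }
      : { loggedIn: false, reason: "HTTP " + res.status };
  } catch (err) {
    // A refused CORS request reaches script only as a generic TypeError; the
    // "blocked by CORS policy" text is shown in the browser console, not here.
    return { loggedIn: false, reason: "request blocked or network failure" };
  }
}
```

Because script cannot tell a refused token from a network fault, treat any failed result as "not logged in" and request a fresh session token from your app server before retrying.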

Usage Flows and Code Samples

See Logging a User In Via API.
