Create Session Via API Token
Post a session token to this API endpoint to start a session and set a cookie to log a user into an app.
This API endpoint works within a login flow in which your app server calls the Create Session Login Token API to generate a session token. The app login page posts the session token via the browser to the session_via_api_token endpoint, using either a form post or a CORS (Cross Origin Resource Sharing) request.
For detailed usage flows and examples that illustrate how this API works with the Create Session Login Token API to log in a user, see Logging a User in Via API.
Resource URL
https://<your_subdomain>.onelogin.com/session_via_api_token
Sample Request
HTML form post:
<!doctype html>
<html>
<head>
<meta charset="utf-8">
</head>
<body>
<p>Auth API Test</p>
<form action="https://{your_subdomain}.onelogin.com/session_via_api_token" method="POST">
<input type="hidden" name="session_token" value="{your session token value}">
<input type="submit" value="GO">
<input id="auth_token" type="hidden">
</form>
</body>
</html>
CORS post:
If posted from the URL that was specified using the Custom-Allowed-Origin-Header-1 header when calling the Create Session Login Token API, the following will return a session cookie:
function makeCors(session_token) {
  var xhr = new XMLHttpRequest();
  // Allow the browser to store the session cookie from the cross-origin response
  xhr.withCredentials = true;
  var method = "POST";
  var url = "https://<your_subdomain>.onelogin.com/session_via_api_token";
  xhr.open(method, url, true);
  xhr.setRequestHeader("Content-Type", "application/json");
  // The endpoint expects the token in the session_token field
  var body = {"session_token": session_token};
  xhr.send(JSON.stringify(body));
}
Sample Response
In a successful response to a CORS request, the session_via_api_token endpoint simply sends a cookie which sets a session on the browser.
If the token is bad, the endpoint refuses the CORS request and the browser displays a “blocked by CORS policy” error message (whose content depends on the browser).
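The CORS post and its failure case described above, written with fetch as an added example (not OneLogin's own code). The function names and result strings are hypothetical, and treating a non-2xx response as "rejected" is an assumption, since the page documents no status codes.

```javascript
// Added example. buildSessionRequest, startSession and the result strings are
// hypothetical; only the endpoint path and the session_token field come from the page.
const SUBDOMAIN_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function buildSessionRequest(subdomain, sessionToken) {
  // Accept a single DNS label only, so a malformed value containing dots or
  // slashes cannot redirect the session token to a different host.
  if (!SUBDOMAIN_RE.test(subdomain)) {
    throw new Error("invalid subdomain");
  }
  if (typeof sessionToken !== "string" || sessionToken.length === 0) {
    throw new Error("missing session token");
  }
  return {
    url: "https://" + subdomain + ".onelogin.com/session_via_api_token",
    init: {
      method: "POST",
      credentials: "include", // fetch equivalent of xhr.withCredentials = true
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ session_token: sessionToken }),
    },
  };
}

// fetchImpl is injectable so the logic can be exercised without a network.
async function startSession(subdomain, sessionToken, fetchImpl = globalThis.fetch) {
  const { url, init } = buildSessionRequest(subdomain, sessionToken);
  try {
    const response = await fetchImpl(url, init);
    // Assumption: any non-2xx status means no session was created.
    return response.ok ? "session-started" : "rejected";
  } catch (err) {
    // A refused CORS request rejects with TypeError. The script sees no status
    // or body, so it cannot be told apart from a network failure here.
    if (err instanceof TypeError) return "blocked-or-network-error";
    throw err;
  }
}
```

On "blocked-or-network-error", send the user back through the login flow so the app server requests a fresh session token rather than retrying the same one from the page.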
Usage Flows and Code Samples
See Logging a User In Via API.