
Create Session Via API Token

Post a session token to this API endpoint to start a session and set a cookie to log a user into an app.

This API endpoint works within a login flow in which your app server calls the Create Session Login Token API to generate a session token. The app login page posts the session token via the browser to the session_via_api_token endpoint, using either a form post or a CORS (Cross Origin Resource Sharing) request.

For detailed usage flows and examples that illustrate how this API works with the Create Session Login Token API to log in a user, see Logging a User in Via API.

Resource URL


Originally, the endpoint was https://admin.<us_or_eu>, but now that subdomains are mandatory and used for admin URLs, you should use the subdomain in the resource URL. We will continue to support admin.<us_or_eu> for the foreseeable future, but we recommend that you update your calls to use the subdomain.

Sample Request

HTML form post:

<!doctype html>
<meta charset="utf-8">
<p>Auth API Test</p>
<!-- The form action is the session_via_api_token endpoint for your subdomain (see Resource URL). -->
<form action="https://{your_subdomain}" method="POST">
    <!-- The session token returned by the Create Session Login Token API -->
    <input type="hidden" name="session_token" value="{your session token value}">
    <input type="submit" value="GO">
    <input id="auth_token" type="hidden">
</form>

CORS post:

If the request is posted from the origin that was specified using the Custom-Allowed-Origin-Header-1 header when calling the Create Session Login Token API, the following code will return a session cookie:

function makeCors(session_token) {
   var xhr = new XMLHttpRequest();
   // Required so the browser accepts and stores the session cookie from the response
   xhr.withCredentials = true;
   var method = "POST";
   // The session_via_api_token endpoint for your subdomain (see Resource URL)
   var url = "https://<your_subdomain>";
   xhr.open(method, url, true);
   xhr.setRequestHeader("Content-Type", "application/json");
   var body = {"session_token": session_token};
   xhr.send(JSON.stringify(body));
}

Sample Response

In a successful response to a CORS request, the session_via_api_token endpoint simply sends a cookie which sets a session on the browser.

If the token is bad, the endpoint refuses the CORS request and the browser displays a “blocked by CORS policy” error message (whose content depends on the browser).
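The same credentialed CORS post written against the fetch API, with the "blocked by CORS policy" failure mode handled explicitly. This is an added example, not OneLogin's code; ENDPOINT is a placeholder for the session_via_api_token URL of your subdomain, and fetchImpl is injectable so the flow can be exercised without a live endpoint.

```javascript
// Placeholder: the session_via_api_token endpoint for your subdomain (see Resource URL).
const ENDPOINT = "https://{your_subdomain_session_via_api_token_endpoint}";

// Build the fetch options the endpoint needs: a cross-origin POST with a JSON body
// carrying only the session_token. credentials: "include" is the fetch equivalent of
// xhr.withCredentials = true and is what lets the browser store the session cookie.
function buildSessionRequest(sessionToken) {
  if (typeof sessionToken !== "string" || sessionToken.length === 0) {
    throw new TypeError("session_token must be a non-empty string");
  }
  return {
    method: "POST",
    mode: "cors",
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ session_token: sessionToken }),
  };
}

// Map what the browser hands back to one outcome. A rejected token surfaces as a CORS
// block, which fetch reports as a TypeError rather than as an HTTP status code.
function classifyOutcome(error, response) {
  if (error) {
    return error instanceof TypeError ? "cors_blocked" : "network_error";
  }
  return response && response.ok ? "session_cookie_set" : "http_error";
}

// Post the token and report the outcome; the cookie itself is set by the browser.
async function postSessionToken(sessionToken, fetchImpl = globalThis.fetch) {
  const options = buildSessionRequest(sessionToken);
  try {
    const response = await fetchImpl(ENDPOINT, options);
    return classifyOutcome(null, response);
  } catch (err) {
    return classifyOutcome(err, null);
  }
}
```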

Usage Flows and Code Samples

See Logging a User In Via API.
