Session-less protected REST APIs

This article describes session-less services in the Loginapp REST API's protected REST API.

  • It applies to the following end-points:
  • All end-points under: /protected/my/.
  • The end-point /protected/secret-questions.

For most of the session-less protected REST APIs, there is a corresponding flow-based API in the Protected self-service REST APIs.
Whenever possible, prefer the flow-based variant over the services listed here.

Authentication and authorization

Requests to the session-less protected REST APIs need to be authenticated and authorized. The corresponding configuration is:

Loginapp >> REST Settings >> Request Authentication and Request Authorization.

  • Request Authentication: Defines how users or REST clients are authenticated (e.g. Basic Auth, client certificates, or OAuth tokens).
  • See Authentication of REST requests for more information about request authentication.

  • Access Controller: Defines what services are accessible by the authenticated user or REST client.
    • The following plugins are available:
    • "Resource Access Controller": role-based access policy based on REST resource paths (e.g. rules like " IF $user has role 'admin' THEN allow POST on path /protected/xxx")
    • "Enabling All Access Controller": use this plugin to disable authorization and allow all services to authenticated users.

You may use the Airlock Gateway (WAF)'s one-shot authentication flow to secure the protected API upfront.

  • This has the following security advantages:
  • Authentication enforcement and coarse-grained access control are done on the Airlock Gateway (WAF)
  • The API may be strictly enforced using the Airlock Gateway (WAF)s "API enforcement" feature

To do so, proceed as follows:

Service List



Configuration Path in Config Editor*

Password Change and Reset

Allows a user to change or reset the password.

User Self-Service Settings >> Password Settings

Email Change

Allows a user to change the stored email address. Involves sending an email to the user with a verification link or code.

User Self-Service Settings >> Email Self-Service

mTAN Self-Service

List stored MTAN numbers (mobile phone numbers), change MTAN meta-data (e.g. label), and change MTAN number (involves sending an OTP to the new number, and verifying it).

User Self-Service Settings >> mTAN Self-Service

Cronto Self-Service

Self-service to order Cronto activation letters.

User Self-Service Settings >> Cronto Self-Service

Secret Questions

List possible questions and store answers to secret questions.

User Token Settings >> Secret Question Settings

Device Token Registration

User Token Settings >> Device Registration Settings

User Information

Returns information about the authenticated user.

User Self-Service Settings >> mTAN Self-Service