ZITADEL Docs

CreateSession

Create Session

Create a new session with initial checks, metadata and challenges for further verification. A token is returned which is required for using the session for authentication, e.g. when authenticating an OIDC auth request or a SAML request. Additionally, the session token can be used as an OAuth2 access token to authenticate against the Zitadel APIs. Treat it as a bearer secret: whoever holds it can act as the session, so store it like a password and keep it out of logs.

Required permissions:

  • session.write
POST /v2/sessions

Request Body

application/json

checks?

The checks to be performed during session creation. Note that a user check can only be performed once per session and cannot be changed afterwards. Some checks require that the user is already checked, either in the previous or the same request. For example, a password check requires that the user is already checked. Other checks, like WebAuthN or IDP intent, require that the user is already checked and a challenge was requested in any previous request. On successful checks, the session's factors field will be updated.

metadata?

Custom key value list to be stored on the session.

challenges?

Challenges to be requested for further verification. The challenges are created and returned in the response. They can then be verified in a subsequent SetSession call on the same session.

userAgent?

Store information about the user agent of the client. This information is stored on the session and can be used for auditing or security purposes. Sessions can also be filtered by user agent information.

lifetime? string (format: duration, e.g. "3600s")

Duration after which the session will be automatically invalidated. If not set, the session will not expire automatically and must be deleted manually. Note that an expired session cannot be used for authentication anymore, but will still be listed until it is deleted.

Response Body

application/json

# $ZITADEL_DOMAIN: your instance's domain; $TOKEN: a token that carries session.write
curl -X POST "https://$ZITADEL_DOMAIN/v2/sessions" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $TOKEN" \
  -d '{}'
Success response:

{
  "details": {
    "sequence": 0,
    "changeDate": "1s",
    "resourceOwner": "string",
    "creationDate": "1s"
  },
  "sessionId": "string",
  "sessionToken": "string",
  "challenges": {
    "webAuthN": {
      "publicKeyCredentialRequestOptions": {
        "property1": {},
        "property2": {}
      }
    },
    "otpSms": "string",
    "otpEmail": "string"
  }
}

Error response:

{
  "code": "not_found",
  "message": "string",
  "detail": {
    "type": "string",
    "value": "string",
    "debug": {}
  }
}
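The ordering rules above (a password check needs a user check in the same request; WebAuthN and IDP intent checks need a challenge from an earlier request and therefore cannot be verified in CreateSession itself) are easy to get wrong from a client. The following Python is an added example, not ZITADEL's own code or SDK: it validates the checks client-side before sending, encodes lifetime as the protobuf JSON duration string the field expects, posts the body, and turns the returned sessionToken into the Authorization header for follow-up calls. The nested field names checks.user.loginName, checks.password.password, challenges.webAuthN.domain and userAgent.ip are assumptions (they are not shown on this page); the sample response is constructed to match the documented success body.

```python
import json
import urllib.request
from typing import Any, Dict, Optional

# Checks that, per the docs, need a challenge issued by an earlier request.
# There is no earlier request when the session is being created, so these can
# only be verified through SetSession after CreateSession returned the challenge.
# Only the two checks the docs name explicitly are listed here.
NEEDS_PRIOR_CHALLENGE = frozenset({"webAuthN", "idpIntent"})


def validate_create_checks(checks: Dict[str, Any]) -> Optional[str]:
    """Return why these checks cannot go into CreateSession, or None if they can.

    Docs rule: every non-user check requires the user to be checked first.
    On CreateSession there is no previous request, so the user check must be
    part of this same body.
    """
    if not checks:
        return None
    for name in checks:
        if name in NEEDS_PRIOR_CHALLENGE:
            return f"{name}: needs a challenge from an earlier request; request it here, verify it via SetSession"
    if "user" not in checks:
        return "non-user checks require a user check in the same request"
    return None


def lifetime_from_seconds(seconds: int) -> str:
    """Encode a lifetime as a protobuf JSON Duration string, e.g. 3600 -> "3600s"."""
    if seconds <= 0:
        raise ValueError("lifetime must be a positive number of seconds")
    return f"{seconds}s"


def build_create_session_body(
    checks: Dict[str, Any],
    challenges: Optional[Dict[str, Any]] = None,
    user_agent: Optional[Dict[str, Any]] = None,
    lifetime_seconds: Optional[int] = None,
) -> Dict[str, Any]:
    """Build the JSON body for POST /v2/sessions, refusing check combinations
    the server would reject anyway. challenges and userAgent are passed through."""
    problem = validate_create_checks(checks)
    if problem:
        raise ValueError(problem)
    body: Dict[str, Any] = {}
    if checks:
        body["checks"] = checks
    if challenges:
        body["challenges"] = challenges
    if user_agent:
        body["userAgent"] = user_agent
    if lifetime_seconds is not None:
        body["lifetime"] = lifetime_from_seconds(lifetime_seconds)
    return body


def session_auth_header(response: Dict[str, Any]) -> Dict[str, str]:
    """Authorization header for follow-up calls (SetSession, or finishing an
    OIDC/SAML auth request). The token is a bearer secret: never log it."""
    token = response.get("sessionToken")
    if not token:
        raise ValueError("response carries no sessionToken")
    return {"Authorization": f"Bearer {token}"}


def pending_challenges(response: Dict[str, Any]) -> Dict[str, Any]:
    """Only the challenges the server actually issued (empty values dropped)."""
    return {k: v for k, v in (response.get("challenges") or {}).items() if v}


def create_session(base_url: str, api_token: str, body: Dict[str, Any]) -> Dict[str, Any]:
    """POST the body to <base_url>/v2/sessions using a token that holds
    session.write. Network call; not exercised offline."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/v2/sessions",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {api_token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample shaped like the documented success response (not real data).
SAMPLE_RESPONSE = {
    "details": {"sequence": 12, "resourceOwner": "org-id-example"},
    "sessionId": "session-id-example",
    "sessionToken": "session-token-example",
    "challenges": {
        "webAuthN": {"publicKeyCredentialRequestOptions": {"challenge": "constructed"}},
        "otpSms": "",
        "otpEmail": "",
    },
}

if __name__ == "__main__":
    # Assumed field names: checks.user.loginName, checks.password.password,
    # challenges.webAuthN.domain, userAgent.ip (not shown on this page).
    body = build_create_session_body(
        {"user": {"loginName": "alice@example.com"},
         "password": {"password": "correct horse battery staple"}},
        challenges={"webAuthN": {"domain": "login.example.com"}},
        user_agent={"ip": "203.0.113.7"},
        lifetime_seconds=3600,
    )
    print(json.dumps(body, indent=2))
    print(session_auth_header(SAMPLE_RESPONSE))
    print(pending_challenges(SAMPLE_RESPONSE))
```

Because a user check can only be performed once per session and cannot be changed afterwards, the validator is deliberately strict: a body that tries to verify a WebAuthN assertion in the create call is rejected locally rather than burning a round trip, and the caller requests the challenge instead and completes it with SetSession using the header returned by session_auth_header.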
