Authentication Methods

The Visa Platforms Login API uses OAuth2 for client authentication and supports multiple user authentication methods, including username and password, multi-factor authentication, single sign-on, and guest authentication. It also provides session management, password management, and security features to protect user access and data.

OAuth2 Authentication

The Visa Platforms Login API uses OAuth2 for client authentication and authorization. All API requests require a valid Bearer token in the Authorization header.

Required Header Format:

Authorization: Bearer {access_token}

OAuth2 scopes determine what an access token is allowed to do. Make sure the client credentials you were issued carry the scopes your operations need, and request no more than that: a token with broader scopes than necessary widens the damage if it leaks.

User Authentication

The API supports multiple user authentication mechanisms:

Username and Password Authentication
Standard credential-based authentication using the /user/site/{siteId}/login endpoint. Users provide their username, password, and site identifier for authentication.
Multi-Factor Authentication (MFA)
Time-based One-Time Password (TOTP) authentication for enhanced security. Users enroll with an authenticator application that derives short-lived codes from a shared secret and the current time, so a captured code is useless once its time step has passed.
Single Sign-On (SSO)
Integration with external identity providers through SSO mechanisms. The /oidc/userinfo endpoint supports OpenID Connect for federated authentication.
Guest Authentication
Passwordless authentication for guest users enrolled through one-click enrollment processes. Guest users must reset their password to gain full access.

Multi-Factor Authentication Implementation

MFA enhances security by requiring users to provide additional verification beyond their password:

MFA Enrollment Process:

  1. Initialize MFA setup using /user/mfa/totp/setup for users with NOT_ENROLLED status
  2. Users configure their authenticator app with the provided TOTP key
  3. Complete enrollment via /user/mfa/totp/enroll with a valid TOTP code
  4. MFA status changes to ENROLLED upon successful completion

MFA Login Process:

When the account is ENROLLED, the login request to /user/site/{siteId}/login must also carry the current TOTP code in the otp parameter, with otpType identifying the kind of code supplied; a login without a valid code does not complete.
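The enrollment steps and the login check above are the two halves of one TOTP lifecycle. The following is an added example, not code from the Visa Platforms Login API or its SDKs: a local RFC 4226/6238 implementation that generates the secret a setup call would hand to the user, verifies the first code at enrollment, then verifies login codes with a one-step drift window and replay protection. It assumes the common defaults (HMAC-SHA1, 30-second step, 6 digits); the status names NOT_ENROLLED and ENROLLED come from the page, the MfaEnrollment class and "Visa Platforms" issuer label are illustrative.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional, Tuple

STEP_SECONDS = 30  # RFC 6238 default time step (assumed; the service may differ)
DIGITS = 6         # code length most authenticator apps use (assumed)
WINDOW = 1         # accept one step before/after "now" to absorb clock drift


def new_totp_secret(nbytes: int = 20) -> str:
    """Random secret, base32-encoded, which is the form authenticator apps import."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI that an authenticator app can scan as a QR code."""
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode(
        {"secret": secret_b32, "issuer": issuer, "digits": DIGITS, "period": STEP_SECONDS})
    return f"otpauth://totp/{label}?{query}"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if at is None else at) // STEP_SECONDS)
    return hotp(secret, counter)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                last_counter: int = -1) -> Tuple[bool, int]:
    """Return (ok, counter). Compares in constant time and refuses any step at or before
    last_counter (the counter returned by the previous success), so a code that was already
    accepted cannot be replayed inside the drift window."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int((time.time() if at is None else at) // STEP_SECONDS)
    for delta in range(-WINDOW, WINDOW + 1):
        counter = now + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter


class MfaEnrollment:
    """Illustrative server-side state for one user: NOT_ENROLLED -> ENROLLED."""

    def __init__(self) -> None:
        self.status = "NOT_ENROLLED"
        self.secret: Optional[str] = None
        self.last_counter = -1

    def setup(self, account: str, issuer: str = "Visa Platforms") -> str:
        """Step 1-2: mint the secret and return what the user's app needs to import it."""
        self.secret = new_totp_secret()
        return provisioning_uri(self.secret, account, issuer)

    def enroll(self, code: str, at: Optional[float] = None) -> bool:
        """Step 3-4: a valid first code proves the app holds the secret; flip the status."""
        ok, counter = verify_totp(self.secret, code, at, self.last_counter)
        if ok:
            self.status, self.last_counter = "ENROLLED", counter
        return ok

    def login(self, code: str, at: Optional[float] = None) -> bool:
        """The otp check performed at login for an ENROLLED account."""
        if self.status != "ENROLLED" or self.secret is None:
            return False
        ok, counter = verify_totp(self.secret, code, at, self.last_counter)
        if ok:
            self.last_counter = counter
        return ok
```

The replay check matters more than it looks: without `last_counter`, the drift window means a code phished in the last 30 seconds is still accepted on a second login. The RFC 6238 test vectors (secret "12345678901234567890", time 59 giving code 287082) are a quick way to confirm an implementation before pointing it at real accounts.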

MFA Management:

  • Users can unenroll from MFA using /user/mfa/totp/unenroll
  • Administrators can remove MFA via /user/mfa/totp/unenroll/dashboard

Session Management

The API provides session management capabilities to maintain user authentication state:

Session Extension
Use /user/extend-login to extend active user sessions before expiration. This endpoint requires a valid user authentication token.
Session Validation
The /user/find endpoint validates current session status while retrieving user profile information.
Device Trust
The API supports device token management through the deviceToken and trustDevice parameters, which let a client mark a device as trusted and identify it on later logins. A device token functions as a credential in its own right: keep it in protected storage and never write it to logs.

Password Management

The API provides comprehensive password management features:

Password Change
Users can change passwords using /user/change-password by providing both old and new passwords.
Password Reset
Password reset via passcode using /user/change-password-from-passcode. This method does not require the old password.
Passcode Delivery
Send password reset codes via email or SMS using /user/send-code or /user/send-passcode endpoints.
Compromised Password Check
Check a candidate password against known compromised credential sets using /user/vba/compromised-password, and do so before accepting it at change or reset time rather than after.

Security Considerations

Implement these security best practices when using the authentication features:

  • Token Management: Keep OAuth2 tokens in protected storage (never in URLs, query strings, or client-side logs), refresh them before they expire, and treat an expired or rejected token as a signal to re-authenticate rather than retrying the same token.
  • Rate Limiting: Implement client-side rate limiting for authentication attempts to prevent abuse. This only keeps a well-behaved client from hammering the API; server-side limits are what actually stop credential-stuffing, so do not rely on the client alone.
  • Error Handling: Do not expose sensitive authentication details in error messages to end users. Use the same generic message for an unknown username, a wrong password, and a wrong otp; distinct messages let an attacker enumerate accounts and learn which users have MFA.
  • HTTPS Only: Always use HTTPS for all authentication-related API calls to protect credentials in transit.
  • MFA Enforcement: Consider requiring MFA for high-privilege operations or sensitive account access.
  • Session Timeout: Implement appropriate session timeout policies based on your security requirements.
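The Session Management section and the practices listed above describe one client-side workflow: log in with username and password (adding otp/otpType when the account is enrolled), attach the Bearer token to every request, extend the session through /user/extend-login before it lapses, throttle login attempts, and hand the user only generic errors. The following is an added example that ties those together; it is not the API's own client library. The endpoint paths and parameter names come from this page; the response shape (accessToken, expiresIn, an error field with MFA_REQUIRED), the otpType value "TOTP", and the FakeServer used to run it offline are assumptions.

```python
import time
from typing import Any, Callable, Dict, List, Optional, Tuple


class AuthError(Exception):
    """Shown to the user with a generic message; the specific reason goes to the audit log."""


class MfaRequired(AuthError):
    """Password accepted but the account is ENROLLED in MFA: retry with otp/otpType."""


class LoginThrottle:
    """Client-side token bucket per username: `burst` attempts, refilled at `rate` per second.
    Keeps a well-behaved client from hammering the API; server-side limits are still needed."""

    def __init__(self, burst: int = 5, rate: float = 1 / 60, clock=time.monotonic):
        self.burst, self.rate, self.clock = burst, rate, clock
        self._buckets: Dict[str, Tuple[float, float]] = {}  # username -> (tokens, last_seen)

    def allow(self, username: str) -> bool:
        now = self.clock()
        tokens, last = self._buckets.get(username, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self._buckets[username] = (tokens - 1 if allowed else tokens, now)
        return allowed


class LoginClient:
    """`transport(method, path, headers, body) -> (status, json)` is injected so the client
    can run offline. Response field names (accessToken, expiresIn, error) are assumptions."""

    EXTEND_MARGIN = 60  # call /user/extend-login when this many seconds (or fewer) remain

    def __init__(self, site_id: str, transport: Callable[..., Tuple[int, Dict[str, Any]]],
                 throttle: Optional[LoginThrottle] = None, clock=time.time):
        self.site_id, self.transport, self.clock = site_id, transport, clock
        self.throttle = throttle or LoginThrottle(clock=clock)
        self.access_token: Optional[str] = None
        self.expires_at = 0.0
        self.audit: List[str] = []  # detailed reasons live here, never in user-facing errors

    def headers(self) -> Dict[str, str]:
        if self.access_token is None:
            raise AuthError("Please sign in.")
        return {"Authorization": f"Bearer {self.access_token}",
                "Content-Type": "application/json"}

    def login(self, username: str, password: str,
              otp: Optional[str] = None, otp_type: str = "TOTP") -> bool:
        if not self.throttle.allow(username):
            raise AuthError("Too many attempts; try again later.")
        body: Dict[str, Any] = {"username": username, "password": password}
        if otp is not None:
            body["otp"], body["otpType"] = otp, otp_type
        status, data = self.transport("POST", f"/user/site/{self.site_id}/login",
                                      {"Content-Type": "application/json"}, body)
        if status != 200:
            self.audit.append(f"login {username}: {status} {data.get('error')}")
            if data.get("error") == "MFA_REQUIRED":
                raise MfaRequired("Enter the code from your authenticator app.")
            raise AuthError("Invalid credentials.")  # same text for bad user, password or otp
        self._store(data)
        return True

    def _store(self, data: Dict[str, Any]) -> None:
        self.access_token = data["accessToken"]
        self.expires_at = self.clock() + float(data["expiresIn"])

    def ensure_session(self) -> Dict[str, str]:
        """Call before each API request: extend a session that is about to lapse, and force a
        fresh sign-in (instead of retrying a dead token) once it has lapsed."""
        if self.access_token is None or self.clock() >= self.expires_at:
            self.access_token = None
            raise AuthError("Session expired; please sign in again.")
        if self.expires_at - self.clock() <= self.EXTEND_MARGIN:
            status, data = self.transport("POST", "/user/extend-login", self.headers(), {})
            if status != 200:
                self.audit.append(f"extend-login: {status} {data.get('error')}")
                self.access_token = None
                raise AuthError("Session expired; please sign in again.")
            self._store(data)
        return self.headers()


class FakeServer:
    """Constructed stand-in for the API so the example runs offline (not the real service)."""

    def __init__(self) -> None:
        self.users = {"alice": ("correct horse", True), "bob": ("hunter2", False)}  # pw, MFA?
        self.tokens: Dict[str, bool] = {}
        self.issued = 0

    def __call__(self, method, path, headers, body):
        if path.endswith("/login"):
            pw, mfa = self.users.get(body.get("username"), (None, False))
            if pw is None or body.get("password") != pw:
                return 401, {"error": "INVALID_CREDENTIALS"}
            if mfa and body.get("otp") is None:
                return 401, {"error": "MFA_REQUIRED"}
            if mfa and body.get("otp") != "123456":  # the fake accepts one fixed code
                return 401, {"error": "INVALID_CREDENTIALS"}
            return 200, self._issue()
        if path == "/user/extend-login":
            auth = headers.get("Authorization", "")
            if not auth.startswith("Bearer ") or auth[7:] not in self.tokens:
                return 401, {"error": "INVALID_TOKEN"}
            return 200, self._issue()
        return 404, {"error": "NOT_FOUND"}

    def _issue(self) -> Dict[str, Any]:
        self.issued += 1
        token = f"tok{self.issued}"
        self.tokens[token] = True
        return {"accessToken": token, "expiresIn": 900}
```

The clock is injected so expiry and throttling can be tested without sleeping; in production leave the defaults. Note that `ensure_session` drops the token the moment it is past expiry instead of sending one more request with it: a rejected token should lead straight back to the login screen, not to a retry loop.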

Common Authentication Flows

The API supports several authentication patterns depending on your integration requirements:

Standard Web Application Flow
Traditional username/password authentication with optional MFA for web-based applications.
Mobile Application Flow
Device token-based authentication with biometric or PIN fallback options for mobile applications.
Server-to-Server Flow
OAuth2 client credentials flow for backend system integration and administrative operations.
Guest User Flow
Simplified authentication for guest users with automatic enrollment and password reset requirements.