Trusted Authentication
Overview
Authentication is the process of verifying the phone number associated with a User profile through an SMS code. This is how Astra Authenticates Users before they Authorize your Client. Any action by the User in Astra’s SDK requires an active, non-expired Authentication.
Re-Authentication is required when the User changes their phone number or is using Astra on a new device.
Trusted Authentication is a joint solution developed by Astra and trusted Clients that enables access to Astra for all Users who have successfully completed mobile 2FA with a Client, providing a more streamlined onboarding experience. If a User has Authenticated with your Client in the last 30 days, Astra will “trust” that Authentication and allow the User to bypass Astra’s own Authentication step prior to providing an Authorization for your Client. Because this bypass rests entirely on the strength and recency of your Client’s mobile 2FA, Astra approves Clients for it individually (see Approval below).

Astra's Authentication Service
Approval
Trusted Authentication requires a level of trust between your company and Astra. In order to ensure a high level of security for all parties, Astra requires all trusted Clients to fill out an Authentication security questionnaire.
- Do you use phone number / mobile 2FA to authenticate your Users? If not, please share how.
- When do you Authenticate Users? ex: During onboarding? When a phone number changes? When they add or change sensitive information?
- When do you Re-authenticate Users?
- How long does an authenticated User's session last? ex: 15 minutes, 24 hours, 1 week, 30 days
Client Configuration
Your Client will need to expose a secure API endpoint that Astra can call to retrieve customer information. The response must include the time the customer last Authenticated with you and a phone number that matches the phone number on the Astra UserIntent or User. Because this endpoint returns customer PII and drives an authentication-bypass decision, it must require authentication from Astra and must not be reachable anonymously. Once the questionnaire and the endpoint have been approved, Astra will enable your Client for Trusted Authentication.
Example Endpoint
Endpoint: GET /v1/customers/123456
Example Response:
{
  "customer_id": "123456",
  "first_name": "Jane",
  "last_name": "Doe",
  "phone": "+15555551234",
  "last_authentication_time": "2023-01-01T13:47:13.920Z"
}
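The following is an added example, not Astra’s or any Client’s own code. It models the Client side of this configuration: a lookup that returns the documented record shape for GET /v1/customers/{id}, and the trust decision the page describes (phone on file matches the Astra User/UserIntent phone, and the last Authentication is within 30 days). The in-memory customer store, the E.164 normalization and the rejection of future-dated timestamps are assumptions made here to show the edge cases a practitioner would want handled; the 30-day window and the field names come from the page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample store standing in for the Client's customer database.
# The record shape mirrors the example response documented above.
CUSTOMERS = {
    "123456": {
        "customer_id": "123456",
        "first_name": "Jane",
        "last_name": "Doe",
        "phone": "+15555551234",
        "last_authentication_time": "2023-01-01T13:47:13.920Z",
    },
}

TRUST_WINDOW = timedelta(days=30)  # window stated in the Overview


def get_customer(customer_id):
    """Hypothetical handler body for GET /v1/customers/{id}: returns the
    record Astra retrieves, or None when the id is unknown."""
    return CUSTOMERS.get(customer_id)


def normalize_phone(phone):
    """Reduce a phone string to '+' followed by its digits so that
    '+1 (555) 555-1234' and '+15555551234' compare equal.
    Returns None when the value is not a plausible E.164 number (assumed
    8 to 15 digits); a number without a country code will not match."""
    if not phone:
        return None
    digits = "".join(ch for ch in phone if ch.isdigit())
    if not 8 <= len(digits) <= 15:
        return None
    return "+" + digits


def parse_timestamp(value):
    """Parse the ISO-8601 last_authentication_time; a trailing 'Z' is UTC.
    Returns None on malformed values or values without a time zone, so an
    ambiguous naive timestamp can never satisfy the window check."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (AttributeError, ValueError):
        return None
    if ts.tzinfo is None:
        return None
    return ts


def is_trusted(record, astra_phone, now=None):
    """Decide whether the Client's Authentication can be trusted: the phone
    on file must match the Astra User/UserIntent phone and the last
    Authentication must fall within the 30-day window. A timestamp in the
    future is rejected so that clock skew or a forged value cannot extend
    the window."""
    now = now or datetime.now(timezone.utc)
    if record is None:
        return False
    on_file = normalize_phone(record.get("phone"))
    if on_file is None or on_file != normalize_phone(astra_phone):
        return False
    last_auth = parse_timestamp(record.get("last_authentication_time"))
    if last_auth is None or last_auth > now:
        return False
    return now - last_auth <= TRUST_WINDOW
```

Note that the decision is evaluated against the current time on every request, not cached: a record that was inside the window yesterday can be outside it today, which is exactly the behaviour the 30-day rule requires.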
Trusted Authentication Flow
Step 1: Generating a Partner Identity Verification Token
The first step in Authenticating a User is generating a short-lived (1 minute), one-time-use Partner Identity Verification Token. In order to generate a token, your Client must provide a customer_id from your system (which Astra verifies against the customer endpoint described above), as well as exactly one of the Astra user_id, user_intent_id, or business_profile_id of the User.
Client Request
Endpoint: POST /v1/partner/identity/verification
Headers:
{
  "Content-Type": "application/json",
  "Accept": "application/json",
  "Authorization": "Basic ****"
}
Body:
{
  "provider": "ClientXYZ",
  "provider_data": {
    "customer_id": "123456"
  },
  "client_id": "client_123456",
  "user_id": "user_123456",
  "user_intent_id": "user_intent_123456",
  "business_profile_id": "business_profile_123456"
}
Astra Response
{
"token": "token_123456"
}
Provide exactly one of user_id, user_intent_id, or business_profile_id (the example body above lists all three only to show their names):
- user_intent_id if you are signing up the User for Astra’s services (Authorizing)
- user_id if you are signing them in (Authenticating)
- business_profile_id if you are signing up a business user (Authorizing)
Step 2: Authenticating a User
Once your Client has a Partner Identity Verification Token, the User should be directed to the Astra Web SDK with the following query string parameters. The token expires one minute after issuance and is consumed on first use, so it should be generated immediately before the redirect and never reused or stored.
Parameter | Required | Description |
---|---|---|
session_token | required | the Partner Identity Verification Token string |
client_id | required | your Developer Client ID. |
user_intent_id | conditional | required when initially onboarding a personal user; must be the user_intent_id used in the token creation request. |
business_profile_id | conditional | required when initially onboarding a business user; must be the business_profile_id used in the token creation request. |
user_id | conditional | required when signing in an existing user; must be the user_id used in the token creation request. |

Exactly one of user_intent_id, business_profile_id, or user_id is supplied, matching the identifier passed in Step 1.
Example with Query Strings
- https://app.astra.finance/login/oauth/authorize?session_token=token_123456&client_id=client_123456&user_id=user_123456&redirect_uri=https://redirect.com/&response_type=code
- https://app.astra.finance/login/oauth/authorize?session_token=token_123456&client_id=client_123456&user_intent_id=user_intent_123456&redirect_uri=https://redirect.com/&response_type=code
- https://app.astra.finance/login/oauth/authorize?session_token=token_123456&client_id=client_123456&business_profile_id=business_profile_123456&redirect_uri=https://redirect.com/&response_type=code
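The two steps above as one worked example. This is added code, not Astra’s SDK or any Client’s implementation: it assembles the Step 1 token request (enforcing that exactly one identifier is sent) and builds the Step 2 Web SDK redirect with the identifier carried through and redirect_uri percent-encoded. Assumptions made here: the endpoint path is returned without a host because the page does not state one, the Basic credential is assumed to be the Client ID and a Client secret (the page only shows it redacted), and no network call is made, so the request is returned as (path, headers, JSON body) for the caller’s HTTP client.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

VERIFICATION_PATH = "/v1/partner/identity/verification"            # from the page
ASTRA_WEB_SDK = "https://app.astra.finance/login/oauth/authorize"   # from the page
IDENTIFIERS = ("user_id", "user_intent_id", "business_profile_id")


def _single_identifier(ids):
    """Return the one identifier that was supplied. The page requires exactly
    one of user_id / user_intent_id / business_profile_id; any other shape is
    rejected here, before anything is sent."""
    given = {k: v for k, v in ids.items() if v is not None}
    unknown = set(given) - set(IDENTIFIERS)
    if unknown:
        raise ValueError(f"unexpected identifier(s): {sorted(unknown)}")
    if len(given) != 1:
        raise ValueError("provide exactly one of " + ", ".join(IDENTIFIERS))
    return given


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credential for the Authorization header. The page shows the
    value redacted as 'Basic ****'; the id:secret pairing is an assumption."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_verification_request(provider, customer_id, client_id, client_secret, **ids):
    """Assemble the Step 1 request. Returns (path, headers, body) so the
    caller can send it with any HTTP client; the path has no host because the
    page does not give one."""
    body = {
        "provider": provider,
        "provider_data": {"customer_id": customer_id},
        "client_id": client_id,
        **_single_identifier(ids),
    }
    headers = {
        "Content-Type": "application/json",
        "Accept": "application/json",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return VERIFICATION_PATH, headers, json.dumps(body)


def build_authorize_url(token, client_id, redirect_uri, **ids):
    """Build the Step 2 Web SDK redirect. The token is the one-minute,
    one-time Partner Identity Verification Token from Step 1, and the same
    single identifier used there is carried through as a query parameter.
    urlencode percent-encodes redirect_uri so its ':' and '/' cannot be
    mistaken for query structure."""
    params = [("session_token", token), ("client_id", client_id)]
    params += list(_single_identifier(ids).items())
    params += [("redirect_uri", redirect_uri), ("response_type", "code")]
    return ASTRA_WEB_SDK + "?" + urlencode(params)


def query_params(url):
    """Inspect a built URL: {name: value} for its query string."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


if __name__ == "__main__":
    path, headers, body = build_verification_request(
        "ClientXYZ", "123456", "client_123456", "example-secret",
        user_intent_id="user_intent_123456")
    print(path, body)
    # A real integration would POST the body here and read "token" from the
    # response; "token_123456" below is the placeholder value from the page.
    print(build_authorize_url("token_123456", "client_123456",
                              "https://redirect.com/",
                              user_intent_id="user_intent_123456"))
```

Generating the token and issuing the redirect in the same request handler keeps the one-minute lifetime from becoming a problem, and returning the request as data rather than sending it makes the identifier check testable without credentials.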