Trusted Authentication is a solution developed by Astra and trusted clients that enables access to Astra for all users who have already successfully completed 2FA with a client, providing a frictionless onboarding experience. If an end-user has authenticated with your client in the last 30 days, Astra will “trust” this authentication and allow the user to bypass the authentication step in our SDK.

Approval and Client Configuration

Getting set up with Trusted Authentication is simple:
Before you can start using Trusted Auth, you’ll need to send your customer success rep representative an email indicating that you’d like your client to be enabled for "Trusted Authentication". Your client will need to have an API that Astra can access to retrieve customer information, which must include a last authenticated time and phone number that matches the Astra UserIntent or User record. Once that has been approved, Astra will enable your client for Trusted Authentication.

Example Astra Request

Endpoint: GET /v1/customers/123456

Example Client Response

  "customer_id": "123456",
  "first_name": "Jane",
  "last_name": "Doe",
  "phone": "+15555551234",
  "lastAuthenticationTime": "2023-01-01T13:47:13.920Z"

Generating a Partner Identity Verification Token

The first step in authenticating a user is generating a short-lived (1 minute), one-time-use Partner Identity Verification Token. In order to generate a token, your client must provide a customer_id from your system (to be verified by Astra), as well as the Astra user_id or user_intent_id of the user.

Client Request

Endpoint: POST /v1/partner/identity/verification

  "provider": "Unit",
  "provider_data": {
    "customer_id": "123456"
  "user_id": "user_123456",
  "user_intent_id": "user_intent_123456"

Note: A user_id or user_intent_id is required, but not both.

Astra Response

  "token": "token_123456"

Authenticating a User

Once your client has a Partner Identity Verification Token, the user should be directed to the Astra Web SDK with the following query string parameters.


session_tokenrequiredthe Partner Identity Verification Token string
user_intent_idrequired*required if a user_intent_id was used in the initial token creation request
client_idrequiredyour Developer Client ID
user_idoptionaluser_id used in the initial token creation request


Example with Query Strings