Authentication overview
Stytch provides authentication services designed to enable passwordless and traditional login experiences for both consumer and business-to-business (B2B) applications. The platform offers various authentication factors and flows, allowing developers to integrate secure user verification without direct management of credential storage or complex cryptographic operations. Stytch's API is RESTful, enabling programmatic access to its authentication features, while SDKs simplify client-side and server-side integration across multiple programming languages and platforms, including Python, Node.js, and React.
The core principle behind Stytch’s approach is to minimize user friction during login while maintaining strong security postures. This is achieved through mechanisms like magic links, one-time passcodes (OTPs), and support for modern FIDO-based authentication methods, which aim to reduce reliance on passwords that are susceptible to phishing and brute-force attacks. The system handles user session management, multi-factor authentication (MFA) challenges, and single sign-on (SSO) integrations, abstracting much of the underlying complexity from the application developer. For detailed information on specific API endpoints and data models, refer to the Stytch API reference documentation.
Supported authentication methods
Stytch supports a range of authentication methods, catering to different security requirements and user experience preferences. These methods can be combined to implement multi-factor authentication (MFA) or adaptive authentication policies. The choice of method often depends on the application's target audience, compliance needs, and desired level of security versus convenience.
| Method | When to Use | Security Level |
|---|---|---|
| Magic Links (Email) | Passwordless login for web/mobile, reducing friction. Ideal for initial sign-up or returning users without passwords. | Moderate (relies on email account security) |
| One-Time Passcodes (OTP) via Email | Quick, passwordless verification. Suitable for account recovery, transaction confirmation, or general login. | Moderate (requires email access) |
| One-Time Passcodes (OTP) via SMS | Mobile-centric verification, often used for MFA or passwordless login where a phone number is primary identifier. | Moderate to High (relies on phone network security) |
| WebAuthn (FIDO) / Passkeys | Strong, phishing-resistant passwordless authentication using device biometrics or hardware keys. Recommended for high-security applications. | High (cryptographically secure, device-bound credentials) |
| Biometrics (via SDKs) | In-app authentication using device-native biometrics (Face ID, Touch ID). Enhances user experience and security on mobile. | High (device-bound, user-specific) |
| OAuth (Google, Microsoft, etc.) | Delegated authentication via third-party providers. Simplifies sign-up and login by leveraging existing accounts. | Varies (depends on the identity provider's security) |
| SSO (SAML, OIDC) | Centralized authentication for B2B environments, allowing employees to use corporate credentials. | High (enterprise-grade identity management) |
| Passwords + MFA | Traditional password-based login augmented with a second factor (e.g., OTP, authenticator app). | Moderate to High (MFA significantly improves security) |
For implementing WebAuthn and Passkeys, Stytch aligns with the FIDO Alliance specifications, which aim to replace passwords with more secure, phishing-resistant credentials. This approach leverages public-key cryptography to verify user identity directly from their device.
Getting your credentials
To interact with the Stytch API, you need to obtain your project credentials, which typically include a Project ID and a Secret. These credentials are used to authenticate your application's requests to Stytch's backend services.
- Create a Stytch Project: Begin by creating an account and a new project within the Stytch Dashboard. Each project acts as a container for your application's authentication configuration.
- Locate API Keys: Navigate to the 'API Keys' section within your project settings in the dashboard. Here you will find your Project ID and Secret. The Secret should be treated with the same confidentiality as a password, as it grants administrative access to your project's authentication services.
- Environment Management: Stytch provides separate API keys for different environments (e.g., Test and Live). Use the Test environment keys during development and switch to Live keys only for production deployments. This separation helps prevent accidental modifications to production data during testing.
- Client-side Tokens: For client-side interactions, such as initializing Stytch SDKs in a web browser or mobile app, a public token or client-side token may be used. These tokens are generally safe to expose in client-side code as they only grant access to public-facing functionalities and do not expose sensitive backend operations. Refer to the Stytch client authentication documentation for specific guidance on client-side token usage.
Always store your Stytch Secret securely, ideally as environment variables or using a secrets management service, rather than hardcoding it directly into your application's source code.
Authenticated request example
Authenticating requests to the Stytch API typically involves using your Project ID and Secret. Many endpoints require an Authorization header with Basic Authentication, where the username is your Project ID and the password is your Secret. The following example demonstrates a common scenario: initiating a magic link login for a user via the Stytch /magic_links/email/login_or_create endpoint using a Node.js SDK.
Node.js Example (using Stytch Node.js SDK):

```javascript
const stytch = require('stytch');

// Credentials are read from the environment, never from source code.
const client = new stytch.Client({
  project_id: process.env.STYTCH_PROJECT_ID,
  secret: process.env.STYTCH_SECRET,
  env: stytch.envs.test, // or stytch.envs.live
});

// Sends a magic link to emailAddress, creating the user if they do not exist yet.
async function sendMagicLink(emailAddress) {
  try {
    const response = await client.magicLinks.email.loginOrCreate({
      email: emailAddress,
      login_magic_link_url: 'https://example.com/authenticate',
      signup_magic_link_url: 'https://example.com/authenticate',
      expiration_minutes: 30,
    });
    console.log('Magic link sent successfully:', response);
    return response;
  } catch (error) {
    console.error('Error sending magic link:', error);
    throw error;
  }
}

// Example usage (placeholder address):
sendMagicLink('user@example.com');
```
In this example, the stytch.Client is initialized with the Project ID and Secret, typically loaded from environment variables for security. The loginOrCreate method then sends an email containing a magic link to the specified address. Upon clicking the link, the user is redirected to the application's authentication callback URL, where the application can complete the authentication flow by exchanging the magic link token for a session token using another Stytch API endpoint.
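The following is an added example, not code from the Stytch documentation or SDK. It shows the Basic Authentication header described above built by hand (Project ID as username, Secret as password) and the server-side half of the flow: parsing the magic link callback and exchanging the one-time token for a session via `/magic_links/authenticate`. It assumes Node.js 18+ (global `fetch`), the Test environment base URL, and that Stytch appends `token` and `stytch_token_type=magic_links` to the configured redirect URL.

```javascript
// Added example (not Stytch's own code). Test environment base URL; the Live
// environment uses https://api.stytch.com/v1 instead.
const STYTCH_BASE_URL = 'https://test.stytch.com/v1';

// Basic Auth header: username = Project ID, password = Secret.
function basicAuthHeader(projectId, secret) {
  const encoded = Buffer.from(`${projectId}:${secret}`, 'utf8').toString('base64');
  return `Basic ${encoded}`;
}

// Generic server-side POST; the Secret never leaves the backend.
async function stytchPost(path, body, projectId, secret) {
  const res = await fetch(`${STYTCH_BASE_URL}${path}`, {
    method: 'POST',
    headers: {
      Authorization: basicAuthHeader(projectId, secret),
      'Content-Type': 'application/json',
    },
    body: JSON.stringify(body),
  });
  const data = await res.json();
  if (!res.ok) {
    // Report the failure class without echoing the Authorization header.
    throw new Error(`Stytch ${path} failed (${res.status}): ${data.error_type || 'unknown'}`);
  }
  return data;
}

// The user arrives at login_magic_link_url with ?token=...&stytch_token_type=magic_links.
// Reject anything that is not a magic link token before spending an API call on it.
function parseMagicLinkCallback(callbackUrl) {
  const url = new URL(callbackUrl);
  const token = url.searchParams.get('token');
  const tokenType = url.searchParams.get('stytch_token_type');
  if (tokenType !== 'magic_links') {
    throw new Error(`Unexpected stytch_token_type: ${tokenType}`);
  }
  if (!token || token.length > 512) {
    throw new Error('Missing or malformed magic link token');
  }
  return token;
}

// Exchange the one-time token for a session on the server, never in the browser.
async function completeMagicLinkLogin(callbackUrl, projectId, secret) {
  const token = parseMagicLinkCallback(callbackUrl);
  const data = await stytchPost('/magic_links/authenticate',
    { token, session_duration_minutes: 60 }, projectId, secret);
  // Hand data.session_token to the browser only as an HttpOnly, Secure cookie.
  return { userId: data.user_id, sessionToken: data.session_token };
}
```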
Security best practices
When integrating Stytch or any authentication service, adhering to security best practices is essential to protect user data and maintain application integrity. Stytch's design inherently addresses many security concerns, but application-level practices are still critical.
- Secure Credential Storage: Your Stytch Project ID and Secret are highly sensitive. Never hardcode them directly into your application's codebase. Instead, use environment variables, secret management services (e.g., AWS Secrets Manager, Google Secret Manager), or secure configuration files that are not committed to version control.
- HTTPS Everywhere: Ensure all communication between your application and Stytch, as well as between your application and its users, occurs over HTTPS. This encrypts data in transit, preventing eavesdropping and man-in-the-middle attacks. Major cloud providers, such as AWS (EC2) and Google Cloud (Compute Engine), publish guidance on configuring SSL/TLS.
- Server-Side Authentication: Whenever possible, perform critical authentication steps (e.g., exchanging magic link tokens for session tokens) on your backend server. This prevents exposing sensitive operations or API keys to client-side environments, which are more vulnerable to tampering.
- Validate Callbacks and Redirects: When using magic links, OAuth, or SSO, always validate the callback URLs and redirect URIs to ensure they point to your legitimate application domains. This prevents open redirect vulnerabilities that could be exploited for phishing.
- Implement Session Management: Stytch handles session creation and validation. However, your application should manage session expiration, revocation, and proper invalidation upon logout. Regularly review Stytch's documentation on session management APIs.
- Error Handling and Logging: Implement robust error handling and logging for authentication failures. This helps identify potential attack attempts (e.g., brute-force) and allows for timely responses. Be cautious not to log sensitive user data or credentials in plain text.
- Rate Limiting: Apply rate limiting to authentication endpoints (e.g., login, sign-up, password reset) to mitigate brute-force attacks and prevent resource exhaustion. Stytch may apply its own rate limits, but client-side and server-side rate limiting adds an additional layer of defense.
- Regular Security Audits: Periodically review your authentication implementation and overall application security. Consider conducting penetration tests or security audits to identify and address vulnerabilities proactively.
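As an added example for the "Validate Callbacks and Redirects" point above (not code from Stytch), the function below allow-lists the post-login redirect target by exact origin, so a tampered redirect parameter cannot send a user to another site. The allowed origins and default path are constructed placeholders.

```javascript
// Added example (not Stytch's own code). Constructed allow-list of origins
// that may receive post-login redirects.
const ALLOWED_REDIRECT_ORIGINS = new Set([
  'https://example.com',
  'https://app.example.com',
]);
const DEFAULT_REDIRECT = 'https://app.example.com/dashboard';

// Returns a safe absolute URL, falling back to DEFAULT_REDIRECT on anything
// that does not resolve to an allow-listed origin.
function safeRedirect(requested) {
  if (typeof requested !== 'string' || requested.length === 0 || requested.length > 2048) {
    return DEFAULT_REDIRECT;
  }
  // Resolve relative paths against the default origin, then re-check the
  // origin. A leading "//" or "/\" is parsed as protocol-relative and would
  // escape the origin, so the prefix alone cannot be trusted.
  let url;
  try {
    url = new URL(requested, DEFAULT_REDIRECT);
  } catch {
    return DEFAULT_REDIRECT;
  }
  // Exact origin comparison (scheme + host + port). Substring checks such as
  // hostname.endsWith('example.com') accept 'evil-example.com', and
  // startsWith checks accept 'example.com.evil.net'.
  if (!ALLOWED_REDIRECT_ORIGINS.has(url.origin)) {
    return DEFAULT_REDIRECT;
  }
  // Drop fragments and embedded credentials; neither belongs in a redirect target.
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.toString();
}
```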