When a user logs in with AuthN, they establish two sessions: one with your app that expires periodically, and another with AuthN that can be used to refresh the app session. These are called the access token and refresh token, respectively.
During login, AuthN ensures that users cannot be enumerated through your system: it does not declare which field was incorrect, but instead fails with a generic credentials error.
- Create a form where the user may enter their username and password and an optional TOTP MFA code (required if the user has completed MFA onboarding with their authenticator app).
- Submit the username, password and TOTP code to AuthN.
- If successful, the user will be logged in and can make authenticated requests to your app.
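The three steps above, as an added example that is not code from the AuthN project: a small login helper that posts the form fields to an AuthN server, keeps the returned access token in memory (the refresh token lives in AuthN's cookie, hence `credentials: 'include'`), and shows the user a single generic message on failure so the app does not undo AuthN's enumeration protection. The endpoint path `/session/login`, the field names `username`, `password` and `otp`, and the `result.id_token` response shape are assumptions about the AuthN API; verify them against your server's version. The `fakeAuthNFetch` responder and its credentials are constructed for the demo.

```javascript
// Added example (not AuthN's own client code). Assumes the AuthN login endpoint
// is POST {authnUrl}/session/login with form fields username, password, otp,
// and that a success response carries { result: { id_token } }.

const GENERIC_CREDENTIALS_ERROR = 'Invalid username, password, or code.';
const GENERIC_UNAVAILABLE_ERROR = 'Login is temporarily unavailable. Please try again.';

// Build the form body. The otp field is only sent when the user typed a code,
// so users who have not finished MFA onboarding can still log in.
function buildLoginBody(username, password, otp) {
  const params = new URLSearchParams();
  params.set('username', username);
  params.set('password', password);
  if (otp) params.set('otp', otp);
  return params;
}

// Collapse every failure into one of two generic messages. Whatever AuthN
// returns, the app must not tell the user which field was wrong; doing so
// would let someone confirm whether a username exists.
function mapLoginError(status) {
  if (status === 401 || status === 422) {
    return { ok: false, error: GENERIC_CREDENTIALS_ERROR };
  }
  return { ok: false, error: GENERIC_UNAVAILABLE_ERROR };
}

// Submit the form to AuthN. fetchImpl is injectable so the flow can be
// exercised offline; in a browser the default global fetch is used.
async function loginWithAuthN({ authnUrl, username, password, otp }, fetchImpl = fetch) {
  const res = await fetchImpl(`${authnUrl}/session/login`, {
    method: 'POST',
    credentials: 'include', // lets the browser keep AuthN's refresh-token cookie
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildLoginBody(username, password, otp),
  });
  if (!res.ok) return mapLoginError(res.status);

  const data = await res.json();
  const idToken = data && data.result && data.result.id_token;
  // A 2xx without a token is a server-side problem, not a credentials problem.
  if (typeof idToken !== 'string') return mapLoginError(500);

  // Keep the access token in memory only; the refresh token never reaches JS.
  return { ok: true, accessToken: idToken };
}

// Constructed stand-in for an AuthN server, used to run the flow offline.
// It accepts exactly one constructed username/password/otp triple and answers
// everything else with the same generic 422, mirroring AuthN's behaviour.
function fakeAuthNFetch(url, init) {
  const body = init.body;
  const accepted =
    url.endsWith('/session/login') &&
    body.get('username') === 'alice' &&
    body.get('password') === 'correct horse battery' &&
    body.get('otp') === '123456';
  if (accepted) {
    return Promise.resolve({
      ok: true,
      status: 201,
      json: async () => ({ result: { id_token: 'eyJ.constructed.token' } }),
    });
  }
  return Promise.resolve({
    ok: false,
    status: 422,
    json: async () => ({ errors: [{ field: 'credentials', message: 'FAILED' }] }),
  });
}

// Offline demo: one good login and one bad one, both printed.
loginWithAuthN(
  { authnUrl: 'https://authn.example.test', username: 'alice', password: 'correct horse battery', otp: '123456' },
  fakeAuthNFetch,
).then((r) => console.log('good login:', r));
loginWithAuthN(
  { authnUrl: 'https://authn.example.test', username: 'nobody', password: 'wrong' },
  fakeAuthNFetch,
).then((r) => console.log('bad login:', r));
```

In a real page, wire `loginWithAuthN` to the form's submit handler, store `accessToken` in a variable (not `localStorage`), and attach it as a bearer token on requests to your app; when it expires, call AuthN's refresh endpoint, which relies on the cookie the browser kept.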