How do I auth via token?

[Mr-M1M3]

I want to authenticate an user only via token. How do I?

[ganigeorgiev]

The SDKs were not intended to be used this way, but here are 2 workarounds:

1. Update the store with the token and a dummy minimal required user data:

   client.authStore.save("YOUR_TOKEN", { verified: false });
   
   // you are now "authenticated"..
   await client.records.getList("example", 1, 50);

2. Set the authorization globally for the client using the client.beforeSend hook:

   const client = new PocketBase('http://127.0.0.1:8090');
   
   const token = "YOUR_TOKEN";
   
   client.beforeSend = function (url, reqConfig) {
       if (!reqConfig.headers['Authorization']) {
           reqConfig.headers['Authorization'] = 'User ' + token;
       }
   
       return reqConfig;
   };
   
   // you are now always "authenticated"..
   await client.records.getList("example", 1, 50);

[danielo515]

But where do you get that token to begin with?

[ganigeorgiev]

@danielo515 This is a very old discussion and the above Authorization header format is no longer valid.

The token is generated from the admin or auth collections authentication endpoint, for example https://pocketbase.io/docs/api-records/#auth-with-password.

If you need further help, please open a new discussion with more details about your use case.

[pchasco]

It think it would be beneficial to support authentication via JWT access token only. This would enable native applications to implement a native sign-in experience and send the access token with any request to PocketBase. The backend would only need how to verify the token and extract the user id. The client would be responsible for refreshing the token when/prior to expiration.

[benallfree]

@ganigeorgiev have you considered machine keys that can be generated from the admin and don’t expire but which can be revoked?

[ganigeorgiev]

@benallfree Yes, API keys were discussed in #342 (comment), but I'm not sure about this yet, since it will add another auth layer and may cause some confusion.

[safr-world]

I think we do exactly this at the moment, but with JWT tokens. PocketBase request is considered authenticated if it has a valid Authoriaztion: TOKEN header. You need the credentials only once in order to get a token. A refreshed token is generated from another active token.

Additionally, with the changes in PocketBase v0.8.0 SDK, you can now save only the token in the auth store and it will still be considered valid, aka:

client.authStore.save("YOUR_TOKEN", null);

/// after the above call all following requests will be authenticated with the provided token...

(I'm quite new to this)
Does this mean that the token never expires unless refreshed?

[ganigeorgiev]

Does this mean that the token never expires unless refreshed?

No, the token has its own exp claim. You can configure the tokens duration from the Admin UI > Settings > Token Options.

[safr-world]

Thanks!

[321mariomaio123]

But how can authenticate a user from the users collection, only with postman?

[ganigeorgiev]

Add an Authorization: TOKEN header.
If the above doesn't help or you have other questions please open a new Q&A discussion with more details about your use case.