Mint a Session Token

post https://api.qoreid.com/v1/sessions

Mints a short-lived, single-use SDK session token scoped to exactly one product (collection) or one workflow. Your backend calls this endpoint, then hands only the resulting sdkSessionToken to your app — your client credentials never leave your server. From mobile SDK v2.0.0, this token is the only credential the SDK accepts. See the SDK Session Tokens guide.

🚧

Backend-to-backend only

Authenticate with HTTP Basic using your existing client credentials: Authorization: Basic base64(clientId:secret). Never call this endpoint from a browser or mobile client.

Headers

HeaderDescription
AuthorizationRequired. Basic base64(clientId:secret). For workflow sessions, use the flow client's credentials.
Content-TypeRequired. application/json
Idempotency-KeyOptional. Dedupes retries of the same mint request.

Body Params

FieldTypeDescription
typestringOptional. "collection" (default) or "workflow".
productCodestringRequired for collection sessions. The single product this session may run. Mutually exclusive with workflowId. See Product Codes.
workflowIdnumberRequired for workflow sessions. Mutually exclusive with productCode.
referencestringRequired. Your transaction reference.
subjectRefstringOptional. Pseudonymous identifier for the subject — do not include PII.
ttlSecondsnumberOptional. Token lifetime in seconds; server-capped.
maxAttemptsnumberOptional. Maximum redemption attempts; server-capped.

Example — collection session

{
  "productCode": "liveness",
  "reference": "integrator-txn-8842",
  "subjectRef": "user-internal-1192",
  "ttlSeconds": 120,
  "maxAttempts": 3
}

Example — workflow session

{
  "type": "workflow",
  "workflowId": 123,
  "reference": "integrator-txn-8842"
}

Response — 201 Created

{
  "sessionId": "sess_...",
  "sdkSessionToken": "<JWT to hand to the device>",
  "type": "collection",
  "productCode": "liveness",
  "expiresAt": "2026-06-11T14:32:10.000Z"
}

productCode is present for collection sessions; workflowId is present for workflow sessions. Pass only sdkSessionToken to your app.

Errors

CodeMeaning
400Missing/unknown productCode, or productCode/workflowId not valid for the session type
401Invalid clientId/secret
403Not subscribed to the product / credentials not valid for the workflow
503Authentication service temporarily unavailable