post https://api.qoreid.com/v1/sessions
Mints a short-lived, single-use SDK session token scoped to exactly one product (collection) or one workflow. Your backend calls this endpoint, then hands only the resulting sdkSessionToken to your app — your client credentials never leave your server. From mobile SDK v2.0.0, this token is the only credential the SDK accepts. See the SDK Session Tokens guide.
Backend-to-backend onlyAuthenticate with HTTP Basic using your existing client credentials:
Authorization: Basic base64(clientId:secret). Never call this endpoint from a browser or mobile client.
Headers
| Header | Description |
|---|---|
Authorization | Required. Basic base64(clientId:secret). For workflow sessions, use the flow client's credentials. |
Content-Type | Required. application/json |
Idempotency-Key | Optional. Dedupes retries of the same mint request. |
Body Params
| Field | Type | Description |
|---|---|---|
type | string | Optional. "collection" (default) or "workflow". |
productCode | string | Required for collection sessions. The single product this session may run. Mutually exclusive with workflowId. See Product Codes. |
workflowId | number | Required for workflow sessions. Mutually exclusive with productCode. |
reference | string | Required. Your transaction reference. |
subjectRef | string | Optional. Pseudonymous identifier for the subject — do not include PII. |
ttlSeconds | number | Optional. Token lifetime in seconds; server-capped. |
maxAttempts | number | Optional. Maximum redemption attempts; server-capped. |
Example — collection session
{
"productCode": "liveness",
"reference": "integrator-txn-8842",
"subjectRef": "user-internal-1192",
"ttlSeconds": 120,
"maxAttempts": 3
}Example — workflow session
{
"type": "workflow",
"workflowId": 123,
"reference": "integrator-txn-8842"
}Response — 201 Created
201 Created{
"sessionId": "sess_...",
"sdkSessionToken": "<JWT to hand to the device>",
"type": "collection",
"productCode": "liveness",
"expiresAt": "2026-06-11T14:32:10.000Z"
}productCode is present for collection sessions; workflowId is present for workflow sessions. Pass only sdkSessionToken to your app.
Errors
| Code | Meaning |
|---|---|
| 400 | Missing/unknown productCode, or productCode/workflowId not valid for the session type |
| 401 | Invalid clientId/secret |
| 403 | Not subscribed to the product / credentials not valid for the workflow |
| 503 | Authentication service temporarily unavailable |