Today, we’re excited to announce the launch of the Stormpath Client API, a brand new set of tools for frontend and mobile developers using Stormpath. As the ways in which developers build applications have evolved, we’ve worked hard to evolve with them. The Client API complements the backend-focused Stormpath REST API, allowing frontend and mobile developers to enjoy a first-class developer experience. This launch also includes brand new versions of all our client SDKs: Angular, React, iOS, and Android.

The Stormpath Client API for Mobile and Frontend Developers


Access to the Stormpath REST API normally requires that your application pass an administrative API Key for each request. This restricts usage to server-side applications. With the Client API, basic user registration and authentication tasks can be performed without that administrative API key. For example, frontend and mobile applications can use the endpoints exposed by the Client API to authenticate a user and get an access token in return.

For teams building backends with a monolithic, microservices, or even serverless architecture, the Client API fits right in. You no longer have to host API endpoints to authenticate mobile and frontend clients, or add the operational overhead of hosting an authentication service. Our team deploys and monitors the Client API, ensuring high availability and responsive service.

Many development teams rely on Stormpath for more than just authentication, and the Client API is designed to work in tandem with other Stormpath services. After frontend clients authenticate with the Client API, other services can authorize access to user data and, in the near future, power other key workflows.

We think the Stormpath Client API is a more intuitive experience for frontend and mobile developers, and we’re excited to see what you build with it!

Authenticate Users with the Client API

In the Stormpath Admin Console, you’ll see a new policy attached to each application: the Client API policy. New apps using Stormpath automatically have the Client API enabled, but you’ll have to enable the Client API for existing apps. Once you do, you’ll be able to pick a Client API domain name. The domain lets you customize the URL at which the Client API is hosted. I’ve picked for my Client API:


This domain will host API endpoints for registration, login, and password reset flows. These endpoints are fully configurable with the Client API policy. For instance, you can disable registration if your application is invite-only, or choose to expose your users’ groups on the user data endpoint.

To authenticate against Stormpath, you can make a standard OAuth call to an application, and get an access and refresh token. This access token is a standard Stormpath access token, signed by the API key selected in your Client API Policy.

Access User Data with the Client API

With the access token, you can perform basic tasks with the Client API. For instance, I can grab my account’s data with a request to the /me endpoint:

Just like the other endpoints, this is fully configurable, and you can decide to expose custom data, groups, and other fields from the user account in the Client API.

Authorize Requests with Your Backend

With an access token from Stormpath, your web services still need to authenticate and authorize the end user. The access token proves that the user has authenticated with the Client API, and just as always, you can use our helpers to validate the Stormpath access token and protect access to your API endpoints. Data exposed by Stormpath can then be used to make authorization decisions, such as group checks or multi-tenancy. Using the Client API leaves you with access to all of Stormpath’s powerful functionality, and SDKs that make authentication and user management feel like a native part of your backend application.

For platforms without Stormpath SDKs, you can still use a standard JWT library to validate the access token, and call our REST API directly to retrieve user data. Other untrusted services can also validate tokens against Stormpath using the /me endpoint as discussed earlier, and interact with your user data securely.
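One way a backend without a Stormpath SDK could validate an access token locally, shown as an added example that is not Stormpath's code: it pins the signature algorithm, compares the MAC in constant time, refuses refresh tokens, and checks expiry. It assumes the token is an HS256 JWT signed with the API key secret, that it carries an `exp` claim, and that its type is marked in an `stt` header field; the secret and sample tokens are constructed.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-api-key-secret"  # constructed sample, not a real key
NOW = 1_700_000_000                      # fixed clock for the samples

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_token(header, claims, secret):
    """Build a sample token; stands in for the issuer, for test data only."""
    parts = [b64url_encode(json.dumps(p).encode()) for p in (header, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])

def validate_access_token(token, secret, now=None):
    """Return the claims of a valid, unexpired access token, else raise ValueError."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose (rejects "none" and others).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):  # constant-time compare
        raise ValueError("bad signature")
    # Trust header and claim values only once the signature checks out.
    if header.get("stt") != "access":  # assumed type field; refuse refresh tokens
        raise ValueError("not an access token")
    claims = json.loads(b64url_decode(claims_b64))
    current = time.time() if now is None else now
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        raise ValueError("missing exp")
    if claims["exp"] <= current:
        raise ValueError("expired")
    return claims

ACCESS = sign_token({"alg": "HS256", "stt": "access"},
                    {"sub": "constructed-account", "exp": NOW + 3600}, SECRET)

if __name__ == "__main__":
    print(validate_access_token(ACCESS, SECRET, now=NOW))
```

Local validation cannot see whether a token was revoked after it was issued; a service that needs that guarantee has to check with Stormpath as well.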

Try the Client API Today!

Want to learn more about the Client API? Read the Client API documentation, or use the Client API via the new Angular, React, iOS, or Android SDKs!

We’re excited to see what you build with the Client API. We hope that frontend and mobile teams will be able to build applications faster while maintaining the level of security your team expects from Stormpath. Backend developers will love the reduced overhead of authenticating straight from the frontend. They’ll no longer have to manage, test, and deploy API endpoints for authentication.

Over the next few months, you can expect to see us expand the functionality of the Client API and more to help your teams build applications even faster. Stay tuned!