Now that you have successfully created Linked Accounts for your end-users, it’s time to create Session Tokens for your clients. The token creation should always happen server side. Session tokens are used to protect your Cobalt API key and make it easier to manage your end customers’ tokens. When your client makes a request to the Cobalt APIs, it must include the session token in the request header. The Cobalt APIs will then use the session token to authenticate the request and grant access to the requested resources. To generate Session Token for a Linked Account, you can use the Cobalt API or Cobalt’s Client Side SDK.

Cobalt API/SDK for Session Token

  1. Request : In your server side code, make a POST Request to the /session-token endpoint or call the .getTokenForLinkedAccount() method of the NodeJS SDK. The request should include the linked-account_id of the user for which the Session token is to be generated.
The session token gets expired in 24 hours. Please make sure you generate a new token in every new session or within 24 hours.
    curl --request POST \
  --url https://api.gocobalt.io/api/v2/public/session-token \
  --header 'Content-Type: application/json' \
  --header 'x-api-key: <api-key>' \
  --data '{
  "linked_account_id": "<string>"
}'
  1. Handle the response: Cobalt will respond with a JSON Object containing the token if request was successful. Parse the JSON response body and extract the token.
Response
{
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcmdfaWQiOiI2M2M5M2RhMGI0NmI3MjQzNzg1YTFlMTciLCJsaW5rZWRfYWNjb3VudF9pZCI6IjEyMzQ1Njc4IiwiZW52aXJvbm1lbnQiOiJ0ZXN0IiwiaWF0Ij"
}
  1. Store the Session token: It is critical to store Session tokens securely, as they grant access to sensitive user data. Implement a secure storage solution to store Session tokens and do not log or expose tokens to your frontend application.
  2. Handle Errors: If the /session-token endpoint returns a 500 error, your server-side code should handle it gracefully. The error is returned due to providing an incorrect linked_account_id while making the request.

Checkpoint + Next Step

After completing this step, you now have the Session Token for your Linked Accounts. But before you make the API Calls, first let’s Display the apps/integrations on Client-side.