Skip to main content


Read about the Authentication Service

The Authentication service (also known as AuthN service) provides a secure and reliable mechanism for verifying the identity of users. It does not grant access to resources. An application can grant access to resources based on the user's identity provided by Authn. Authentication is a vital component in nearly every application’s operations. Authentication means making sure that a person or device is who (or what) they claim to be and ensures that data is not exposed to the wrong person. In an application, authentication is most commonly used for login and access to restricted, personal, or more sensitive areas of the application. In the future, AuthN can be used for service-to-service authentication, API authentication, and much more.

Pangea’s AuthN service

Pangea’s AuthN service is a cloud-based authentication service that provides secure login, session management, and user management through hosted pages and APIs. The AuthN service allows you to build a low-friction authentication flow that meets your security requirements while also seamlessly matching the look and feel of your app and organization image.

Quick view

What it doesProvides secure login, session management, and user management via hosted pages and APIs
Supported Languages
  • Provides multiple authentication methods via:
    • Username & password
    • Social authentication (via OAuth)
    • Passwordless (WebauthN) (coming soon)
    • SAML2 (coming soon)
    • Passkeys (coming soon)
  • Require multi-factor authentication (MFA) for increased security:
    • SMS
    • Email magic links
  • Manage users from within the Pangea Console
  • Brandable hosted pages allow for customization to match your brand’s theme
  • Drop-in client-side components for more native integration of auth flows into your app
  • Easy integration with Secure Audit Log


The security and authentication-related terminologies are not limited to the following:

  1. Access control: The process of granting or denying access to a resource based on the verified identity of the entity.

  2. Authentication factors: The information or evidence used to prove the identity of the entity, such as a password, security token, or biometric data.

  3. Authentication protocols: The procedures used to verify the identity of the entity, such as username/password authentication, multi-factor authentication, or single sign-on (SSO).

  4. Auditing: The process of recording and monitoring authentication events to ensure the security of the system and detect any unauthorized access attempts.

  5. Callback URI: The callback URL is called by the social authentication provider after the OAuth process is complete. The account information is not returned to a callback, but a code via a callback is returned, and the code can be used to access account information.

  6. Code: A one-time use code that can be exchanged for login session information at the end of a login flow.

  7. Developer Environment Settings: The developer environment settings will help you get started with the AuthN service settings quickly in a non-production environment.

    • Use default redirect: The development redirect is a hosted page that stands in for your applications page. It shows authentication results after a login. When ready this should be updated to your application domain.
    • Use development OAuth credentials for social providers: The development OAuth credentials allow users to log in through shared OAuth applications. When ready this should be updated to use your own configured OAuth applications.


Do not move to the production environment with the developer settings configured.

  1. Identification: The process of identifying the entity requesting access, such as a username or email address.

  2. Identity management: The process of managing the identity and authentication of users within an organization or system.

  3. Multi-factor authentication (MFA): A security method that requires the user to provide two or more authentication factors to verify their identities, such as a password and a fingerprint scan.

  4. Password: A secret code or phrase that a user creates to authenticate their identity.

  5. Redirect URL: A redirect URL is a callback that is used to transfer control flow back to an application after performing some operations for the application.

  6. Session: A session represents a logged-in user. It is valid as long as the user is logged in. Sessions end when the user logs out or is logged out after the session lifetime is exceeded.

  7. Session token / Refresh token: A user token is a short-lived token for an active logged-in user. A session token is a long-lived token for a logged-in user. Refreshing a session generates a new user token.

  8. Single sign-on (SSO): A method that allows users to log in to multiple applications or systems with a single set of credentials.

  9. State: A random, unpredictable parameter chosen by the application and used to maintain state across multiple page loads during a flow. This parameter must be at least 8 characters long, and when received in callbacks, should be verified against the original value chosen by the application.

  10. Token: A token refers to a code that you pass along that proves your identity. For example, there are user tokens, session tokens, and service tokens.

  11. Two-factor authentication (2FA): A security method that requires the user to provide two authentication factors, typically a password and a one-time code sent to a device.

Key concepts

User tokens are provided after a user has been Authenticated through Pangea's AuthN service. Session tokens can be used to refresh the session or to log out of the session.

Pangea supports the following two types of user tokens:

Opaque user tokens

Opaque user tokens are a string of characters that are used as proof of authentication. The token has no data embedded in it, encrypted or encoded. The token represents additional data, and AuthN stores additional data about the token, but the token itself is just random data with no meaning of its own. In Pangea Console, Opaque user tokens are generated when a user logs in to the console and requests access to Pangea applications or services. The Opaque user token is then included in subsequent requests to authenticate and authorize the user. When the server receives the Opaque user token, it verifies that the token is valid and contains the necessary permissions to access the requested resource. Opaque user tokens are used in Pangea Console to provide secure and granular access control to Pangea applications and services. By using Opaque user tokens, Pangea Console can ensure that only authorized users can access and modify sensitive data within Pangea applications.

Use opaque user tokens
  1. User authentication: When a user logs in to a web application, an opaque user token for the logged-in user is created. The user token is used to authenticate the user for its lifetime, but its lifetime might be shorter than the session lifetime. The user can get a new user token by refreshing the session using the session token, while the session has not expired.

  2. Single sign-on: Opaque user tokens can be used to enable single sign-on (SSO) across multiple web applications. When a user logs in to one application, the opaque user token can be shared with other applications to authenticate the user across multiple systems.

  3. Revocation: Opaque user tokens can be revoked if a user logs out or if there is suspicious activity on their account. This helps to prevent unauthorized access to the user's account.

JSON Web Tokens (JWTs)

JWT is a token format. Tokens are used for authentication (proving identity) and are often used for making authorization decisions. JWTs can be useful in high-volume HTTP server scenarios because JWT verification can often be performed offline. AuthN returns and supports JWTs. After your user authenticates, the AuthN service can send you JWTs which include the data in the following format:

  • A header - Specifies what format the body is in, and information about how the body is signed
  • A payload - Contains who the user is and what they can do
  • A signature - Verifies that the token is valid

JWTs returned by the AuthN service are Base64 encrypted and you will need a JWT library to decode them. In general, a JWT contains three components: header, payload, and signature, and are self-contained. Self-contained means that a server receiving a JWT can exclusively use token details from a JWTs payload to verify without having to make other calls.

  • Self-contained
  • Cannot be revoked
  • Shorter expiration time
  • More complex to manage than session IDs
Use JWTs
  1. User authentication: When a user logs into a web application, the application generates a JWT token that contains user data and authentication information. The token is then used to authenticate the user for the duration of their session.

  2. Authorization: JWTs can be used to grant access to specific resources or actions within a web application. The token contains information about the user's identity and the application can use this information to determine whether the user is authorized to access a particular resource.

  3. Single sign-on: JWTs can be used to enable single sign-on (SSO) across multiple web applications. When a user logs in to one application, the JWT token can be shared with other applications to authenticate the user across multiple systems.

  4. Security: JWTs provide a means of authentication, but not authorization. Applications can authorize users to use information from JWTs, but JWTs themselves do not authorize it.


JWTs typically do not support revocation. Pangea does not support JWT revocation but recommends short lifetimes for JWT user tokens.

Libraries and packages

The following authentication libraries and packages are available:

Was this article helpful?

Contact us