Session Creation Flow

Developer's Frontend
    ↓
Calls Backend API (/api/wink/session)
    ↓
Developer's Backend
    ↓
Calls Wink Session API (with credentials)
    ↓
Wink Backend
    ↓
Returns sessionId
    ↓
Developer's Backend
    ↓
Returns sessionId to Frontend
    ↓
Frontend includes sessionId in authorization URL

🔒 CRITICAL SECURITY:

  • Session creation MUST be done server-side
  • NEVER call the Wink Session API directly from the browser
  • NEVER expose clientSecret or credentials in client-side code
  • Always use a backend API endpoint as a proxy
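
One way to implement the backend proxy described above, as an added example that is not part of the original page or Wink's own code. The Wink Session API URL, the request body shape and the `WINK_*` configuration names are assumptions, and the origin allowlist is constructed; `returnUrl` and `cancelUrl` are validated because they arrive from the browser.

```javascript
// Added example: server-side session proxy. The upstream URL, request body
// and env names are assumptions, not Wink's documented API.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed

// Accept only absolute https URLs on an origin the application owns.
function isAllowedRedirect(value, allowed = ALLOWED_ORIGINS) {
  try {
    const url = new URL(value);
    return url.protocol === "https:" && allowed.has(url.origin);
  } catch {
    return false; // relative, malformed or missing URL
  }
}

// Framework-neutral handler for GET /api/wink/session: takes the query
// parameters and returns { status, body }. `fetchImpl` is injectable so the
// handler can be exercised offline.
async function handleSessionRequest(query, env, fetchImpl = fetch) {
  const { returnUrl, cancelUrl } = query;
  if (!isAllowedRedirect(returnUrl) || !isAllowedRedirect(cancelUrl)) {
    return { status: 400, body: { error: "invalid_redirect_url" } };
  }
  const upstream = await fetchImpl(env.WINK_SESSION_API_URL, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    // Hypothetical request shape; credentials come from server-side config
    // and never appear in anything sent to the browser.
    body: JSON.stringify({
      clientId: env.WINK_CLIENT_ID,
      clientSecret: env.WINK_CLIENT_SECRET,
      returnUrl,
      cancelUrl,
    }),
  });
  if (!upstream.ok) {
    // Do not relay the upstream error body to the browser.
    return { status: 502, body: { error: "session_creation_failed" } };
  }
  const data = await upstream.json();
  if (typeof data.sessionId !== "string" || data.sessionId === "") {
    return { status: 502, body: { error: "session_creation_failed" } };
  }
  // Return only the sessionId, nothing else from the upstream response.
  return { status: 200, body: { sessionId: data.sessionId } };
}
```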

Session ID Usage

Once you have the sessionId from your backend, create the Wink client with it in the configuration and then start the login flow. The SDK will automatically include the sessionId in the authorization URL.

1. Get the sessionId from your backend

Example request to your backend:

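// Ask your own backend (never the Wink Session API directly) for a session.
const response = await fetch(
  "/api/wink/session?" +
    new URLSearchParams({ returnUrl, cancelUrl })
);
if (!response.ok) {
  // Stop here rather than starting a login flow without a sessionId.
  throw new Error(`Session request failed: ${response.status}`);
}
const session = await response.json();

const sessionId = session.sessionId;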

2. Create the client with the sessionId and initialize login

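// Pass the sessionId returned by your backend into the client configuration.
const client = getWinkLoginClient({
  clientId,
  realm,
  cancelUrl,
  sessionId,
  // ...
});

// Start the login flow; the SDK adds the sessionId to the authorization URL.
client.winkInit({
  onLoad: "login-required",
  // ...
});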

The SDK will automatically attach the sessionId to the authorization request during the login flow.

