Token Management

How the Android SDK manages your user's tokens

Use Passage Token Store

When you create an instance of Passage you also get an instance of PassageTokenStore, unless you choose to opt out of this functionality (see Manage tokens yourself).

Get auth token

You can access the current auth token this way:

val token = passage.tokenStore.authToken

Get refreshed auth token

If you've set up refresh tokens in your app (strongly recommended), the Passage Token Store handles refreshing the auth token for you before it expires. If you have short-lived auth tokens, it is highly recommended that you use the getValidAuthToken suspend method instead of the above property, so you don't have to worry about using an expired token.

suspend fun exampleGetRequest() {
    val token = passage.tokenStore.getValidAuthToken()
    // Use token
}

How are tokens stored?

Your user's auth token and refresh token are both stored on device using Android's own Encrypted Shared Preferences library. When you sign out your user, the tokens are revoked on the server and removed from the device.

Manage tokens yourself

If you would prefer to manage tokens yourself and not use Passage Token Store, simply copy and paste this into your app's strings.xml file:

<string name="use_passage_store">false</string>

Note that you will not be able to access passage.tokenStore when you set this.

Get tokens from auth methods

Any successful authentication call you make (see Passkey Authentication and Email/SMS Authentication) returns a PassageAuthResult which contains your user's auth token and refresh token.

For example:

suspend fun login() {
    try {
        val authResult = passage.loginWithPasskey()
        val authToken = authResult.authToken // String
        val refreshToken = authResult.refreshToken // String?
        val expiration = authResult.refreshTokenExpiration // Int?
    } catch (e: LoginWithPasskeyException) {
        // ..
    }
}

You can then store and manage them however you choose.

Authenticate PassageUser requests

To make a request on a PassageUser like user.changeEmail(newEmail), you'll first need to provide that auth token to the Passage class.

val user = passage.getCurrentUser()
user.changeEmail("[email protected]")

Refresh and revoke tokens

You can use the PassageToken methods to refresh or revoke tokens like this:

suspend fun getNewTokens(oldRefreshToken: String) {
    try {
        val authResult = PassageToken.refreshAuthToken(oldRefreshToken)
        val newAuthToken = authResult.authToken
        val newRefreshToken = authResult.refreshToken
        val newExpiration = authResult.refreshTokenExpiration
    } catch (e: PassageTokenException) {
        when (e) {
            is PassageTokenUnauthorizedException -> {
                // Refresh token is no longer valid
            }
            else -> {
                // ..
            }
        }
    }
}

suspend fun revokeToken(refreshToken: String) {
    try {
        // Revoke refreshToken here using the PassageToken revoke method
    } catch (e: PassageTokenException) {
        // ..
    }
}
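
For apps that set use_passage_store to false, here is an added example (not code from the Passage SDK or its documentation) of a self-managed store that keeps the PassageAuthResult fields in Encrypted Shared Preferences, the library the page says the Passage Token Store uses, and rotates them with PassageToken.refreshAuthToken. The class name, preference file and key names, and the Passage import paths are assumptions; MasterKey comes from the 1.1.0 releases of androidx.security:security-crypto.

```kotlin
import android.content.Context
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey
// Package paths for the Passage classes are assumed; the page gives only class names.
import id.passage.android.PassageAuthResult
import id.passage.android.PassageToken
import id.passage.android.exceptions.PassageTokenUnauthorizedException

class SelfManagedTokenStore(context: Context) { // hypothetical class
    // Keystore-backed master key; preference keys and values are encrypted at rest.
    private val prefs = EncryptedSharedPreferences.create(
        context.applicationContext,
        "self_managed_tokens", // hypothetical file name
        MasterKey.Builder(context.applicationContext)
            .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
            .build(),
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM,
    )

    val authToken: String? get() = prefs.getString(AUTH, null)
    val refreshToken: String? get() = prefs.getString(REFRESH, null)

    // Persist every field of a successful auth or refresh call in one write.
    fun save(result: PassageAuthResult) {
        val editor = prefs.edit().putString(AUTH, result.authToken)
        // refreshToken and its expiration are nullable: drop stale values instead of keeping them.
        result.refreshToken?.let { editor.putString(REFRESH, it) } ?: editor.remove(REFRESH)
        result.refreshTokenExpiration?.let { editor.putInt(REFRESH_EXP, it) } ?: editor.remove(REFRESH_EXP)
        editor.apply()
    }

    fun clear() = prefs.edit().clear().apply()

    // Exchange the stored refresh token and store the new pair.
    // Returns the new auth token, or null when the user has to sign in again.
    suspend fun refresh(): String? {
        val current = refreshToken ?: return null
        return try {
            PassageToken.refreshAuthToken(current).also { save(it) }.authToken
        } catch (e: PassageTokenUnauthorizedException) {
            clear() // refresh token is no longer valid: wipe the local copies
            null
        }
    }
    private companion object {
        const val AUTH = "auth_token"
        const val REFRESH = "refresh_token"
        const val REFRESH_EXP = "refresh_token_expiration"
    }
}
```

Other PassageTokenException subtypes propagate to the caller, so a transient failure does not wipe a refresh token that may still be valid.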
