Skip to content

Push Login⚓︎

By using push messages, a server-side application can actively push a login request to one or more mobile devices. The table below shows an overview of the three different types of push logins that can be used.

Push Login Call Description
provokeLogin Push login to the account that performed that latest successful login for the current session.
provokeLoginOnUser Push login to all accounts of a given user.
provokeLoginOnAccount Push login to a specific account.
WebSocket Equivalent to the provokeLogin API call, but triggered through the WebSocket


Each of the push login API calls requires a session identifier to which the authentication will be performed. In the case of provokeLogin the session identifier is also used to check the latest successful login, which determines the account where the push login will be sent to.

Each of the push login API calls can optionally also take a UserContext JSON object, including additional session information.

Choosing the Right Push Login Method⚓︎

The calls provokeLoginOnUser and provokeLoginOnAccount require a reference to respectively a user and an account. You should not rely on non-authenticated user input to determine the user/account to push a login to, as this can result in users receiving arbitrary push messages. Both calls can be used when a different authentication method is used first, as this gives some certainty about the user/account to push the login to.

In most cases provokeLogin is the recommended push method, as it will only work when a user has been previously logged in in the same session. To check if a push login with provokeLogin is possible, getSession can be called to retrieve LoginStatus.canprovoke. LoginStatus.canprovoke will only be true when a previous successful login was done on the session and, as a consequence, pushing a login is possible.


Through the WebSocket exposed by the nextAuth Server, one can also do a push login (based on the current session, equivalent to provokeLogin API call). Simply add a function provoke to the script listed here, which can then be triggered throughout the hosting page.

provoke: function(serverid, nonce){
    nextAuth.wssend("PROVOKE " + nonce + " " + serverid);

The function wsreceive also receives a cmd for changes with respect to the push login status: CONFIRMPROVOKE (when the user has received the push notification on the mobile) and CANPROVOKE (if one can do a push login based on the current session, equivalent to the canprovoke in the response from the getSession API call).