AuthenticationPasswordsSDKs

Password Authentication with Backend SDKs

This guide is meant for developers that are NOT using Descope on the frontend to design login screens and authentication methods.

If you'd like to use Descope Flows, Quick Start should be your starting point. If you'd like to use our Client SDKs, refer to our Client SDK docs.

The Password-based authentication method lets you authenticate end users using a secret string of characters known only to the user.

Descope recommends using an email address as the user identifier; this allows you to utilize passwordless methods like Magic Link in addition to passwords. These methods could be used for authentication when users forget their password or need to reset it easily.

Use Cases

  1. New user signup: User Sign-Up returns a jwt for the user.
  2. Existing user signin: User Sign-In returns a jwt for the user.

Backend SDK

Install SDK

Terminal
npm i --save @descope/node-sdk
Terminal
pip3 install descope
Terminal
go get github.com/descope/go-sdk
// Include the following in your `pom.xml` (Maven)
<dependency>
    <artifactId>java-sdk</artifactId>
    <groupId>com.descope</groupId>
    <version>sdk-version</version> // Check https://github.com/descope/descope-java/releases for the latest versions
</dependency>
Terminal
gem install descope
Terminal
composer require descope/descope-php
Terminal
dotnet add package descope

Import and initialize SDK

import DescopeClient from '@descope/node-sdk';
try{
    //  baseUrl="<URL>" // When initializing the Descope client, you can also configure the baseUrl ex: https://auth.company.com  - this is useful when you utilize a custom domain within your Descope project.
    const descopeClient = DescopeClient({ projectId: '__ProjectID__' });
} catch (error) {
    // handle the error
    console.log("failed to initialize: " + error)
}
from descope import (
    REFRESH_SESSION_TOKEN_NAME,
    SESSION_TOKEN_NAME,
    AuthException,
    DeliveryMethod,
    DescopeClient,
    AssociatedTenant,
    RoleMapping,
    AttributeMapping,
    LoginOptions
)
try:
    # You can configure the baseURL by setting the env variable Ex: export DESCOPE_BASE_URI="https://auth.company.com  - this is useful when you utilize custom domain within your Descope project."
    descope_client = DescopeClient(project_id='__ProjectID__')
except Exception as error:
    # handle the error
    print ("failed to initialize. Error:")
    print (error)
import "github.com/descope/go-sdk/descope"
import "github.com/descope/go-sdk/descope/client"

// Utilizing the context package allows for the transmission of context capabilities like cancellation
//      signals during the function call. In cases where context is absent, the context.Background()
//      function serves as a viable alternative.
//      Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
import (
	"context"
)

// DescopeBaseURL // within the client.Config, you can also configure the baseUrl ex: https://auth.company.com  - this is useful when you utilize a custom domain within your Descope project.

descopeClient, err := client.NewWithConfig(&client.Config{ProjectID:"__ProjectID__"})
if err != nil {
    // handle the error
    log.Println("failed to initialize: " + err.Error())
}
import com.descope.client.Config;
import com.descope.client.DescopeClient;

var descopeClient = new DescopeClient(Config.builder().projectId("__ProjectID__").build());
require 'descope'

@project_id = ENV['__ProjectID__']
@client = Descope::Client.new({ project_id: @project_id})
require 'vendor/autoload.php';
use Descope\SDK\DescopeSDK;
 
$descopeSDK = new DescopeSDK([
    'projectId' => $_ENV['__ProjectID__'],
]);
// appsettings.json

{
  "Descope": {
    "ProjectId": "__ProjectID__",
    "ManagementKey": "DESCOPE_MANAGEMENT_KEY"
  }
}

// Program.cs

using Descope;
using Microsoft.Extensions.Configuration;

// ... In your setup code
var config = new ConfigurationBuilder()
  .AddJsonFile("appsettings.json")
  .Build();

var descopeProjectId = config["Descope:ProjectId"];
var descopeManagementKey = config["Descope:ManagementKey"];

var descopeConfig = new DescopeConfig(projectId: descopeProjectId);
var descopeClient = new DescopeClient(descopeConfig)
{
    ManagementKey = descopeManagementKey,
};

User Sign-Up

For registering a new user, your application client should accept user information, including an email or phone number used for verification. The application client should then send this information to your application server. Signing up via password returns the user's JWT.

// Args:
//    loginId (str): The login ID of the user being signed up
const loginId = "email@company.com"
//    password (str): The new user's password
const password = "xxxxxx"
//    user (dict) optional: Preserve additional user metadata in the form of
const user = { "name": "Joe Person", "phone": "+15555555555", "email": "email@company.com"}

const resp = await descopeClient.password.signUp(loginId, password, user);
if (!resp.ok) {
  console.log("Failed to sign up via password")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully signed up via password")
  console.log(resp);
}
# Args:
#    login_id (str): The login ID of the user being signed up
login_id = "email@company.com"
#    password (str): The new user's password
password = "xxxxxx"
#    user (dict) optional: Preserve additional user metadata in the form of
user = { "name": "Joe Person", "phone": "+15555555555", "email": "email@company.com"}
#   audience (str | Iterable[str] | None): Optional audience to validate against the session token's aud claim 
audience = "xxxx"

try:
  resp = descope_client.password.sign_up(login_id=login_id, password=password, user=user, audience=audience)
  print ("Successfully signed up via password")
  print (resp)
except AuthException as error:
  print ("Failed to sign up via password")
  print ("Status Code: " + str(error.status_code))
  print ("Error: " + str(error.error_message))
// Args:
//    ctx: context.Context - Application context for the transmission of context capabilities like
//        cancellation signals during the function call. In cases where context is absent, the context.Background()
//        function serves as a viable alternative.
//        Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
ctx := context.Background()
//    loginID (str): The login ID of the user being signed up
loginID := "email@company.com"
//    user (descope.User): Optional user object to populate new user information.
user := &descope.User{
  Name: "Joe Person",
  Phone: "+15555555555",
  Email: loginID,
}
//    password (str): The new user's password
password := "xxxxxx"
//   w: ResponseWriter to update with correct session details. You can return this to your client for setting the cookies which are used for session validation. This code should go into your application server route handling the verification of code.

resp, err := descopeClient.Auth.Password().SignUp(ctx, loginID, user, password, w)
if (err != nil){
  fmt.Println("Failed to sign up via password: ", err)
} else {
  fmt.Println("Successfully signed up via password", resp)
}
// Every user must have a loginID. All other user information is optional
String loginId = "email@company.com";
User user = User.builder()
    .name("Joe Person")
    .phone("+15555555555")
    .email(loginId)
    .build();
String password = "qYlvi65KaX";
LoginOptions lo = {
  customClaims: {
    claim1: 'yes'
  }
}
PasswordService ps = descopeClient.getAuthenticationServices().getPasswordService();

try {
  AuthenticationInfo info = ps.signUp(loginId, user, password, lo);
} catch (DescopeException de) {
  // Handle the error
}
# Every user must have a login_id and a password. All other user information is optional
login_id = 'desmond@descope.com'
password = 'qYlvi65KaX'
user = {
    name: 'Desmond Copeland',
    email: login_id,
}
jwt_response = descope_client.password_sign_up(login_id:, password:, user:)
 session_token = jwt_response[Descope::Mixins::Common::SESSION_TOKEN_NAME].fetch('jwt')

 refresh_token = jwt_response[Descope::Mixins::Common::REFRESH_SESSION_TOKEN_NAME].fetch('jwt')
$response = $descopeSDK->auth->password->signUp("loginId", "password123");
print_r($response);

User Sign-In

For authenticating a user, your application client should accept the user's identity (typically an email address or phone number) and password. The application client should send this information to your application server. Signing in via password returns the user's JWT.

// Args:
//    loginId (str): The login ID of the user being signed in
const loginId = "email@company.com"
//    password (str): The user's password
const password = "xxxxxx"

const resp = await descopeClient.password.signIn(loginId, password);
if (!resp.ok) {
  console.log("Failed to sign in via password")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully signed in via password")
  console.log(resp);
}
# Args:
#    login_id (str): The login ID of the user being signed in
login_id = "email@company.com"
#    password (str): The user's password
password = "xxxxxx"
#   audience (str | Iterable[str] | None): Optional audience to validate against the session token's aud claim 
audience = "xxxx"

try:
  resp = descope_client.password.sign_in(login_id=login_id, password=password, audience=audience)
  print ("Successfully signed in via password")
  print (resp)
except AuthException as error:
  print ("Failed to sign in via password")
  print ("Status Code: " + str(error.status_code))
  print ("Error: " + str(error.error_message))
// Args:
//    ctx: context.Context - Application context for the transmission of context capabilities like
//        cancellation signals during the function call. In cases where context is absent, the context.Background()
//        function serves as a viable alternative.
//        Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
ctx := context.Background()
//    loginID: The login ID of the user being signed in
loginID := "email@company.com"
//    password (str): The user's password
password := "xxxxxx"
//   w: ResponseWriter to update with correct session details. You can return this to your client for setting the cookies which are used for session validation. This code should go into your application server route handling the verification of code.

resp, err := descopeClient.Auth.Password().SignIn(ctx, loginID, password, w)
if (err != nil){
  fmt.Println("Failed to sign in via password: ", err)
} else {
  fmt.Println("Successfully signed in via password", resp)
}
// Every user must have a loginID. All other user information is optional
String loginId = "email@company.com";
User user = User.builder()
    .name("Joe Person")
    .phone("+15555555555")
    .email(loginId)
    .build();
String password = "qYlvi65KaX";

PasswordService ps = descopeClient.getAuthenticationServices().getPasswordService();

LoginOptions lo = {
  customClaims: {
    claim1: 'yes'
  }
}
try {
  AuthenticationInfo info = ps.signIn(loginId, password, lo);
} catch (DescopeException de) {
  // Handle the error
}
jwt_response = descope_client.password_sign_in(login_id:, password:)
 session_token = jwt_response[Descope::Mixins::Common::SESSION_TOKEN_NAME].fetch('jwt')

 refresh_token = jwt_response[Descope::Mixins::Common::REFRESH_SESSION_TOKEN_NAME].fetch('jwt')
$response = $descopeSDK->auth->password->signIn("loginId", "password123");
print_r($response);

Update Password

Update a password for an existing logged in user using their refresh token.

// Args:
//    loginId (str): The login ID of the user who's information is being updated
const loginId = "email@company.com"
//    newPassword (str): The new password to use
const newPassword = "xxxxxx"
//    token (str): The session's refresh token (used for verification)
const token = "xxxxxx"

const resp = await descopeClient.password.update(loginId, newPassword, token);
if (!resp.ok) {
  console.log("Failed to update password")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully updated password")
}
# Args:
#    login_id (str): The login ID of the user who's information is being updated
login_id = "email@company.com"
#    new_password (str): The new password to use
new_password = "xxxxxx"
#    refresh_token (str): The session's refresh token (used for verification)
refresh_token = "xxxxxx"

try:
  descope_client.password.update(login_id=login_id, new_password=new_password, refresh_token=refresh_token)
  print ("Successfully updated password")
except AuthException as error:
  print ("Failed to update password")
  print ("Status Code: " + str(error.status_code))
  print ("Error: " + str(error.error_message))
// Args:
//    ctx: context.Context - Application context for the transmission of context capabilities like
//        cancellation signals during the function call. In cases where context is absent, the context.Background()
//        function serves as a viable alternative.
//        Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
ctx := context.Background()
//    loginID: The login ID of the user who's information is being updated
loginID := "email@company.com"
//    newPassword (str): The new password to use
newPassword := "xxxxxx"
//    r: HttpRequest for the update call. This request should contain refresh token for the authenticated user.

err := descopeClient.Auth.Password().UpdateUserPassword(ctx, loginID, newPassword, r)
if (err != nil){
  fmt.Println("Failed to update password: ", err)
} else {
  fmt.Println("Successfully updated password")
}
// Every user must have a loginID. All other user information is optional
String loginId = "email@company.com";
String refreshToken = "xxxxx";
String newPassword = "qYlvi65KaXwegsd";

PasswordService ps = descopeClient.getAuthenticationServices().getPasswordService();

try {
  AuthenticationInfo info = ps.updateUserPassword(loginId, newPassword, r);
} catch (DescopeException de) {
  // Handle the error
}
# The refresh token is required to make sure the user is authenticated.
err = descope_client.password_update(login_id:, new_password: 'xyz123', token: 'token-here')
$response = $descopeSDK->auth->password->update("loginId", "newPassword123", "refreshToken");
print_r($response);

Replace Password

Replace a password with a new one. The old password is used to authenticate the user before replacing the password. If the user cannot be authenticated, this operation will fail.

// Args:
//    loginId (str): The login ID of the user who's information is being replaced
const loginId = "email@company.com"
//    oldPassword (str): The user's current active password
const oldPassword = "xxxxxx"
//    newPassword (str): The new password to use
const newPassword = "xxxxxx"

const resp = await descopeClient.password.replace(loginId, oldPassword, newPassword);
if (!resp.ok) {
  console.log("Failed to replace password")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully replaced password")
}
# Args:
#    login_id (str): The login ID of the user who's information is being replaced
login_id = "email@company.com"
#    old_password (str): The user's current active password
old_password = "xxxxxx"
#    new_password (str): The new password to use
new_password = "xxxxxx"
#   audience (str | Iterable[str] | None): Optional audience to validate against the session token's aud claim 
audience = "xxxx"

try:
  resp = descope_client.password.replace(login_id=login_id, old_password=old_password, new_password=new_password, audience=audience)
  print ("Successfully replaced password")
except AuthException as error:
  print ("Failed to replace password")
  print ("Status Code: " + str(error.status_code))
  print ("Error: " + str(error.error_message))
// Args:
//    ctx: context.Context - Application context for the transmission of context capabilities like
//        cancellation signals during the function call. In cases where context is absent, the context.Background()
//        function serves as a viable alternative.
//        Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
ctx := context.Background()
//    loginID: The login ID of the user who's information is being replaced
loginID := "email@company.com"
//    oldPassword (str): The user's current active password
oldPassword := "xxxxxx"
//    newPassword (str): The new password to use
newPassword := "xxxxxx"

err := descopeClient.Auth.Password().ReplaceUserPassword(ctx, loginID, oldPassword, newPassword)
if (err != nil){
  fmt.Println("Failed to replace password: ", err)
} else {
  fmt.Println("Successfully replaced password")
}
// Every user must have a loginID. All other user information is optional
String loginId = "email@company.com";
String password = "qYlvi65KaX";
String newPassword = "sdgoh90"
PasswordService ps = descopeClient.getAuthenticationServices().getPasswordService();

try {
  AuthenticationInfo info = ps.replaceUserPassword(loginId, password, newPassword);
} catch (DescopeException de) {
  // Handle the error
}

# Replaces the user's current password with a new one
jwt_response = descope_client.password_replace(login_id: 'login', old_password: '1234', new_password: '4567')
 session_token = jwt_response[Descope::Mixins::Common::SESSION_TOKEN_NAME].fetch('jwt')

 refresh_token = jwt_response[Descope::Mixins::Common::REFRESH_SESSION_TOKEN_NAME].fetch('jwt')
$response = $descopeSDK->auth->password->replace("loginId", "oldPassword123", "newPassword123");
print_r($response);

Reset Password

Sends a password reset prompt to the user with the given login id according to the password settings defined in the Descope console.

Note

The user's email must be verified in order for the password reset method to complete.

// Args:
//    loginId (str): The login ID of the user who's password is being reset
const loginId = "email@company.com"
//    redirectURL (str): Optional parameter that is used by Magic Link.
const redirectURL = "http://auth.company.com/api/verify_magiclink"
//    templateOptions (TemplateOptions): Password reset email template options
const templateOptions = {"option": "Value1"}

const resp = await descopeClient.password.sendReset(loginId, redirectURL, templateOptions);
if (!resp.ok) {
  console.log("Failed to send password reset")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully sent password reset")
}
# Args:
#     login_id (str): The login ID of the user who's password is being reset
login_id = "email@company.com"
#     redirect_url (str): Optional parameter that is used by Magic Link.
redirect_url = "http://auth.company.com/api/verify_magiclink"
#   template_options (dict): email template options
template_options = {"option": "Value1"}

try:
  resp = descope_client.password.send_reset(login_id=login_id, redirect_url=redirect_url, template_options=template_options)
  print ("Successfully sent password reset")
  print (resp)
except AuthException as error:
  print ("Failed to send password reset")
  print ("Status Code: " + str(error.status_code))
  print ("Error: " + str(error.error_message))
// Args:
//    ctx: context.Context - Application context for the transmission of context capabilities like
//        cancellation signals during the function call. In cases where context is absent, the context.Background()
//        function serves as a viable alternative.
//        Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
ctx := context.Background()
//    loginID: The login ID of the user who's password is being reset
loginID := "email@company.com"
//    redirectURL (str): Optional parameter that is used by Magic Link.
redirectURL := "http://auth.company.com/api/verify_magiclink"
//    templateOptions (TemplateOptions): Password reset email template options
templateOptions := map[string]any{"option": "Value1"}

err := descopeClient.Auth.Password().SendPasswordReset(ctx, loginID, redirectURL)
if (err != nil){
  fmt.Println("Failed to send password reset: ", err)
} else {
  fmt.Println("Successfully sent password reset")
}
// Every user must have a loginID. All other user information is optional
String loginId = "email@company.com";
String redirectUrl = "<redirect_url>";
PasswordService ps = descopeClient.getAuthenticationServices().getPasswordService();

try {
  AuthenticationInfo info = ps.sendPasswordReset(loginId, redirectUrl);
} catch (DescopeException de) {
  // Handle the error
}
# Start the reset process by sending a password reset prompt. In this example we'll assume
# that magic link is configured as the reset method. The optional redirect URL is used in the
# same way as in regular magic link authentication.
login_id = 'desmond@descope.com'
redirect_url = 'https://myapp.com/password-reset'
descope_client.password_reset(login_id:, redirect_url:)
$redirectURL = "https://example.com/reset";
$response = $descopeSDK->auth->password->sendReset("loginId", $redirectURL);
print_r($response);

Get Password Policy

Get the configured password policy for the project.

// Args:
//     None

const resp = await descopeClient.password.policy();
if (!resp.ok) {
  console.log("Failed to get password policy")
  console.log("Status Code: " + resp.code)
  console.log("Error Code: " + resp.error.errorCode)
  console.log("Error Description: " + resp.error.errorDescription)
  console.log("Error Message: " + resp.error.errorMessage)
}
else {
  console.log("Successfully retrieved password policy")
  console.log(resp)
}
# Args:
#     None

try:
  resp = descope_client.password.get_policy()
  print ("Successfully returned password policy")
  print (resp)
except AuthException as error:
  print ("Failed to return password policy")
  print ("Status Code: " + str(error.status_code))
  print ("Error: " + str(error.error_message))
// Args:
//    ctx: context.Context - Application context for the transmission of context capabilities like
//        cancellation signals during the function call. In cases where context is absent, the context.Background()
//        function serves as a viable alternative.
//        Utilizing context within the Descope GO SDK is supported within versions 1.6.0 and higher.
ctx := context.Background()

resp, err := descopeClient.Auth.Password().GetPasswordPolicy(ctx)
if (err != nil){
  fmt.Println("Failed to return password policy: ", err)
} else {
  fmt.Println("Successfully returned password policy", resp)
}
PasswordService ps = descopeClient.getAuthenticationServices().getPasswordService();

try {
  AuthenticationInfo info = ps.getPasswordPolicy();
} catch (DescopeException de) {
  // Handle the error
}
descope_client.get_password_policy(refresh_token)
$response = $descopeSDK->auth->password->getPolicy();
print_r($response);

Session Validation

The final step of completing the authentication with Descope is to validate the user session. Descope provides rich session management capabilities, including configurable session timeouts and logout functions. You can find the details and sample code for backend session validation here.

Checkpoint

Your application is now integrated with Descope. Please test with sign-up or sign-in use case.

Need help?
Was this helpful?
SparklesAsk AI about this pageArrowRight

Mobile SDKs

Add password authentication to your application using Descope Mobile SDKs. Read the detailed implementation guide with sample code.

Settings

Customize your password authentication settings with Descope.

On this page

Password Authentication with Backend SDKsUse CasesUser Sign-UpUser Sign-InUpdate PasswordReplace PasswordReset PasswordGet Password PolicySession Validation