About this section

In the Authentication section, you will find all the information about security and authentication on Smag Link APIs.

Log in within my application

How does it work?


How to process ?

STEP 1 : Get an applicationId

To get an applicationId, please contact SMAG at developers@smag.tech.

Our team will need a callback url to configure the authentification process.

STEP 2 : Get a login url

Use the Request a redirection URI for the Smag account Login page POST endpoint


STEP 3 : Display the login page


STEP 4 : Get the token

Use the token you will retrieve to call Smag Link APIs within your application.

Refresh a token

The token you got using the authentication process will expire after 24 hours.

You can refresh this token using the Renew a token after its expiration endpoint.





SMAG authentication works with an RS256 encryption algorithm.

RS256 (RSA signature with SHA-256) is an asymmetric algorithm and uses a public / private key pair: the identity provider has a private key (secret) used to generate the signature and the consumer of the JWT obtains a public key validate Signature. Because the public key, unlike the private key, does not need to be secure, most identity providers make it easily available and accessible to consumers (usually via a metadata URL).


Connection to a SMAG account in two steps:

  • User authentication, performed by a third party: security guarantor (password strength, brute force attack, confidentiality, uniqueness of a login / password)

  • Retrieving login information and redirection to the application with a token. This token allows you to open a work session.