Legacy Auth
Legacy authentication is the older method, in which credentials are sent with every single API request. For that reason, Token Auth is recommended instead.
How to Use It
Legacy Auth is off by default. Before using it, it must be enabled in your application settings in the Authgate dashboard.
Use LegacyAuthStrategy in your application. For complete implementation examples, see the SDK documentation.
How It Works Behind the Scenes
When you use legacy auth:
- Your app calls client.login() and stores the credentials
- For every request, the API client adds special headers:
  - x-api-username and x-api-password (for username/password)
  - OR x-api-license-code (for license codes)
- Authgate receives these headers and validates the credentials
- Authgate internally creates a 10-second session for the request
- The request is processed using this short-lived session
Under the hood, Authgate creates a temporary session for each legacy auth request. But since your app sends credentials with every request, you’re not benefiting from the security of reusable tokens - your credentials are still traveling over the network repeatedly.
Important Notes
- Use Token Auth Instead: Unless you have a specific reason, use Token Auth for better security
- HTTPS is Critical: Always use HTTPS to protect credentials in transit
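Because legacy auth places credentials in headers on every request, two client-side checks are worth having: never attach those headers to a non-HTTPS URL, and mask them before request headers reach any log. The sketch below is an added example, not Authgate SDK code; only the three header names come from this page, and the function names, URL and credential values are hypothetical.

```python
from urllib.parse import urlsplit

# The three header names are the ones listed on this page.
# Function names, URLs and credential values below are hypothetical.
CREDENTIAL_HEADERS = frozenset(
    {"x-api-username", "x-api-password", "x-api-license-code"}
)


def legacy_auth_headers(url, *, username=None, password=None, license_code=None):
    """Build the per-request credential headers, refusing non-HTTPS URLs."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("legacy auth credentials must only be sent over HTTPS")
    if license_code is not None:
        if username is not None or password is not None:
            raise ValueError("use username/password OR a license code, not both")
        return {"x-api-license-code": license_code}
    if not username or not password:
        raise ValueError("username and password are both required")
    return {"x-api-username": username, "x-api-password": password}


def redact_headers(headers):
    """Return a copy that is safe to log: credential header values are masked.

    HTTP header names are case-insensitive, so compare in lower case.
    """
    return {
        name: "[REDACTED]" if name.lower() in CREDENTIAL_HEADERS else value
        for name, value in headers.items()
    }


if __name__ == "__main__":
    # Constructed sample request; nothing is sent over the network.
    headers = {"Accept": "application/json"}
    headers.update(
        legacy_auth_headers(
            "https://api.example.test/v1/session",
            username="alice",
            password="constructed-password",
        )
    )
    print("log line:", redact_headers(headers))
```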