Setting up an application

Integrate your blog, site or application with UNLOQ


The Authentication settings page allows you to define various aspects of your application's authentication requests and limitations.

Depending on the implementation type, the user will either be redirected to the login widget URL along with the authentication token in the query string under ?token=, or will pass the token to the JavaScript call that initiated the login process.

You must choose the one of the available authentication mechanisms between these three options:

  • The only authentication mechanism
  • As an alternative authentication mechanism
  • As the second factor

Furthermore, you will choose one or more authentication methods, depending on the desired level of security.

UNLOQ currently offers 3 authentication methods: via PUSH, OTP or E-mail login. PUSH authentication is enabled by default and will always be available for the user. You can choose secondary optional authentication methods for each of your applications.

Phone authentication (default)

When a user authenticates to your application using his phone via push notifications (the default login method, called UNLOQ), he is required to have his phone connected to the Internet and at his side. Once he enters his credentials (e-mail and additional device token, see above), a push notification will be routed to his device, describing the authentication request.

Once the user verifies the request, he may chose to approve or deny it. An approved request will generate an authentication access token.

Time-based one time password

This method allows users to authenticate with UNLOQ, using only their e-mail and their associated device token. It is best used when the user has no Internet connection on his device. It may be considered an offline login solution.

The device token is a time-based one-time-password, based on RFC-6238, reset once every minute. As this is an offline authentication method, users will not be able to perform remote logout.

E-mail login

This method is used by UNLOQ to authenticates users by sending an e-mail containing a unique URL. Once the user enters the URL, an authentication access token is generated and the user is redirected to the login url. As this should be the final resort of a user, the generated link is only available for 2 minutes, after which it expires. This method is exclusive to applications and cannot occur in a server-to-server authentication call.

Although this authentication method does not generally require users to have their device with them, to prevent spammy requests, the first time the user logs in from a new browser, they are requested to enter his device token. Once a successful authentication occurs, any subsequent login from the browser will not require the user to enter any additional information.

Authentication texts

Both the title and the message of an authentication action can contain variables that can be used in tandem with the authentication endpoint. Whenever we want to use variables in the authentication request we will always provide them inside the POST data.

The text you provide here will be sent out on each authentication request to the user's device, so that you can specify a customizable message for each of your applications. You can specify the text for the Push notification and the Authentication.

Authentication texts

The text you provide here will be sent out on each authentication request to the user's device, so that you can specify a customizable message for each of your applications.

Have a question? You can always send us an email at, or contact us on chat.

For security related concerns, please visit our Security page.