Service Account Authentication Documentation

Complete guide to device authentication using localStorage

Manage Devices

Overview

The service account authentication system allows kiosks, tablets, and other devices to authenticate without interactive login. This system uses localStorage instead of cookies to store session tokens, making it compatible with all browsers and devices.

Key Features

  • Long-lived refresh tokens (1 year validity)
  • Session tokens stored in localStorage (not cookies)
  • Role-based access control (admin, staff, viewer, signintablet)
  • Centralized device management and revocation
  • No interactive login required for devices

How It Works

1

Device Provisioning

An administrator provisions a new device at /admin/devices, specifying the device name, identifier, and role. A long-lived refresh token is generated and shown once.

2

Token Exchange

The device exchanges the refresh token for a session token by calling /api/auth/device/token. The session token is stored in localStorage.

3

Session Validation

On each page load, the device validates its session token by calling /api/auth/device/validate. If valid, the user information is retrieved.

4

Access Control

The device's role determines what pages and features it can access. Permissions are checked on each request based on the authenticated user's role.

API Endpoints

POST/api/auth/device/token

Exchange a refresh token for a session token

View details

Request:

{
  "refresh_token": "your-refresh-token-here"
}

Response:

{
  "success": true,
  "session_token": "session-token-here",
  "expires_at": "2026-01-20T12:00:00Z",
  "user": {
    "id": 123,
    "name": "Device Name",
    "email": "device@serviceaccount.local",
    "role": "signintablet"
  }
}
POST/api/auth/device/validate

Validate a session token and get user information

View details

Request:

{
  "session_token": "your-session-token-here"
}

Response:

{
  "success": true,
  "valid": true,
  "user": {
    "id": 123,
    "name": "Device Name",
    "email": "device@serviceaccount.local",
    "role": "signintablet"
  },
  "session": {
    "sessionToken": "session-token-here",
    "expires": "2026-01-20T12:00:00Z"
  }
}

React Hooks

useDeviceAuth Hook

Complete authentication management including login, logout, and session validation.

const {
  isAuthenticated,
  isLoading,
  user,
  error,
  authenticateDevice,
  validateSession,
  logout
} = useDeviceAuth();

// Authenticate with refresh token
await authenticateDevice(refreshToken);

// Validate current session
await validateSession();

// Logout
logout();

useDeviceUser Hook

Simplified hook for getting current user information.

const { data: user, loading, error, refetch } = useDeviceUser();

if (loading) return <div>Loading...</div>;
if (error) return <div>Error: {error}</div>;
if (!user) return <div>Not authenticated</div>;

return <div>Welcome, {user.name}!</div>;

localStorage Keys

KeyDescription
device_session_tokenThe current session token used for authentication
device_session_expiresISO 8601 timestamp when the session expires
device_userJSON string containing cached user information

Security Best Practices

Store refresh tokens securely

Never commit refresh tokens to version control. Use environment variables or secure configuration management.

Revoke compromised tokens immediately

If a device is lost or a token is compromised, revoke it at /admin/devices and provision a new device.

Use appropriate roles

Assign the minimum required role for each device. Sign-in tablets should use the "signintablet" role, not "admin".

Monitor device usage

Regularly review the "Last Used" timestamp in the device management page to identify inactive or suspicious devices.

Testing & Debugging

Test Page

Use the test page to verify device authentication is working correctly:

Open Test Page

Status Page

View authentication status and page permissions:

Open Status Page