In this Article

  1. What is Passwordless Login?

  2. Locating Passwordless Login

  3. Obtaining Your Security Key

  4. Creating a JSON Web Token (JWT)



What is Passwordless Login?

Passwordless login allows learners to access lessons or paths without providing authentication details by following URLs with an authentication token appended to them. They will be logged in without having to enter a password if the authentication token is valid. To turn on this feature, contact your Account Manager or email Support at support@lessonly.com.

Note: Ensure that you've set up another form of user management before using passwordless login.


Locating Passwordless Login

Once enabled, navigate to the Settings menu by clicking the gear icon in the upper right-hand corner, then select Passwordless Login.

After selecting Passwordless Login, the admin (or a user with company permission settings) will see this page:

To create an authentication token, the admin will need two pieces of information: a Security Key and a JSON Web Token (JWT). More on the latter in a moment!


Obtaining Your Security Key

Each company has a unique security key that digitally signs and generates an authentication token. This key will be used to authenticate users.

Note: Regenerating a security key will automatically invalidate previously generated authentication tokens.

You'll need this security key and a Lessonly user ID to generate a unique JSON Web Token (JWT). This token, in turn, will be appended to a content URL, turning it into a passwordless login URL.


Creating a JSON Web Token (JWT)

JSON Web Token (JWT) is an open industry standard for sharing security information between two parties, a client (customer) and a server (Lessonly). JWTs are signed using a cryptographic algorithm to ensure that claims cannot be altered after the token is issued.

To create a JSON web token, navigate to the JWT debugger and set the algorithm drop-down to HS256.

Under the Decoded column on the right side of the page, you'll see three text fields: header, payload, and verify signature.

Header should read as follows:


Edit the payload field to include one of your company's user IDs and the date on which the token will expire. The expiration date should be entered as a Unix timestamp. Your payload should look like this example:

Note: Lessonly user IDs can be located in the URL of the user's overview page.

In the Verify Signature pane, look for an HMACSHA256 function with a few parameters inside it. Copy your security key value from Lessonly's passwordless login page, then paste it into the parameter your-256-bit-secret.

Make sure this placeholder text is completely erased before pasting in the security key value.

💡 You won't need to select the "secret base64 encoded" checkbox.

Now copy the Encoded value in the left column. This is the token you'll add after the "?auth_token=" query parameter for your passwordless lesson URL.

Your content URL should look like the example below:

https://subdomain.lessonly.com/lesson/123456?auth_token=9a9d4r4w.73eda.fae3rt


Users can follow URLs such as this one to access Lessonly content without entering a password. Once they've logged in, users can access their Learn tab and all other content in their accounts. Note that passwordless login is only an authentication method; it cannot be used to create new users.
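The debugger steps above can also be carried out locally, so the security key never leaves your machine. The following is an added example, not Lessonly's own code: it signs an HS256 token with the Python standard library, builds the passwordless URL, and shows the check a verifier performs to reject altered claims or expired tokens. The claim names `user_id` and `exp` are assumptions (`exp` is the standard JWT expiry claim); use the names shown on your passwordless login page.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    # JWT uses URL-safe base64 with the trailing '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(signing_input: str, security_key: str) -> bytes:
    # Key is used as raw text, i.e. "secret base64 encoded" left unchecked
    return hmac.new(security_key.encode(), signing_input.encode(), hashlib.sha256).digest()


def sign_hs256(claims: dict, security_key: str) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    return ".".join(parts + [b64url(_mac(".".join(parts), security_key))])


def verify_hs256(token: str, security_key: str, now: int) -> dict:
    try:
        head, body, sig = token.split(".")
        header, claims = (json.loads(b64url_decode(p)) for p in (head, body))
        sig_bytes = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    # Constant-time comparison; any change to header or payload changes the MAC
    if not hmac.compare_digest(sig_bytes, _mac(f"{head}.{body}", security_key)):
        raise ValueError("bad signature")
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims


def passwordless_url(content_url: str, token: str) -> str:
    return f"{content_url}?auth_token={token}"
```

Call `sign_hs256({"user_id": <id>, "exp": <unix timestamp>}, <security key>)` and pass the result to `passwordless_url` with the lesson or path URL; keep `exp` as short as the use case allows, since anyone holding the URL is logged in as that user until it expires.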


Questions? Please email Support at support@lessonly.com 
