Anonymous endpoint

The Anonymous endpoint is a non-authenticated endpoint that is used by some authenticators to provide out-of-band access to the authenticator. A good example is the SMS authenticator that allows the user to click a hyperlink in the SMS to move the authentication forward. This requires the phone to access an endpoint without having a session or being in an authentication flow on that device. The SMS authenticator therefore exposes this link on the anonymous endpoint where no such requirements exist.

Transaction Metadata route

The Transaction Metadata route is a route on the anonymous endpoint that always exist. It is located under transaction-metadata under the configured path for the endpoint. This endpoint contains information about the current ongoing authentication or registration transaction. This is tied to the current session cookie that is tied to the user’s browser. By querying this api using Javascript Ajax, it’s possible for the client-side to find out things that happens.

Typical information that can be found is

  • What URL did the user enter to start the transaction

  • What events have occured

    • Account activated
    • Authentication
    • Registration

However this API will NOT describe any particulars about the user, not even the username. This is a pure metadata API, that can be used to shape the user experience from a UX perspective.


If the anonymous endpoint is configured with path /anonymous then the transaction metadata is found under /anonymous/transaction-metadata

Using the Metadata endpoint

The metadata endpoint is protected against CSRF attacks, and all calls must pass in the CSRF token in order to gain access. This CSRF token is available as a Template variable in all templates called _csrfToken.

There is also a helper JavaScript library that can call the endpoint and return the Json response, and helps with passing in the CSRF token. The JavaScript helper is located in the curity.js helper script and is called se.curity.utils.transmeta

There is also a helper template that can be included in a page to provide pre-configured access:

Example Script that polls the metadata endpoint every 2 seconds:


        <!-- some content -->

        <!-- Include the template -->
                var doCall = function(){
                                console.log("Failed", err)

                setTimeout(doCall, 2000);


Example setting the CSRF token in an AJAX request

    url: transactionMetaUrl,
    method: "GET",
    beforeSend: function (xhr) {
        xhr.setRequestHeader('X-CSRF-TOKEN', csrfToken);
}).done(function (json) {
}).fail(function (err) {
    //OH NO