Mituyu authentication is relatively simple - you can see it in the steps below. You'll need a secret key, which you can get using the console.
set-up
add Mituyu to your website
As part of your authentication flow, you'll need to include the Mituyu JS file in your site. You do this with a script tag in your HTML's <head> section:
<script type="text/javascript" src="https://staging.mituyu.com/embed.js"></script>
your server
create your user key
First, you'll need to generate a unique key for your user, either numeric (which the API will automatically MD5 hash) or a 32-character hex string. You'll need to use this key to authenticate the user, so if it was randomly generated (as opposed to derived from their id in your database), you'll need to store it.
If you're using either the node.js or .NET library, you can skip this step, and pass any unique string you like as a user key - the library will hash it for you.
Here's an example key:
Great - you've decided how you're going to refer to your user - now it's time to onboard them!
server-side API call
on-board your user to Mituyu
Before you can authenticate a user, you of course need to on-board them with Mituyu. You do this with the /api/onboard endpoint, though it must be called server-side, as it contains your API secret:
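// `auth` is assumed to be a client object from the Mituyu node.js library; its setup is not shown here.
try {
  const result = await auth.onboard("user key");
  console.log(result);
} catch (err) {
  console.error(err);
}

curl https://mituyu.com/api/onboard/user key \
  --header "Authorization: your secret API key"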
client-side JS
challenge the user
In your website JS, call the asynchronous mituyu function with your challenge id - it'll return a boolean to tell you whether the on-boarding was successful:
await mituyu('the challenge id returned in step 2')

If you're curious, once you've on-boarded a user with their user key, go back to step 2 and try to make the on-boarding call again - it'll tell you that you're using a non-unique user key - i.e. Mituyu already has a record of that user for your instance.
Fantastic - you've on-boarded a user with Mituyu - you only need to do that part once. Below is the process for, once they've logged in with you, checking they are who they say they are!
server-side API call
create an authentication challenge
So - after someone has logged onto your site, in order to check them with this second factor, we need to create a challenge using that same user key that we on-boarded them with:
curl https://mituyu.com/api/authenticate/user key \
--header "Authorization: your secret API key"
client-side JS
challenge the user
Just as before, we take the challenge id and pass it to the mituyu function, which will return a boolean denoting their success:
await mituyu('the challenge id returned in step 4')

server-side API call
confirm that the challenge was met
We can't trust anything the client side tells us - the result could easily be spoofed. To that end, you actually check the results of the authentication from a server-side call. You don't need your API key for this part, though:
curl https://mituyu.com/api/check/challenge id

As an aside, if you called this before the user had authenticated, the result would be false. You can check the onboarding challenge from step 3 too, but there isn't really much point.
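The server-side half of the authentication steps above, as an added example that is not Mituyu's own code: the challenge id is stored in the server-side session when it is created, and the final decision uses only the /api/check result for that stored id, never the boolean or an id sent back by the browser. The response shapes (a JSON object with a `challenge` field, and a JSON `true`/`false` from the check), the session object and all function names are assumptions.

```javascript
// Added example: bind each Mituyu challenge to the server-side session and
// decide on the /api/check result only. Response shapes are ASSUMPTIONS.
const BASE = "https://mituyu.com/api";

// fetchImpl is injectable so the flow can be exercised offline.
function mituyuApi(secret, fetchImpl = globalThis.fetch) {
  const call = async (path, headers = {}) => {
    const res = await fetchImpl(`${BASE}/${path}`, { headers });
    if (!res.ok) throw new Error(`Mituyu returned HTTP ${res.status}`);
    return res.json();
  };
  return {
    // Assumed body: { "challenge": "<challenge id>" }
    authenticate: async (userKey) =>
      (await call(`authenticate/${encodeURIComponent(userKey)}`,
                  { Authorization: secret })).challenge,
    // Assumed body: JSON true or false. No API key is sent, as the page states.
    check: async (challengeId) =>
      (await call(`check/${encodeURIComponent(challengeId)}`)) === true,
  };
}

// Create the challenge and remember it in the server-side session.
async function startSecondFactor(session, userKey, api) {
  session.secondFactorOk = false;
  session.pendingChallenge = await api.authenticate(userKey);
  return session.pendingChallenge; // hand this id to the browser
}

// Ignore whatever the browser reported and check the stored id.
async function finishSecondFactor(session, api) {
  const challengeId = session.pendingChallenge;
  delete session.pendingChallenge; // one attempt per challenge
  if (!challengeId) return false; // nothing was issued for this session
  try {
    session.secondFactorOk = await api.check(challengeId);
  } catch {
    session.secondFactorOk = false; // fail closed on network or API errors
  }
  return session.secondFactorOk;
}
```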