Request Orchestration Tokens

Request orchestration tokens allow clients to delegate authentication to another first-party identity client of the same account.

This is done by serializing the request into an opaque token that is included as a query parameter in the login URL of your choice. Our web core/UI SDKs will then automatically detect the token and include it when authenticating end-users.

Orchestrated flows are supported from version 1.24.0 for the Core SDK and version 1.16.0 for the UI SDK.

orchestration token technical
  1. A client application performs an authentication request.

  2. The authorization server assesses the user’s SSO session.

    1. In the absence of an SSO session, users are redirected to the configured login page operated by another identity client.

    2. Following user authentication, the underlying request is resumed.

  3. An authorization code is issued for the client.

Steps 4-5 represent your typical session management in which the authorization code or refresh token are exchanged for a set of fresh tokens.


To enable the request orchestration for your client:

  1. Go to your desired first-party identity client in your ReachFive Console. Or create a new one.

  2. Scroll down to Login URL.

  3. Enter a Login URL.

  1. Enable the Attach orchestration token option. This token is detected by the web SDKs and is automatically included in authentication flows.

login url orchestration token enable


You have a centralized login web page that you wish to use for all of your applications (including native apps). Using the iOS or Android SDKs, you may authenticate end-users through that page by calling the:

If end-users already have a valid SSO session, they will be immediately redirected to your app with an authorization code.