# Session Authenticate

## Authenticate with public key

> Based on an authentication request token signed by the caller's RSA private key,
> authenticate the API caller and return a session token.
>
> An HTTP 401 Unauthorized error is returned on errors during authentication (e.g. invalid user,
> malformed authentication token, user's public key not imported in the pod, invalid token signature etc.).

```json
{
  "openapi": "3.1.1",
  "info": { "title": "Login API", "version": "20.14.1" },
  "paths": {
    "/pubkey/authenticate": {
      "post": {
        "summary": "Authenticate with public key",
        "description": "Based on an authentication request token signed by the caller's RSA private key,\nauthenticate the API caller and return a session token.\n\nAn HTTP 401 Unauthorized error is returned on errors during authentication (e.g. invalid user,\nmalformed authentication token, user's public key not imported in the pod, invalid token signature etc.).\n",
        "tags": ["Authentication"],
        "responses": {
          "200": {
            "description": "OK.",
            "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Token" } } }
          },
          "401": {
            "description": "Client is unauthorized to access this resource",
            "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } }
          },
          "403": {
            "description": "Forbidden to access this endpoint.",
            "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } }
          },
          "500": {
            "description": "Server error, see response body for further details.",
            "content": { "application/json": { "schema": { "$ref": "#/components/schemas/Error" } } }
          }
        },
        "requestBody": {
          "content": { "application/json": { "schema": { "$ref": "#/components/schemas/AuthenticateRequest" } } },
          "required": true
        }
      }
    }
  },
  "components": {
    "schemas": {
      "Token": {
        "type": "object",
        "properties": {
          "name": {
            "description": "The name of the header in which the token should be presented on subsequent API calls.\n",
            "type": "string"
          },
          "token": {
            "type": "string",
            "description": "Authentication token that should be passed as header in each API rest calls.\nThis should be considered opaque data by the client. It is not intended to contain any data interpretable by the\nclient. The format is secret and subject to change without notice.\n"
          },
          "authorizationToken": {
            "type": "string",
            "description": "(Beta) Short lived access token built from a user session. This field is still in Beta, please continue using\nthe returned \"token\" instead.\n"
          }
        }
      },
      "Error": {
        "type": "object",
        "properties": {
          "code": { "type": "integer", "format": "int32" },
          "message": { "type": "string" }
        }
      },
      "AuthenticateRequest": {
        "type": "object",
        "description": "Request body for pubkey authentication",
        "properties": {
          "token": {
            "type": "string",
            "description": "a JWT containing the caller's username or application appGroupId and an expiration date, signed by the caller's private key."
          }
        }
      }
    }
  }
}
```

> #### ❗️ Session Token Management
>
> The token you receive is valid for the lifetime of a session that is defined by your pod's administration team. This ranges from 1 hour to 2 weeks.
>
> You should keep using the same token until you receive an HTTP 401, at which point you should re-authenticate and obtain a new token for a new session.
>
> [Datafeeds](https://rest-api.symphony.com/main/datafeed) survive session expiration; you do not need to re-create your datafeed if your session expires.

> #### 🚧 Important
>
> * The following restrictions apply:
>   * The JWT must have an expiration date between the current time and five minutes from the current time.
>   * The JWT must be signed by a private key matching the public key saved for its subject ("sub").
> * For more information on creating and using an RSA session token, refer to [RSA Bot Authentication Workflow](https://docs.developers.symphony.com/building-bots-on-symphony/authentication/rsa-authentication).
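The following Go program is an added example, not code from Symphony or this API reference. It builds the authentication request JWT described above (subject plus an expiration date, signed with the caller's RSA private key) and models the two pod-side checks the restriction list states: the signature must verify against the public key stored for `sub`, and `exp` must fall between the current time and five minutes from now. Assumed details not on the page: the `RS512` signing algorithm, the subject name `bot-service-account`, the four-minute expiry margin, the `lookup` function that stands in for the pod's imported-key store, and the freshly generated key (a real bot loads its own private key).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// maxJWTLifetime is the window the page states: "exp" must lie between now and now+5min.
const maxJWTLifetime = 5 * time.Minute

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// BuildAuthJWT builds the token sent in the "token" field of AuthenticateRequest.
// RS512 (RSASSA-PKCS1-v1_5 over SHA-512) is an assumption; the page does not name
// the algorithm. "exp" is set four minutes ahead so clock skew cannot push it past
// the five-minute limit.
func BuildAuthJWT(priv *rsa.PrivateKey, subject string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS512", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"sub": subject, "exp": now.Add(4 * time.Minute).Unix()})
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(claims)
	digest := sha512.Sum512([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA512, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyAuthJWT models the pod-side checks. lookup returns the public key imported
// for a subject, or nil when none is stored. Each failure maps to one of the 401
// reasons in the endpoint description. The algorithm is pinned to RS512 instead of
// being read from the header, so a caller-controlled "alg" cannot weaken the check.
func VerifyAuthJWT(lookup func(sub string) *rsa.PublicKey, token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed authentication token")
	}
	claimBytes, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed authentication token")
	}
	var claims struct {
		Sub string `json:"sub"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(claimBytes, &claims); err != nil || claims.Sub == "" {
		return "", errors.New("malformed authentication token")
	}
	pub := lookup(claims.Sub)
	if pub == nil {
		return "", errors.New("user's public key not imported in the pod")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", errors.New("malformed authentication token")
	}
	// The signature covers the exact header.payload bytes that were sent.
	digest := sha512.Sum512([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA512, digest[:], sig); err != nil {
		return "", errors.New("invalid token signature")
	}
	// Expiry is checked only after the signature verified, so the claim can be trusted.
	exp := time.Unix(claims.Exp, 0)
	if !exp.After(now) || exp.After(now.Add(maxJWTLifetime)) {
		return "", errors.New("token expiration outside the allowed five-minute window")
	}
	return claims.Sub, nil
}

func main() {
	// Constructed key and subject for the demonstration only.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	lookup := func(sub string) *rsa.PublicKey {
		if sub == "bot-service-account" {
			return &priv.PublicKey
		}
		return nil
	}
	now := time.Now()
	jwt, _ := BuildAuthJWT(priv, "bot-service-account", now)
	fmt.Printf("request body: {\"token\":\"%s\"}\n", jwt)
	sub, err := VerifyAuthJWT(lookup, jwt, now)
	fmt.Println("pod check:", sub, err)
	// Replaying the same JWT six minutes later fails the expiration rule.
	_, err = VerifyAuthJWT(lookup, jwt, now.Add(6*time.Minute))
	fmt.Println("replay after expiry:", err)
}
```

The request body printed by `main` is what the client POSTs to `/pubkey/authenticate`; the `Token` response's `name` field then tells the client which header to carry the returned session token in. Because the JWT is valid for at most five minutes and a captured copy cannot be reused once `exp` passes, a bot should generate a fresh JWT for every authentication attempt rather than caching one.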

*Note that the Session Authenticate endpoint may return an `authorizationToken` (a short-lived access token built from a user session) in addition to the session token. This field has been introduced as beta and should not be used until further notice; please continue using the returned `token` instead.*
