createToken — Retrieving the token for single sign-on authentication
SiteLock enables secure single sign-on (SSO) authentication via a one-time redirect authorization code that allows a user to be authenticated into the SiteLock Dashboard for a session.
Retrieve the authentication redirect URL for the end user’s account by making a request to the createToken endpoint.
This API call is typically made by a partner’s backend service when the user initiates an SSO action from the partner’s site. The redirect URL returned allows the user to be redirected to the SiteLock Dashboard.
The redirect link returned by this API is single-use and valid for 5 minutes. Generate it only on demand; do not pre-generate or store it.
The read-only API endpoint is:
The /v1/partner and /v1/partner/createToken endpoints are aliases.
Authentication
Partner API requests are authenticated using OAuth 2.0.
The OAuth access token must be included in the request headers.
Example:
Authorization: Bearer {access_token}
Request format
- SiteLockOnlineRequest: This element is used to delineate the full API request.
- authentication: The partner’s username, password, and branding.
  - username: The partner’s API username
  - password: The partner’s API password
- createToken: The method name
  - account_id: The account ID to be authenticated.
The createToken endpoint requires authentication.
You can authenticate using an OAuth access token (see OAuth 2.0 Client Credentials flow) or by providing the legacy authentication element in the request payload.
OAuth is recommended for new development, as legacy authentication is planned for deprecation in a future release.
Example request
OAuth 2.0 method
<SiteLockOnlineRequest>
<createToken>
<account_id>570</account_id>
</createToken>
</SiteLockOnlineRequest>
Legacy authentication method
<SiteLockOnlineRequest>
<authentication>
<user>Username</user>
<password>Password</password>
</authentication>
<createToken>
<account_id>570</account_id>
</createToken>
</SiteLockOnlineRequest>
Response format
- SiteLockOnlineResponse: This element is used to delineate the full API response.
  - loginURL: The one-time redirect URL used to initiate authentication in the SiteLock Dashboard.
The response includes the following authentication elements:
- code: A 32-character hexadecimal string that serves as a one-time authorization code.
- code_verifier: A 64-character hexadecimal string used to verify the authorization code.
Using the authorization code
The value returned in loginURL is a one-time-use redirect link that is valid for 5 minutes.
Requirements for using the link:
- The link must be used within 5 minutes.
- The link must not be cached or stored.
- The link can only be used once.
Example redirect:
https://secure.sitelock.com/rlogin.php?code=abcdef123456
When the user is redirected to this URL:
- The SiteLock Dashboard validates the authorization code.
- The code is exchanged internally for an access token.
- A Dashboard session is created for the specified account.
The authorization code is not an access token and cannot be reused or used outside of this flow.
Redirecting to a specific site
To display data for a specific SiteLock site ID, include &site_id=xxxxx in the URL:
https://secure.sitelock.com/rlogin.php?code=1234&site_id=5678
If the site ID is invalid or missing, the first site in the account’s list will be displayed by default.
Redirecting to a specific page
To take the user directly to a specific Dashboard page, include both site_id and page parameters:
https://secure.sitelock.com/rlogin.php?code=abcdef1234567890abcdef1234567890&code_verifier=abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890&site_id=5678&page=ssl_monitor
Supported page parameters
The following page values can be used to navigate the user to specific sections of the SiteLock Dashboard:
- wizard
- firewall_cdn
- smart_file
- smart_database
- smart_patch
- backup
- vulnerability_scan
- xss
- sql_injection
- platform_scan
- webpage_scan
- ssl_monitor
- email_reputation
- riskscore
- pci
If no page parameter is provided, the user will be taken to the default SiteLock Dashboard.
The verify_domain_email parameter will currently redirect users to the same location as wizard until its dedicated page is live.
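The following is an added example of how a partner backend might drive this flow end to end: build the OAuth-style createToken request body, pull loginURL out of the response, and append site_id and page to the one-time link only when page is on the supported list above. It is not SiteLock's own code; the endpoint URL (which this page does not state) is a placeholder, and the response below is a constructed sample with dummy code values.

```python
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Optional

# Placeholder: the page does not give the endpoint URL, so substitute the real one.
CREATE_TOKEN_URL = "https://api.example.invalid/v1/partner/createToken"

# The `page` values the page lists as supported; anything else is rejected.
SUPPORTED_PAGES = {
    "wizard", "firewall_cdn", "smart_file", "smart_database", "smart_patch",
    "backup", "vulnerability_scan", "xss", "sql_injection", "platform_scan",
    "webpage_scan", "ssl_monitor", "email_reputation", "riskscore", "pci",
}

def request_headers(access_token: str) -> dict:
    """OAuth 2.0 headers; the bearer token replaces the legacy <authentication> element."""
    return {"Authorization": "Bearer " + access_token, "Content-Type": "application/xml"}

def build_request(account_id: int) -> bytes:
    """Serialize <SiteLockOnlineRequest><createToken><account_id>...</account_id>..."""
    root = ET.Element("SiteLockOnlineRequest")
    ET.SubElement(ET.SubElement(root, "createToken"), "account_id").text = str(account_id)
    return ET.tostring(root)

def parse_login_url(response_xml: bytes) -> str:
    """Extract loginURL from a SiteLockOnlineResponse; fail loudly if it is missing."""
    root = ET.fromstring(response_xml)
    if root.tag != "SiteLockOnlineResponse":
        raise ValueError("unexpected root element %r" % root.tag)
    node = root.find("loginURL")
    if node is None or not node.text:
        raise ValueError("response contains no loginURL")
    return node.text.strip()

def with_target(login_url: str, site_id: Optional[int] = None, page: Optional[str] = None) -> str:
    """Append site_id/page to the one-time link; page requires site_id and an allow-listed value."""
    if page is not None and site_id is None:
        raise ValueError("page requires site_id")
    if page is not None and page not in SUPPORTED_PAGES:
        raise ValueError("unsupported page %r" % page)
    parts = urllib.parse.urlsplit(login_url)
    query = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    if site_id is not None:
        query.append(("site_id", str(site_id)))
    if page is not None:
        query.append(("page", page))
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))

# Constructed sample response (not a real SiteLock reply); the code value is a dummy.
SAMPLE_RESPONSE = b"""<SiteLockOnlineResponse>
  <loginURL>https://secure.sitelock.com/rlogin.php?code=abcdef123456</loginURL>
  <code>abcdef123456</code>
</SiteLockOnlineResponse>"""
```

Call build_request and parse_login_url at the moment the user clicks the SSO link, hand the result of with_target straight to the redirect response, and never log or persist it.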