Accessing the LoginRocket API

This document covers how to make requests with the LoginRocket API (via * To access the AuthRocket APIs, see Accessing the AuthRocket APIs.

Enabling the LoginRocket API

The LoginRocket API uses the same initial setup as LoginRocket Web.

LoginRocket requires a configured Domain (see Realm -> Settings -> Domains) and an active Connected App (Settings -> Connected Apps).

For most uses, you’ll also need to configure one or more CORS origins (Settings -> CORS Origins).

API Endpoint

The LoginRocket API is https only. TLS 1.2+ is required.

The endpoint to use is based on your LoginRocket URL. In the AuthRocket portal, go to Realm -> Integration -> Using LoginRocket and look for the LoginRocket URL.

The LR API is always accessed using the /v2/ path. For example:

You may also use any configured custom domain. That might look like

Making Requests

CORS is supported and all modern browsers will require it. Add your app’s domains at Settings -> CORS Origins. Paths are not required, but non-default port numbers are. Examples: or http://localhost:4000 (during development).

Calls to the LoginRocket API are tightly rate limited to prevent abuse.

Request Headers


The API only sends JSON responses. All API requests must indicate that they are requesting JSON payloads:

Accept: application/json


The LoginRocket API’s error messages may be localized. See localization for more details and supported locales.

Accept-Language: en


Because these are user-facing APIs, no API-level authentication is required. APIs calls are associated with the proper realm based on the endpoint’s domain.

Some APIs require an AuthRocket session ID. However, this is always provided as part of the query, not as a request header.

Content type

Payloads sent to the API via POST requests may be sent as JSON or as standard url-encoded form data.

Content-type: application/json
Content-type: application/x-www-form-urlencoded

User agent

Login sessions record the user’s client, when available. Browsers generally set this by default. If you’d like to override it, or are using the API from another platform, send a meaningful User-Agent header.

User-agent: <Browser, library, or app information>

If you’re writing an LoginRocket library for use by 3rd-parties, please contact us for further guidance on how to best capture user client information alongside library-specific information (so we can reach out in the event we see something that needs to be addressed).

Response Headers

Content type

Responses from the API will indicate the delivery of a JSON payload:

Content-type: application/json

Request ID

All API responses will include X-Request-ID, which is unique to each request. If you have a question about a specific API call, sending the request ID will make it much easier for us to help you debug the issue.

X-Request-ID: rq_0vdbINw16QhITBp4iBhgX4


API responses all deliver an appropriate HTTP Status: header. The numeric portion of this status code should be checked before attempting to parse the body response. See Status codes for more details.