
API Viewers need to reauthenticate if their login credentials change

Action Required
July 9, 2024, 3:54 p.m.

If an API Viewer changes either their email address or their password, Kraken will now:

  • register a logout event for that API Viewer
  • invalidate any outstanding refresh tokens

Previously, a refresh token issued before the change stayed usable, so a client could keep obtaining new access tokens without the user logging in again. Now every outstanding refresh token is invalidated at the moment the email or password changes, so sessions established with the old credentials cannot be kept alive and the API Viewer must reauthenticate. This may require front-end changes. Check with your consumer site or mobile app lead to confirm.

Example frontend changes for Blueprint

These are the steps Blueprint (our example project) now takes when this happens:

  1. show a message telling the user that they will have to log in again if they change their email or password
    (see our examples on the personal details page - try typing a change to the email address to see the message appear)
  2. once the email or password has been changed, make a request that triggers a check of the existing token
  3. check the response for the resulting authentication error
  4. remove the existing session cookies
  5. redirect to login, then recover (return the user to where they were once they have logged in)
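The flow above, as an added client-side example. This is not Blueprint's or Kraken's own code: the cookie names, the `/login?next=` route, the `errorClass` field on GraphQL errors and the sample responses are all assumptions made for illustration. Browser side effects (setting cookies, navigating) are injected so the logic can be run and tested outside a browser; the `safeReturnPath` check is the caveat a practitioner would want, since a "return to where you were" parameter that accepts arbitrary URLs becomes an open redirect.

```javascript
// Added example, not code from Blueprint or Kraken. The cookie names, the
// /login?next= route and the GraphQL error shape below are assumptions.

const SESSION_COOKIES = ["sessionid", "csrftoken"]; // assumed cookie names

// Step 1: the notice shown next to the email/password field.
function credentialChangeNotice(field) {
  return `Changing your ${field} signs you out of all sessions; you will need to log in again.`;
}

// Step 3: does this response mean the token (or refresh token) is no longer valid?
// Assumption: either HTTP 401, or a GraphQL error tagged with
// extensions.errorClass === "AUTHENTICATION". Adjust to the API's real error shape.
function isAuthError(response) {
  if (response.status === 401) return true;
  const errors = response.body && Array.isArray(response.body.errors) ? response.body.errors : [];
  return errors.some((e) => e.extensions && e.extensions.errorClass === "AUTHENTICATION");
}

// Only same-site relative paths may be used as the post-login return target.
// Protocol-relative ("//host") and absolute URLs collapse to "/", so the recovery
// redirect cannot be turned into an open redirect.
function safeReturnPath(path) {
  if (typeof path !== "string" || !path.startsWith("/") || path.startsWith("//") || path.startsWith("/\\")) {
    return "/";
  }
  return path;
}

// A document.cookie string that expires the named cookie (step 4).
function expiredCookie(name) {
  return `${name}=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Lax`;
}

// Steps 2-5 once the email/password mutation has succeeded. `probeResponse` is the
// result of the follow-up request that exercised the existing token (step 2);
// `deps` injects setCookie/navigate/currentPath so the flow runs outside a browser.
function afterCredentialChange(probeResponse, deps) {
  const { setCookie, navigate, currentPath } = deps;
  if (!isAuthError(probeResponse)) {
    return { reauthRequired: false, loginUrl: null };
  }
  SESSION_COOKIES.forEach((name) => setCookie(expiredCookie(name)));              // step 4
  const loginUrl = `/login?next=${encodeURIComponent(safeReturnPath(currentPath))}`; // step 5
  navigate(loginUrl);
  return { reauthRequired: true, loginUrl };
}

// Browser wiring (not executed here):
// afterCredentialChange(resp, {
//   setCookie: (c) => { document.cookie = c; },
//   navigate: (u) => window.location.assign(u),
//   currentPath: window.location.pathname,
// });

// Constructed sample responses so the file runs stand-alone.
const SAMPLE_401 = { status: 401, body: null };
const SAMPLE_GRAPHQL_AUTH_ERROR = {
  status: 200,
  body: { data: null, errors: [{ message: "Token is not valid", extensions: { errorClass: "AUTHENTICATION" } }] },
};
const SAMPLE_OK = { status: 200, body: { data: { viewer: { id: "1" } } } };

// Runs the 401 case with recording side effects and returns what happened.
function demo() {
  const cleared = [];
  const visited = [];
  const deps = { setCookie: (c) => cleared.push(c), navigate: (u) => visited.push(u), currentPath: "/account/details" };
  const result = afterCredentialChange(SAMPLE_401, deps);
  return { result, cleared, visited };
}

console.log(credentialChangeNotice("email address"));
console.log(JSON.stringify(demo(), null, 2));
```

`demo()` stands in for the browser: the 401 case clears both assumed cookies and navigates to `/login?next=%2Faccount%2Fdetails`; a successful probe leaves the session untouched.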