Skip to main content

Multistep Authentication

Multistep Authentication method is a nested or custom authentication. With multistep authentication, the user can provide two or more forms of authentication. A multistep authentication scheme considers using different resources of the same authentication factor to allow a user to access systems or information.

What you'll need

  • DronaHQ Mobile App must be above 8.3.0 and above version for using multi-step OAuth-type > Non-shared credentials connector.

Configuring REST API connector

To add third-party connectors, under DronaHQ > Connectors, click (+) Connector > Connector.

REST API connector
REST API connector

DronaHQ has different options including the use of the REST API and GraphQL that allows you to easily connect to the Third-Party API and database and access important systems. Both of them have a multistep authentication feature. We will be selecting the REST API for this example.

Configure API Category

When configuring the APIs you need to provide the Authentication details for the respective authentication method. Let us see how to configure an API using the multistep authentication method. Once you select the REST API, enter the Connector name which should ideally be self-explanatory.

In the Authentication section, select Multistep Authentication.

Select API Authentication
Select Multistep Authentication

Configure Cookies settings (optional)

In Multistep Authentication, there are two cookie settings available: Forward All Cookies throughout the process, and Follow double submit cookie pattern.

Forward All Cookies

Cookie forwarding is an essential feature in DronaHQ's backend functioning for cookie-based authentication. When a client makes an initial API request, the API responds with a cookie containing an authentication token or session ID, which is retrieved from the response header and stored. DronaHQ then automatically includes and forwards this cookie as a header in all subsequent requests made to that API or connector, ensuring a seamless authentication process.

Forward all cookies
Select Forward all cookies

The "Double Submit Cookie Pattern" is a highly secure option available when configuring Multistep Authentication in DronaHQ. Alongside the "Forward All Cookies" checkbox, you have the option to select this pattern. The concept is straightforward: a random value is generated and sent both as a cookie and as a parameter during API requests. The server ensures that both values match, providing an extra layer of security.

Here's how the process works in DronaHQ: When a session is created from an API request, the received cookie, derived from the session ID, is set in the user's browser. Simultaneously, another cookie containing the CSRF (Cross-Site Request Forgery) token is set. When the user submits a secure form, the token is extracted from the cookie and placed as a hidden input field in the HTML. During server-side processing, the received token in the form parameter is validated against the cookie value, granting authorization for the intended action to be completed. This ensures that the request is legitimate and not susceptible to CSRF attacks.

Follow double submit cookie pattern
Select Follow double submit cookie pattern

Provide the name of the incoming cookie as well as the name and location you want to pass your cookie. This name is usually application dependent.

Configure account-specific fields

Configuring account-specific fields for multistep authentication requires adding:

  • Configure Multistep variables.
  • Configure Auth Flow.
  • Configure Refresh Auth Flow.
  • Update variables.
  • Configure Request Parameter.
  • Sign-in Type.
  • Configure Test API.
  • Add Name for Test API.

Configure Multistep Variables

select Use multistep variables and click on + Add variable to create variable with static value and you can use that variable in Auth Flow and Refresh Auth Flow

Multistep Variables
Multistep Variables

Configure Auth Flow

click on + Add Step to add a Auth steps in auth flow, then you will get options to select from such as

Sample step form
Sample step (Form)
Leveraging Output Variables in Sequential Steps

In this process, each step generates an output variable that can be utilized in the subsequent steps. For example, you can access the value of {{form1.username}} to refer to the username captured in the first form.

After configuring the authentication steps, you can proceed by clicking on Test Auth flow to observe the output of the authentication process in action.

Auth step response
Auth step Response
Allow Clipboard to utilize copy/paste option
allow clipboard.
Allow clipboard
You can copy the step and click on Paste step; this will paste the configuration details copied in your clipboard and implement this as a step in multistep authentication steps as well as for refresh flow but the refresh flow will not accept anything other than API request, JS Code, OAuth v1.0a and SSO Token details.

Configure Refresh Auth Flow

You can configure a set of multiple steps that run automatically after a 401 response when requesting API. This is useful for refreshing a user’s authentication session without them needing to refresh the page.

Update Variables


This section becomes accessible only if the Same as Auth Flow option is not selected.

you need to update the variables from your refresh auth flow output to your actual auth flow output in order to use it in the next step of multistep authentication. Updating variables comes in use when we face an error and the Refresh Auth flow takes action. This creates a new auth token saved in different parameters, so in order to send the new token as a header to test our API endpoint, we need to set the variable’s value of Auth flow the same as of Refresh Auth flow.

To add an Update variable, simply click on + Add variable. On the left side, specify the Auth Flow output variable, and on the right side, provide the corresponding Refresh flow output variable within double curly brackets {{}}. You have the flexibility to update both single-level and nested-level variables.

Update Variables
Update Variables

Configure Request Parameter

This section is to save the authentication token which we get back from the server, as parameters. These parameters will be added into all the API endpoints for all your added Api’s automatically in respective locations (Querystring/header/body).

To add an Request parameter, simply click on + Add parameter.

Request Parameter
Request Parameter

Configure Sign-In Type (optional)

This allows to set the authentication type for the resource API. Sign-In Type supports

  • NTLM Authentication.
  • OAuth V1.0a.
Type NTLM Authentication
Type NTLM Authentication
Type OAuth V1.0a
Type OAuth V1.0a

Configure Test API

Add a simple API endpoint to test user credentials. DronaHQ includes data from your input form in the URL Params by default; click Advanced to customize the API call if your API expects them in the header instead.

Configure Test API for connector
Configure Test API for connector

After ensuring that all the essential configurations are in place, you can simply save your work once it has been successfully tested.

Exploring the Cache Method in Multistep Authentication

DronaHQ maintains two different types of cache data, one in the frontend/browser and one in the backend/ DronaHQ cloud. All the outputs from our auth flow steps – form, API request, OAuth V2, and others- are cached in the frontend securely whereas all the outputs from our auth flow with shared credentials – OAuth V2, OAuth V2 - Client Credentials, OAuth V2 - PKCE- are cached in the backend in this way tokens/outputs are never directly exposed to end user.

You can also clear cached data present in the front end from the Query of the configured connector by clicking on Clear cached auth. It is helpful to either rerun the auth flow or use different credentials other than stored previously

Clear cached auth
Clear cached auth

Managed Auth Screen

We have a toggle button of Show Managed Auth screen during app start under Settings > App Settings > Multistep Auth Connector.

Managed auth screen setting
Managed auth screen setting

By enabling this setting, you gain access to a unified screen that displays all multistep authentication types used in our app. This convenient feature allows you to authenticate all configured services within the app on a single page, streamlining the process and consolidating multistep authentication connectors across various controls.

Additionally, it displays all the Multi-Step Connectors utilized in your app to date. Consider deselecting any unused Multi-Step Connectors within the app.

Managed auth screen preview
Managed auth screen preview
Frequent Authentication Prompts and Potential API Crash

When the toggle is set to OFF, each action on the app screen will prompt for authentication. In situations where a single multistep authentication connector is used across different controls on the same screen, you'll need to authenticate repeatedly for each popup. Neglecting to do so can lead to potential crashes when fetching data from the API endpoint during the authentication process.

However, DronaHQ smartly utilizes previously entered credentials for different screens, provided the connector remains the same. This optimization ensures an enhanced user experience by reducing redundant authentication steps and avoiding unnecessary prompts during multistep authentication.

When a user needs to clear the cached authentication data or switch to different credentials for connector authentication, DronaHQ offers an on-screen action called Navigate to Authentication Screen. This action facilitates the clearing of cached tokens saved in the backend/frontend of the app after successfully authenticating the connector.

Navigate To Authentication screen (Action)
Navigate To Authentication screen (Action)

In the following screen of Configure Action's Fields, you will encounter a dropdown menu where you can choose between two options: Reload App after Authentication or Continue without Reloading.

When set to TRUE, after the user authenticates on the Managed Auth screen and clicks Continue, the app will be reloaded, starting from the beginning. However, if set to FALSE, after the user authenticates on the Managed Auth screen and clicks Continue, the app will resume from where the user left off, and all data will remain unchanged.

Configure Action fields
Configure Action fields
Action Preview
Action Preview

App Publish Screen

While publishing the app, you have the option to either select a used Multistep connector or deselect an unused Multistep connector from the Multistep connector's settings.

App Publish Screen
App Publish Screen

Multistep Auth steps

API Request

To configure the API request and obtain an authentication token from your server, simply provide the URL where you wish to make the request call. This URL will be the endpoint from which you expect to receive the authentication token in response.
API Request
API Request (Auth flow)

Upon configuring the API request, DronaHQ will automatically generate two default variables: body and headers. These variables are essential for passing relevant data to the server and managing the request's headers.

Ensure to fill in the required details correctly, allowing for a seamless authentication token retrieval process from your server.

API Request Response
API Request Response (Auth flow)

Callback Auth

A custom auth type which allows to extract data from query parameters after authorizing the user, which is usually a sign-in to the app's portal. Much similar to the authorization flow of user in OAuth v2.

  • Decode params - when it toggle ON it will decode the query params from the redirect url

    Callback auth
    Callback Auth
Dynamic Output variables

In this Callback Auth, the name of the output variable will change depending on the output received. Therefore, after configuring the callback auth step, it is essential to test the authentication flow by clicking Test Auth flow button to obtain the updated output variables before proceeding with the configuration of the remaining flow.


After selecting the form, you will be prompted to provide various details, including the form modal title and the addition of input keys. These input keys can be of different types, such as text, email, number, and password. The purpose of these input keys is to enable the end-user to provide the necessary information to successfully authenticate with the backend. DronaHQ will automatically generate output variables based on the input fields

You have the flexibility to include multiple input keys in the form, each serving a specific purpose:

  1. Text: Use this for text-only input in the form.

  2. Number: Utilize this for entering numeric values in the form.

  3. Email: Specify this input type to capture email addresses with the correct email ID format.

  4. Password: Save this input type for securely storing password-related information.

    By incorporating these input keys into the form, you can create a robust and user-friendly authentication process that caters to different data requirements.

    Step form

    After configure the form step, click on Test Auth flow it will popup the form modal where user can enter credentials

    Form preview
    Form preview
    Form response
    Form response

JS Code

You can leverage JavaScript's built-in methods to transform the output of the previous authentication step.

Click on + Add More to add the JSCode parameter. Give parameter name and select previous step's output or the multistep variable from the dropdown

Step JS Code
JS Code (Auth flow)

SSO Token

In addition to other methods of multistep authentication, you have the option to include the SSO token as an authentication method. The benefit of using the SSO token is that it requires no additional configuration. All you need to do is select a step with the SSO Token option enabled.

By selecting the SSO Token method, DronaHQ will automatically generate output variables based on the active SSO token in your current account. This streamlines the process and eliminates the need for manual setup.

For a more in-depth understanding of SSO tokens and their usage, you can find detailed information in the provided link. Embracing the SSO token method can simplify your multistep authentication flow while ensuring seamless and secure access to your account resources.

Step SSO Token
SSO Token (Auth flow)