iOS Objective-C: User Sessions

By Martin Walsh

This tutorial shows you how to handle user sessions and retrieve the user's profile. We recommend that you log in to follow this quickstart with examples configured for your account.

System requirements: CocoaPods 1.2.1 | Version 8.3.2 (8E2002) | iPhone 7 - iOS 10.3 (14E269)

Before You Start

Before you continue with this tutorial, make sure that you are using the Swift wrapper and the Auth0 library to handle login. For more information, read the Login guide.

Add the SimpleKeychain Dependency

Integrate the SimpleKeychain library for managing user credentials.


If you are using Carthage, add the following to your Cartfile:

Then, run carthage bootstrap.

For more information on how to use Carthage, read their official documentation.


If you are using CocoaPods, add the following to your Podfile:

Then, run pod install.

For more information on how to use CocoaPods, read the CocoaPods documentation.

Save User Credentials When They Log in

When your users log in successfully, save their credentials. You can then log them in automatically when they open your application again.

Import the Swift wrapper and Auth0 library:

Then, present the hosted login screen:

You need a valid Access Token. You can find the token in the credentials object. To save the Access Token, use an A0SimpleKeychain instance. SimpleKeychain works as a key-value store.

Check for an Access Token When the User Opens Your Application

When the user opens your application, check for an Access Token. If it exists, you can log the user in automatically and redirect them to the app's main flow without any additional login steps.

First, retrieve the Access Token value from the accessToken key in the keychain:

Validate the Access Token

Check if the user's Access Token is still valid. Use Auth0 to fetch the user's profile:

Deal with an Invalid Access Token

Decide how to deal with an invalid Access Token. You can choose between two options:

  • Ask users to re-enter their credentials.
  • Use .renew(withRefreshToken: refreshToken) with a Refresh Token to obtain a new valid Access Token.

If you want to ask your users to re-enter their credentials, clear all the values stored in the keychain:

The rest of this tutorial shows you how to use a Refresh Token to obtain a new Access Token.

The Refresh Token is a token string stored in the Credentials object after a successful login. The Refresh Token doesn't expire.

Even though the Refresh Token cannot expire, it can be revoked. For more information, read the Refresh Token documentation before you proceed with this tutorial.

Store the Refresh Token

If you do not send offline_access as a scope during authentication, the Refresh Token will be nil.

To get a new Access Token, you need to first save the Refresh Token after the user logs in. Go to the section where you're saving the Access Token and update it as follows:

Use the Refresh Token to Obtain a New Access Token

Now, you can use the saved Refresh Token to obtain a new Access Token:

Clear the Keychain When the User Logs Out

When you need to log the user out, remove their credentials from the keychain:

Optional: Encapsulate Session Handling

Handling user sessions is not a straightforward task. You can simplify it by storing token-related information and processes in a class. The class separates the logic for handling user sessions from the View Controller layer.

We recommend that you download the sample project from this tutorial and look at its implementation. Focus on the SessionManager class, which manages the session handling processes.
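
The session flow from the preceding sections, gathered into one class as an added example (it is not the sample project's SessionManager and not Auth0's code). `SessionStore`, the `TokenCheck` and `TokenRenew` blocks that stand in for the Auth0 profile and renewal calls, the `Auth0` service name and the `refreshToken` key are assumptions; only `A0SimpleKeychain` and the `accessToken` key come from this page.

```objective-c
@import Foundation;
@import SimpleKeychain;  // provides A0SimpleKeychain
NS_ASSUME_NONNULL_BEGIN
// Hypothetical block types standing in for the Auth0 calls in this tutorial:
// the profile fetch used as a validity check, and renewal with a Refresh Token.
typedef void (^TokenCheck)(NSString *accessToken, void (^done)(BOOL valid));
typedef void (^TokenRenew)(NSString *refreshToken,
                           void (^done)(NSString * _Nullable newAccessToken));
// Hypothetical class; not the sample project's SessionManager.
@interface SessionStore : NSObject
- (void)saveAccessToken:(NSString *)accessToken
           refreshToken:(nullable NSString *)refreshToken;
- (void)restoreWithCheck:(TokenCheck)check renew:(TokenRenew)renew
              completion:(void (^)(NSString * _Nullable accessToken))completion;
- (void)logout;
@end
NS_ASSUME_NONNULL_END
@implementation SessionStore { A0SimpleKeychain *_keychain; }
- (instancetype)init {
    if ((self = [super init])) {
        // "Auth0" service name and "refreshToken" key are assumed values.
        _keychain = [[A0SimpleKeychain alloc] initWithService:@"Auth0"];
    }
    return self;
}
- (void)saveAccessToken:(NSString *)accessToken refreshToken:(NSString *)refreshToken {
    [_keychain setString:accessToken forKey:@"accessToken"];
    // nil when offline_access was not requested: remove any stale token.
    if (refreshToken) [_keychain setString:refreshToken forKey:@"refreshToken"];
    else [_keychain deleteEntryForKey:@"refreshToken"];
}
- (void)logout { [_keychain clearAll]; }
- (void)restoreWithCheck:(TokenCheck)check renew:(TokenRenew)renew
              completion:(void (^)(NSString *))completion {
    NSString *access = [_keychain stringForKey:@"accessToken"];
    if (!access) { completion(nil); return; }  // nothing stored: show login
    check(access, ^(BOOL valid) {
        if (valid) { completion(access); return; }
        NSString *refresh = [self->_keychain stringForKey:@"refreshToken"];
        if (!refresh) { [self logout]; completion(nil); return; }
        renew(refresh, ^(NSString *fresh) {
            if (fresh) [self->_keychain setString:fresh forKey:@"accessToken"];
            else [self logout];  // renewal refused: wipe and re-authenticate
            completion(fresh);
        });
    });
}
@end
```

A nil result in `completion` means the keychain holds no usable session and the login screen should be shown; a failed renewal clears both tokens so that a revoked Refresh Token is not retried on the next launch.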

Get the User Profile

To get the user profile, you need a valid Access Token.

From the Auth0 module, call the userInfo method that allows you to get the user profile:

Show the User Profile Information

Default information

To show the information contained in the user profile, access its properties, for example:

Read the UserInfo class documentation to learn more about its properties.

Additional information

You can request more information than is returned in the basic profile. To do this, add userMetadata to the profile.

Update the User Profile

You store additional user information in the user metadata. Perform a patch:

Retrieve User Metadata

The user_metadata dictionary contains fields related to the user profile. These fields can be added from the client side (for example, when the user edits their profile).

You can specify the fields you want to retrieve, or use an empty array [] to pull back the complete user profile.

Retrieve the user_metadata dictionary:

Access the user's metadata. You can choose the key names and types for the user_metadata dictionary.
