User roles and authentication

Hi,

We are creating a website that is going to create the user and, after payment, create the license for the user; this license is then used on a desktop application that is another application. We would need to authenticate the user to be able to create a license and retrieve user information on the webpage.

The website/app is going to be a React app and will be a Next.js setup where we are able to create our own "backend" routes, aka fetch endpoints, that can run on the V8 web engine (edge) or in Node. In the React app we can call our own endpoints or go straight to the Cryptlex endpoints.

The idea would now be to use a cookie, for example, to store the user accessToken after login. Then perform user-specific queries with the accessToken, for example retrieving the user info for the /profile page and creating a license if payment to a payment provider is a success. I understand that the user accessToken will only be able to get data for the specific user in question and no data from another user?

This again would mean the user role should be extended with these kinds of permissions. We have a super admin, but it seems that we could not add user permissions to the user role even with the super admin. I am also an admin at our account and can't extend the user that was created by default at the start of the account: "You don't have the required permissions. Please contact your admin." Why is this?

Could this work as a setup or how should we look at this kind of setup where the website uses your authentication and web/api?

Hi Patrick,

Yes, that is correct.

You need to create proxy endpoints in your backend which will use the personal access token to create the license using /v3/licenses. You can add restrictions in this endpoint to prevent users from accessing licenses etc.

Regards,
Adnan

Thanks for the reply.

Ok we could probably use personal access tokens via the “proxy” endpoints.

Just to confirm so I can have the mental model correct here:

  1. I did a login for a user via Insomnia and got the user's accessToken.
  2. Made a request for the user info with the retrieve user endpoint of the Cryptlex Web API and used the newly created accessToken from the login, but got an error message saying:
     { "message": "Invalid access token or required permissions are missing!" }

So instead of using the user's own accessToken I need to use a Personal Access Token with proper permissions to authenticate and retrieve the user, as this REST endpoint also takes an accessToken in the header. And this way I am not trying to extend the user's permissions but using a Personal Access Token specified for this request?

Hello @patrik

If you would like to get on a call with me to talk about your use case in detail, please book a slot at Calendly - Cryptlex, LLC.

From what I can understand, you will create a User in Cryptlex for every signup, and then your customer logs into a website/portal using v3/login wherein they can view their profile details using the v3/me endpoint.

Furthermore, that User, after successfully completing a payment on your payment provider from within your portal, should be able to view their license in the website/portal afterwards, which will have the following flow:

  1. Send webhook to your server (or serverless function) on payment success.
  2. On the server/serverless function, use a Personal Access Token to create a license, and link it to the User.
  3. On the web portal, use the v3/me/licenses endpoint with the logged-in User accessToken to view the linked license.

You could also use our Customer Portal for some of these use cases. I’ll be glad to give you a demonstration of how it works.

Let me know if this answers your questions.

Regards
Azan


Hi Patrick,

The access token you get from your customer login, gives you access to a few endpoints starting with /v3/me/… prefix.

For example /v3/me/licenses. Please refer to the following:

https://api.cryptlex.com/v3/docs#tag/Users/operation/get/v3/me

Ok guys, thanks, that endpoint looks better for the use case. Let me get back to you @azan, we might need that demo, but mainly it might be a custom solution.

Looking forward to it

Hi,

I am a colleague of Patrik and I would like some additional help with a problem I am stuck on.

My problem is that I can't log in via POST request to https://api.cryptlex.com/v3/accounts/login. I have created a user via https://api.cryptlex.com/v3/users and I can see the user in the Dashboard. However, when I try to log in the user with /accounts/login I get 400 with message "Authentication Failed. Please try again!". Looking at the docs, there should be no bearer token for auth, right? What am I missing?

It was probably a missing required field, which was accountId. Maybe that is a required field for v3/accounts/login?

Yes, that is a required field - either provide accountId or accountAlias.