Guide - Intershop Progressive Web App - Authentication by the ICM Server

This document describes the main authentication mechanism when the ICM server is used as the identity provider.
If you need an introduction to this topic, read the Authentication Concept first.

Login

When the user wants to log in, either by clicking a login link or by navigating to the /login route, a popup or a page containing a login form is displayed.
After the user has entered the credentials (e-mail/user name and password) and the ICM server has verified them successfully, a new token is fetched from the ICM /token REST endpoint.
The token of the registered user is stored in the apiToken cookie and attached to the request header of all subsequent REST requests.
After logging in, the pgid of the user is requested from the ICM server (/personalization REST call) and the action personalizationStatusDetermined is triggered.
If you want to request user-specific, non-cached data from the ICM server, use the option sendPGID or sendSPGID, respectively, when calling the get method of the ApiTokenService.


Registration

The registration of a user is similar to the login.
After the user has completed the registration form, the data is validated by the ICM server and a new user is created.
Afterwards, the authentication token is requested from the server and the user is logged in as described above.

Token Lifetime

Each authentication token has a predefined lifetime, so the token has to be refreshed to prevent it from expiring.
Once 75% of the token's lifetime has passed (this threshold can be configured in the OAuth library), an info event is emitted.
This event triggers the refresh mechanism setupRefreshTokenMechanism$ of the OAuth configuration service, which renews the authentication token.
Hence, the token does not expire as long as the user keeps the PWA open in the browser.
Note that the refresh timer only runs while the PWA is open: if the browser tab is closed or the device sleeps for longer than the remaining lifetime, the token expires regardless.
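The timing rule above, as an added example that is not Intershop or OAuth-library code: `refreshAt` computes when the 75% event fires, `decide` classifies a token seen at an arbitrary instant (including the expired case the timer cannot cover), and `simulateSession` runs the renewal loop with an injected clock. The factor 0.75 mirrors the page's "75% of the lifetime"; that it corresponds to the OAuth library's `timeoutFactor` setting is an assumption, as are all function names here.

```typescript
// Added example, not Intershop or OAuth-library code. factor = 0.75 mirrors the "75% of the
// lifetime" threshold described above (assumed to map to the library's timeoutFactor setting).
// Times are milliseconds; the current time is passed in so everything runs offline.

type TokenAction = 'keep' | 'refresh' | 'expired';

// Instant at which the info event fires and setupRefreshTokenMechanism$ renews the token.
function refreshAt(issuedAt: number, expiresAt: number, factor = 0.75): number {
  if (expiresAt <= issuedAt) throw new Error('token lifetime must be positive');
  if (factor <= 0 || factor >= 1) throw new Error('factor must lie strictly between 0 and 1 to leave headroom before expiry');
  return issuedAt + (expiresAt - issuedAt) * factor;
}

// Decision for a token seen at time `now`. 'expired' is the case the timer cannot cover,
// e.g. the tab was closed or the machine slept past the expiry instant.
function decide(now: number, issuedAt: number, expiresAt: number, factor = 0.75): TokenAction {
  if (now >= expiresAt) return 'expired';
  return now >= refreshAt(issuedAt, expiresAt, factor) ? 'refresh' : 'keep';
}

// Runs the renewal loop for a session of `sessionMs` with tokens living `lifetimeMs`.
// Each refresh yields a new token of the same lifetime, issued at the refresh instant.
function simulateSession(lifetimeMs: number, sessionMs: number, factor = 0.75): { renewals: number; validAtEnd: boolean } {
  let issuedAt = 0;
  let expiresAt = lifetimeMs;
  let renewals = 0;
  for (let next = refreshAt(issuedAt, expiresAt, factor); next < sessionMs; next = refreshAt(issuedAt, expiresAt, factor)) {
    issuedAt = next;               // refresh fires while the PWA is open; fresh token issued now
    expiresAt = next + lifetimeMs;
    renewals++;
  }
  return { renewals, validAtEnd: sessionMs < expiresAt };
}
```

With one-hour tokens and a ten-hour session the loop renews 13 times and the last token is still valid when the session ends; `decide` returns 'expired' for a token restored after the page was closed past its expiry, which is where the refresh path does not help and a new (anonymous) token is needed.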


Logout

When the user logs out by clicking the logout link or navigating to the /logout route, the configured logout() function is executed, which calls the revokeApiToken() user service to deactivate the token on the server side.
In addition, the PWA removes the token on the browser side, fetches a new anonymous user token, and stores it in the apiToken cookie.
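The login, pgid and logout steps described in the Login and Logout sections, as an added example that is not Intershop code: a small synchronous client talks to a constructed ICM stand-in, so the exchange can be run offline. The /token request and response payloads, the revoke call (modelled as DELETE /token), the 'authentication-token' header name and the ';pgid=' matrix parameter used to carry the pgid are assumptions for illustration; the cookie name apiToken, the /token and /personalization endpoints and the sendPGID option come from the page.

```typescript
// Added example, not Intershop code: a synchronous model of the login / pgid / logout flow
// described on this page. The /token payloads, the revoke call (DELETE /token), the
// 'authentication-token' header and the ';pgid=' matrix parameter are assumptions for illustration.

interface IcmRequest { method: string; path: string; headers: Record<string, string>; body?: Record<string, string>; }
interface IcmResponse { status: number; body: Record<string, string>; }
type Transport = (req: IcmRequest) => IcmResponse;

const TOKEN_COOKIE = 'apiToken';              // cookie name used by the PWA (from the page)
const TOKEN_HEADER = 'authentication-token';  // assumption: request header that carries the token

// Minimal stand-in for the browser cookie store.
class CookieJar {
  private readonly jar = new Map<string, string>();
  get(name: string): string | undefined { return this.jar.get(name); }
  set(name: string, value: string): void { this.jar.set(name, value); }
  remove(name: string): void { this.jar.delete(name); }
}

class IcmAuthClient {
  private pgid?: string;
  constructor(private readonly transport: Transport, readonly cookies: CookieJar) {}

  // Every REST call carries the current apiToken. With sendPGID the request is additionally
  // bound to the user's personalization group, so ICM answers with non-cached, user-specific data.
  request(method: string, path: string, body?: Record<string, string>, opts: { sendPGID?: boolean } = {}): IcmResponse {
    const headers: Record<string, string> = {};
    const token = this.cookies.get(TOKEN_COOKIE);
    if (token !== undefined) headers[TOKEN_HEADER] = token;
    if (opts.sendPGID) {
      if (this.pgid === undefined) throw new Error('pgid not determined yet (personalizationStatusDetermined pending)');
      path = `${path};pgid=${this.pgid}`;
    }
    return this.transport({ method, path, headers, body });
  }

  // Login: credentials -> /token -> apiToken cookie -> /personalization -> pgid.
  login(username: string, password: string): string {
    const res = this.request('POST', '/token', { grant_type: 'password', username, password });
    if (res.status !== 200) throw new Error(`login rejected by ICM (HTTP ${res.status})`);
    this.cookies.set(TOKEN_COOKIE, res.body.access_token);
    const pgid = this.request('GET', '/personalization').body.pgid;
    this.pgid = pgid;
    return pgid;
  }

  // Logout: revoke on the server, drop the cookie, continue with a fresh anonymous token.
  logout(): void {
    this.request('DELETE', '/token');                      // revokeApiToken()
    this.cookies.remove(TOKEN_COOKIE);
    this.pgid = undefined;
    const anon = this.request('POST', '/token', { grant_type: 'anonymous' });
    this.cookies.set(TOKEN_COOKIE, anon.body.access_token);
  }
}

// Constructed ICM stand-in: issues tokens, forgets revoked ones, gates personalized data on a live token.
function fakeIcm(): Transport {
  const live = new Map<string, string>(); // token -> user name ('' for anonymous)
  let counter = 0;
  return (req) => {
    const body = req.body ?? {};
    const token = req.headers[TOKEN_HEADER];
    const user = token === undefined ? undefined : live.get(token);
    if (req.path === '/token' && req.method === 'POST') {
      const registered = body.grant_type === 'password';
      if (registered && !(body.username === 'alice' && body.password === 'correct horse')) return { status: 401, body: {} };
      const issued = `tok-${++counter}`;
      live.set(issued, registered ? body.username : '');
      return { status: 200, body: { access_token: issued } };
    }
    if (token === undefined || user === undefined) return { status: 401, body: { error: 'invalid or revoked token' } };
    if (req.path === '/token' && req.method === 'DELETE') { live.delete(token); return { status: 204, body: {} }; }
    if (req.path === '/personalization') return { status: 200, body: { pgid: user === '' ? 'pg-anonymous' : `pg-${user}` } };
    if (req.path.startsWith('/basket;pgid=')) return { status: 200, body: { owner: user === '' ? 'anonymous' : user } };
    return { status: 404, body: {} };
  };
}

// Walks through login, a personalized request, logout and a replay of the revoked token.
function walkthrough(): { pgid: string; basketOwner: string; replayStatus: number; anonPgid: string; tokenRotated: boolean } {
  const icm = fakeIcm();
  const client = new IcmAuthClient(icm, new CookieJar());
  const pgid = client.login('alice', 'correct horse');
  const basketOwner = client.request('GET', '/basket', undefined, { sendPGID: true }).body.owner;
  const aliceToken = client.cookies.get(TOKEN_COOKIE) as string;
  client.logout();
  // A stale copy of the revoked token must no longer be accepted by ICM.
  const replayStatus = icm({ method: 'GET', path: '/personalization', headers: { [TOKEN_HEADER]: aliceToken } }).status;
  const anonPgid = client.request('GET', '/personalization').body.pgid;
  return { pgid, basketOwner, replayStatus, anonPgid, tokenRotated: client.cookies.get(TOKEN_COOKIE) !== aliceToken };
}
```

The point to check in a real deployment is the replay step: after logout the old token must be rejected by the server, not merely forgotten by the browser, otherwise a copied apiToken cookie keeps working after the user believes the session is closed.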
