Skip to content

User Authentication

Jump to bottom
Luke edited this page Aug 31, 2020 · 10 revisions
Note The Emby API supports two different authentication schemes.

This page describes User Authentication. Please also see

API Key Authentication

Authorization Request Header

Add the following request header on every request:

Authorization=Emby UserId="e8837bc1-ad67-520e-8cd2-f629e3155721",

Client="Android", Device="Samsung Galaxy SIII", DeviceId="xxx", Version="1.0.0.0"

Parameter Value
UserId The Id of the current logged in user (if there is one)
Client The type of client (Android, Dashboard, Dlna, iOS, PC, WindowsPhone, WindowsRT, other)
Device The product name of the device
DeviceId The device's unique id
Version The client application version

The dashboard currently displays customized icons for the following clients: Android, Chromecast, Dashboard, Dlna, iOS, Emby Theater, Emby Classic, Roku, Windows Phone, Windows RT, Kodi (Formerly known as Xbmc)

User Login

Make a call to /Users/Public to get all public users.

Public users are users that the server admin has allowed to be displayed visually on the login screen. This can be managed by the server administrator by editing user permissions for each user.

If there are records returned, the app has the option of displaying the users in a visual login screen. This is up to the application developer to decide. If there are no records returned then present a username/password text entry form.

For each user, if PrimaryImageTag has a value, that indicates the user has an image. The image can then be downloaded using /Users/{Id}/Images/{Type}. See images.

Each user has a HasPassword property. This is used to determine if the user should be prompted to input a password. The application must authenticate regardless of this value.

Authenticating a user

Authenticate using /Users/AuthenticateByName. A 200 status code indicates success, while anything in the 400 or 500 range indicates failure.

The password must be sent in the body:

  • pw - password in plain text

  • The return result object will have an AccessToken property. This should be included in all subsequent Http requests using the header X-Emby-Token.

  • If the user explicitly logs out, send a POST to /Sessions/Logout. This will revoke your access token. If the user closes the app without logging out, you can skip this and save the token for future use.

  • During normal application usage, if any http requests fail with a 401 response status code, this is generally an indication that the access token has been revoked. The user should be redirected back to the login screen.

  • For applications that support connectivity to multiple servers, the token should be saved along with the server's Id in order to avoid sending the wrong token to a particular server. The server Id is part of the SystemInfo object which can be retrieved from /System/Info.

Parental Control

See Parental-Control

Emby Home   |   Latest News   |   Emby Downloads   |   Emby Community Forums   |   © 2019 Emby LLC

Menu

Authentication

API Workflow

Media Streaming

Server Plugin Development

Web Client Development

Clone this wiki locally