Important Notes
Last updated: Feb 5, 2020
It is very important to fully understand how Meveto works and to implement all of our recommended steps in your Meveto integration. Meveto cannot help your application secure its users if your integration is incorrect or ignores vital recommendations. Take a fortress as an example: if one of its walls is weak, it does not matter how thick, strong and high the front door is. Similarly, your application is only as secure as the weakest attack surface it exposes.
Identify users by Meveto ID
Your application must always identify users by their Meveto ID when managing authentication and authorization. Meveto returns a unique ID to your application when a user successfully completes authentication. Meveto user IDs are unique and never change, so your application can rely on them to identify users. A Meveto user ID is a string, usually made up of digits between 1 and 9; a typical Meveto user ID looks like 123456789.
Make sure Meveto can log a user out
Meveto allows its users to log out of applications from their dashboard. When a user requests a logout from your application, Meveto informs your application of the logout request through a webhook call. You must ensure that your application can properly receive and process logout requests from Meveto. Read here for details on how to process logout webhook calls.
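The server-side part of handling such a request, as an added example that is not Meveto's code or part of this page: once the webhook has been verified and the Meveto ID extracted (the payload format and verification steps are documented on the linked page and are not assumed here), every session belonging to the mapped user is terminated. The user and session stores are constructed in memory for illustration.

```python
# Constructed in-memory stores for this added example (not Meveto's code).
# Meveto IDs are stored and compared as strings.
USERS = {
    1: {"username": "alice", "meveto_id": "123456789"},
    2: {"username": "bob", "meveto_id": "234567891"},
}
SESSIONS = {
    "sess-a": {"user_id": 1},
    "sess-b": {"user_id": 1},
    "sess-c": {"user_id": 2},
}


def process_logout_webhook(users: dict, sessions: dict, meveto_id: str) -> int:
    """Terminate every active session of the user identified by meveto_id.

    Assumes the webhook has already been verified and the Meveto ID has been
    extracted as a string. Returns the number of sessions revoked. An unknown
    ID revokes nothing and is not an error, so the webhook can be acknowledged
    idempotently even if it is delivered more than once.
    """
    target = next(
        (uid for uid, user in users.items() if user["meveto_id"] == meveto_id),
        None,
    )
    if target is None:
        return 0
    # Collect first, then delete, so the dict is not modified while iterating.
    stale = [sid for sid, sess in sessions.items() if sess.get("user_id") == target]
    for sid in stale:
        del sessions[sid]
    return len(stale)
```

Revoking all of the user's sessions, not just the one that initiated the request, is what makes the dashboard logout meaningful: the user is asking Meveto to end their access to the application, wherever it is currently open.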
Disable other login methods
You must disable any other login methods, especially passwords, for users who have started using Meveto with your application. If your application already has many users when you integrate Meveto, you of course cannot disable the old login methods for all users, since not all of them will be using Meveto yet. But you can easily implement logic that identifies the users who have started using Meveto with your application and disables all other login methods for them, ensuring their accounts can only be accessed through Meveto.
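One way to implement that logic, as an added example that is not Meveto's code or part of this page: the password login path checks whether the account is already linked to a Meveto ID before it even verifies the password, so a linked account cannot be signed in with a password no matter what is entered. The user store and the PBKDF2-based password records are constructed for illustration.

```python
import hashlib
import hmac
import os


def make_password_record(password: str) -> dict:
    """Constructed helper: salted PBKDF2-SHA256 password record for the demo store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "hash": digest}


# Constructed in-memory user store (not Meveto's code). meveto_id is None
# until the user starts using Meveto with the application.
USERS = {
    "alice": {"password": make_password_record("correct horse"), "meveto_id": None},
    "bob": {"password": make_password_record("battery staple"), "meveto_id": "123456789"},
}


def password_login_enabled(user: dict) -> bool:
    """Password login stays available only while the account has no Meveto ID."""
    return user.get("meveto_id") is None


def authenticate_with_password(users: dict, username: str, password: str) -> str:
    """Return 'ok', 'meveto_only' or 'invalid'.

    The Meveto check runs before the password is verified, so a linked account
    is refused even when the supplied password is correct.
    """
    user = users.get(username)
    if user is None:
        return "invalid"
    if not password_login_enabled(user):
        return "meveto_only"
    record = user["password"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 100_000)
    if hmac.compare_digest(candidate, record["hash"]):
        return "ok"
    return "invalid"


def link_meveto(users: dict, username: str, meveto_id: str) -> None:
    """Assigning a Meveto ID is the single switch that turns other login methods off."""
    users[username]["meveto_id"] = meveto_id
```

Keying the decision on the presence of a Meveto ID, rather than on a separate "password disabled" flag, means there is no second setting that can drift out of sync with the user's actual Meveto status.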
Allow users to synchronize with Meveto
When Meveto returns a user ID after successful authentication but your application cannot map it to a user (this will always be the case the first time a user logs in to your application using Meveto), you should allow the user to synchronize their account at your application with that Meveto ID. For this, your application should store the Meveto ID, allow the user to log in to an existing account or create a new account, and then assign the Meveto ID to that user. The next time Meveto returns that user ID to your application, it will map to a user and you can process their login directly.
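The lookup-by-Meveto-ID rule from the "Identify users by Meveto ID" section and the synchronization flow described here, as one added example that is not Meveto's code or part of this page. The Meveto ID is stored and matched as an exact string and never converted to a number; when no user matches, the ID is parked in the session until the user has logged in to an existing account or created one, and only then is it assigned. The user store and session dict are constructed for illustration.

```python
# Constructed in-memory user store for this added example (not Meveto's code).
# Meveto IDs are strings and are only ever compared as strings.
USERS = {
    1: {"username": "alice", "meveto_id": "123456789"},
    2: {"username": "bob", "meveto_id": None},
}


def find_user_by_meveto_id(users: dict, meveto_id: str):
    """Return the local user id whose stored Meveto ID exactly equals meveto_id, else None."""
    if not isinstance(meveto_id, str) or not meveto_id:
        return None
    for user_id, user in users.items():
        if user["meveto_id"] == meveto_id:
            return user_id
    return None


def handle_meveto_callback(users: dict, session: dict, meveto_id: str) -> str:
    """Called once Meveto has returned the authenticated user's ID.

    Returns 'logged_in' when the ID maps to a user, or 'sync_required' when it
    does not (always the case on a user's first Meveto login). In the latter
    case the ID is parked in the session until the user proves which local
    account it belongs to.
    """
    user_id = find_user_by_meveto_id(users, meveto_id)
    if user_id is not None:
        session["user_id"] = user_id
        return "logged_in"
    session["pending_meveto_id"] = meveto_id
    return "sync_required"


def synchronize_account(users: dict, session: dict, user_id: int) -> bool:
    """Assign the parked Meveto ID to user_id.

    user_id must come from a login or registration the user has just completed
    with an existing method. Returns False if nothing is pending or the ID is
    already assigned to a different account, so one Meveto ID can never end up
    attached to two local users.
    """
    pending = session.pop("pending_meveto_id", None)
    if pending is None:
        return False
    existing = find_user_by_meveto_id(users, pending)
    if existing is not None and existing != user_id:
        return False
    users[user_id]["meveto_id"] = pending
    session["user_id"] = user_id
    return True
```

Popping the pending ID out of the session before using it guarantees it is consumed exactly once, and the duplicate-assignment check protects the uniqueness the page relies on: after synchronization, a Meveto ID resolves to exactly one account.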
Always use the state parameter
Your application must always use the state parameter in its OAuth communication with Meveto. Learn more about the state parameter and how to use it.
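What "using the state parameter" amounts to on the application side, as an added example that is not Meveto's code or part of this page: a fresh unguessable value is generated per authorization attempt, bound to the user's session, sent on the authorization URL, and then checked on the callback with a constant-time comparison, single use and a short lifetime. The authorize endpoint URL, client ID and redirect URI below are placeholders, not Meveto's real values.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode

# Placeholder endpoint for illustration only; use the endpoint from Meveto's
# OAuth documentation in a real integration.
AUTHORIZE_URL = "https://example.invalid/oauth/authorize"
STATE_TTL_SECONDS = 600


def begin_authorization(session: dict, client_id: str, redirect_uri: str, now=None) -> str:
    """Generate a state value, bind it to this session, and build the authorization URL."""
    state = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session["oauth_state"] = state
    session["oauth_state_issued"] = time.time() if now is None else now
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def verify_callback_state(session: dict, returned_state, now=None) -> bool:
    """Accept the callback only if its state matches the one bound to this session.

    The stored value is removed before comparison, so a replayed callback with
    the same state is rejected, and a stale state past STATE_TTL_SECONDS fails
    even when it matches.
    """
    expected = session.pop("oauth_state", None)
    issued = session.pop("oauth_state_issued", None)
    if expected is None or issued is None or not isinstance(returned_state, str):
        return False
    current = time.time() if now is None else now
    if current - issued > STATE_TTL_SECONDS:
        return False
    # Compare as bytes so a non-ASCII value cannot raise instead of failing.
    return hmac.compare_digest(expected.encode(), returned_state.encode())
```

Only after `verify_callback_state` returns True should the application exchange the returned code; a callback whose state does not match the session that started the flow is discarded without touching the code at all.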