---
descriptions:
  authentication:
    grant_type: >-
      A string constant that distinguishes the method by which your application
      will receive an access token.
    ip_address: >
      The IP address of the request from the user who is attempting to
      authenticate.


      Refer to your web framework or server documentation for the correct way to
      obtain the user’s actual IP

      address. If your application receives requests from a reverse proxy, you
      may need to retrieve this from

      a special header like `X-Forward-For`.
    user_agent: >
      The user agent of the request from the user who is attempting to
      authenticate. This should be the value

      of the `User-Agent` header.
    invitation_token: >
      The token of an [invitation](/reference/authkit/invitation). The
      invitation should be in the pending state.


      When a valid invitation token is specified, the user is able to sign up
      even if it is disabled in the environment. Additionally, if the invitation
      was for a specific organization, attaching the token to a user's
      authenticate call automatically provisions their membership to the
      organization.
    organization_id: >
      The ID of the [organization](/reference/organization) the user selected to
      sign in to.


      If the user is a member of multiple organizations, this is the ID of the
      organization the user
      [selected](/reference/authkit/authentication/organization-selection) as
      part of the authentication flow. If the user is a member of only one
      organization, this is the ID of that organization. If the user is not a
      member of any organizations, this is omitted from the response.
    pending_authentication_token: >-
      The authentication token returned from a failed authentication attempt due
      to the corresponding error.
    authentication_method: The authentication method used to initiate the session.
    access_token: |
      A JWT containing information about the current session.
    seal_session: Whether or not to include the sealed session data in the return value.
    cookie_password_seal: >-
      Password used to the seal the session cookie. Can alternatively be
      specified as the `WORKOS_COOKIE_PASSWORD` environment variable.
    sealed_session: >-
      The sealed session data to be set as a cookie in the user's browser. Only
      returned if the seal session parameter was true.
  refresh_token_authentication:
    organization_id: >
      The ID of the [organization](/reference/organization) the user is signed
      in to.


      If the request specified a valid `organization_id`, this is that value.
      Otherwise, this is the ID for the organization the session most recently
      used. If the session never used an organization, it is omitted from the
      response.
originalPath: >-
  .tmp-workos-clone/packages/docs/content/reference/authkit/authentication/index.mdx
---

# Authentication

Authenticate a user with a specified authentication method.