Note: Technical docs in poq docs may not remain accurate; this will be accurate within the SDK

The PoqSDK uses the Authenticator to authenticate requests and handle auth errors returned from the backend. The Account SDK injects the PoqAccountAuthenticator with the following flow.



The iOS app makes no upfront attempts to authorise the user. User authorization only happens as a result of a 401 response or user action.

The /account/login and /account/register endpoints return new tokens to authenticate and log in users.

If any endpoint returns a 401 the user's token is refreshed using either the /account/refresh-token or /account/guest-token endpoint. If the refresh fails the user is silently logged out.

When a user takes action to log out the app calls the /account/logout endpoint, clears the user, and generates a new PoqUserId. The user is logged out regardless of the logout response.


Guest users are authenticated using the /account/guest-token endpoint. If the backend returns a 401 and the user has no token, a token is retrieved from the this endpoint.


Apps that update to the Account SDK from the legacy authentication flow can migrate their existing logged in users using the /account/migrate endpoint. This endpoint is a placeholder for a bespoke implementation that must be created on your clients backend.

When the backend returns a 401 existing credential users use this endpoint to migrate. If this endpoint is not implemented or fails the user is silently logged out.