webCOMAND

Login Web Service

Login is used to establish a user session to determine authorizations and link subsequent requests. The response provides a user session key required by other web services.

Three types of authentication are supported: Password, Token and OAuth2.

Password authentication is useful when the user, website or application requires a user to log in with a valid COMAND repository username and password. The web services then gain the same authorizations that the user has when accessing the repository. If a COMAND user login and authorizations are not appropriate, password authentication can still be used, but it should be performed on the server side so that the username and password are not exposed. Only the session key will be exposed.

Token authentication is often more secure than password authentication because tokens are typically a longer, more random string of characters than a username and password. It also allows multiple tokens per user account that can be independently managed and expired, all without exposing the associated username and password.

OAuth2 is useful when the website or application does not require a COMAND user login for its users, but instead uses the website, application or a third-party service (e.g. Facebook, Twitter or Google) to authenticate on behalf of a user. This is known as "delegated access", and uses OAuth 2.0.

OAuth login requests should happen server-side because the client ID and secret should be kept private and never revealed to the client or end-user.
OAuth documentation needs to be filled out once implemented. Also consider SASL.

Request

  • authentication: 'password' | 'token' | 'oauth' – Specifies the type of authentication to use. Each type requires additional parameters.
    • 'password' authentication requires:
      • username: '<username>' – Specifies the username as a plain-text string.
      • password: '<password>' – Specifies the password as a plain-text string. The request should be made over HTTPS (SSL) for network security.
    • 'token' authentication requires:
      • token: '<token>' – Specifies the User Token as a plain-text string.
    • 'oauth2' authentication requires:
      • clientID: '<ID>' – Specifies the application ID as a string (like an application username).
      • clientSecret: '<secret>' – Specifies the application secret as a string (like an application password).
  • type: 'key' | 'cookie' – Optionally specify whether or not the server should send back a cookie to maintain the user session. If a cookie is used, the browser will not need to include the session key in subsequent service requests, as long as the browser sends the cookie along with each AJAX request. A unique session key is always included in the response, even if the type is 'cookie'.

Response

Login only returns the Common Response Properties.

Example

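// Log in with password authentication and show the returned session key.
// No method is set, so jQuery sends a GET and the parameters travel in the URL query string.
$.ajax({
	url: 'https://<account>.webcomand.com/ws/login',
	data: {
		authentication: 'password',
		username: 'name',
		password: 'secret'
	},
	success: function( data ) {
		// data.session is the session key required by the other web services.
		alert(data.session);
	}
});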
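
The server-side login recommended above for password authentication, and for keeping secrets away from the client in general, shown as an added Node.js example for password and token logins; it is not webCOMAND code. It assumes the service accepts a form-encoded POST and returns JSON with the `session` property read in the example above; the function names are hypothetical.

```javascript
// Added example, not webCOMAND code. Assumptions: the login service accepts a
// form-encoded POST and answers with JSON carrying a "session" property.
const REQUIRED_PARAMS = new Map([['password', ['username', 'password']], ['token', ['token']]]);

// Build the login request from credentials that never leave the server.
function buildLoginRequest(account, authentication, credentials) {
  // The account becomes part of the host name, so allow a DNS label only.
  if (!/^[a-z0-9-]+$/i.test(account)) throw new Error('invalid account name');
  const required = REQUIRED_PARAMS.get(authentication);
  if (!required) throw new Error('unsupported authentication type');
  // type 'key': ask for the session key only, not a session cookie.
  const body = new URLSearchParams({ authentication, type: 'key' });
  for (const name of required) {
    const value = credentials[name];
    if (typeof value !== 'string' || value === '') throw new Error('missing ' + name);
    body.set(name, value);
  }
  return {
    url: 'https://' + account + '.webcomand.com/ws/login',
    options: {
      method: 'POST', // keeps credentials out of the URL and access logs
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString()
    }
  };
}

// Reduce the service response to the only value the browser should receive.
function toClientPayload(response) {
  if (!response || typeof response.session !== 'string' || response.session === '') {
    throw new Error('login failed');
  }
  return { session: response.session };
}

// fetchImpl is injectable so the helper can be exercised without a network.
async function loginServerSide(account, authentication, credentials, fetchImpl = fetch) {
  const { url, options } = buildLoginRequest(account, authentication, credentials);
  const res = await fetchImpl(url, options);
  if (!res.ok) throw new Error('login failed');
  return toClientPayload(await res.json());
}
```

In a request handler, the credentials would come from server-side configuration and only the value returned by `loginServerSide` would be sent to the browser.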