end_sess_...) is issued automatically when a tap is verified. It records that a specific chip was physically tapped moments ago. It is not proof of ownership — it is proof of a recent tap.
What a session token represents
When your server verifies a tap withPOST /v1/chips/{chip_id}, the API:
- Validates the one-time credential (
evalue). - Records the tap against the chip’s scan count.
- Returns a
session_tokenobject bound to that chip, the unit it is paired to, and your organization.
How a session token is issued
CallPOST /v1/chips/{chip_id} with the e value from the tap. The response includes:
Default lifetime: 600 seconds. To request a different lifetime, pass
ttl (integer, 60–3600) in the verify request body. The response expires_at reflects the actual expiry.
The token is returned exactly once in the verify response. If you lose it, you must re-verify (perform another tap) to get a new token.
Security properties
- Opaque. The token carries no decodable payload. Its meaning is defined entirely by the introspection response.
- Single-issue. Returned once in the verify response. Not logged or retrievable after that.
- Short-lived. Expired tokens are rejected immediately. The default 600-second window is enough for a user interaction; request a shorter
ttlfor higher-sensitivity flows. - Client-safe. Unlike your API key, a session token is scoped to one chip and one unit. Passing it to a browser client exposes nothing beyond the current tap event.
Introspecting a session token
UseGET /v1/session-tokens/current to confirm what a session token is bound to. Authenticate the request with the session token itself — not your API key.
The 10-character hex identifier of the chip that was tapped.
The UUID of the unit the chip is paired to.
The UUID of your organization. Confirms the token belongs to your account.
ISO-8601 timestamp after which the token is no longer valid.
Calling the API directly from a browser requires your web origin to be on
your organization’s CORS allowlist — requests from unlisted origins are
blocked by the browser before they reach the endpoint. Ask Endstate to
allowlist your origins during onboarding. Server-side calls are unaffected.
Use cases
Session tokens are most useful when you need to prove that a user physically tapped a product before allowing a unit-scoped action:- Gating digital content or experiences. After verification, pass the session token to your own backend or a client to unlock content tied to that unit.
- Logging user interactions. Your server receives the tap event from the verify response; the session token lets a client confirm the same tap without a second server call.
- Handoff to a client flow. Verify server-side, then pass
end_sess_...to the client. The client can introspect to display unit details without access to your API key.
A chip-tap session token authorizes the unit’s ownership actions: claiming
it — handing it to its first owner — via the Claims API,
and transferring it between owners via the Transfers
API.
Errors
Branch on
error.code, not on HTTP status or message. See Error conventions for the full error envelope and handling guidance.
Endpoints
Full request and response schemas are in the API reference.
Next steps
Chips & verification
Learn how chips are paired to units and how taps produce the one-time
credential used in verification.
Verify a unit
Step-by-step guide to running a complete verification flow and handling the
session token.

