ÃÛ¶¹ÊÓƵ

DocumentationÃÛ¶¹ÊÓƵ PassÃÛ¶¹ÊÓƵ Pass Authentication

Roku SSO Cookbook (REST API V2) roku-sso-cookbook-rest-api-v2

Last update: Fri Apr 04 2025 00:00:00 GMT+0000 (Coordinated Universal Time)
NOTE
The content on this page is provided for information purposes only. Usage of this API requires a current license from ÃÛ¶¹ÊÓƵ. No unauthorized use is permitted.

The ÃÛ¶¹ÊÓƵ Pass Authentication REST API V2 has support for Platform Single Sign-On (SSO) for end users of client applications running on RokuOS.

This document acts as an extension to the existing REST API V2 Overview that provides a high-level view and the document that describes how to implement Single sign-on using platform identity flows.

Roku single sign-on using platform identity flows cookbook

ÃÛ¶¹ÊÓƵ Pass Authentication collaborates with Roku to improve the login user experience and to facilitate Single Sign-On (SSO) across TV Everywhere applications for TV subscribers.

Prerequisites prerequisites

Before proceeding with the Roku single sign-on using platform identity flows, ensure that Roku SSO is enabled. Roku SSO is enabled by default unless the Programmer or MVPD request for SSO to be disabled.

Each Programmer can Enable or Disable the Single Sign-On (SSO) on the Roku platform for specific integrations through the .

Workflow workflow

Client-to-Server

For Programmer applications utilizing a Client-to-Server architecture to integrate REST API V2, Roku SSO functions seamlessly without any modifications.

RokuOS automatically appends two HTTP headers to all requests sent to ÃÛ¶¹ÊÓƵ Pass Authentication endpoints.

Server-to-Server

For Programmer applications utilizing a Server-to-Server architecture to integrate REST API V2, the Programmer must coordinate with the Roku team to configure these headers to be included in all API flows directed to their domain.

To enable cross-application and cross-device SSO, the Roku-provided subscriber ID should be used instead of the device ID when passed by the application.

For more details, refer to the following documentation:

For specific details about the format of the needed headers, please contact your ÃÛ¶¹ÊÓƵ representative.

FAQs faqs

  • How will the SSO work?

    SSO will work across all Programmer applications powered by ÃÛ¶¹ÊÓƵ Pass Authentication on all Roku devices associated with the same Roku user. Not all MVPDs will allow Roku SSO.

  • Will there be any change to the authentication TTLs?

    The first valid authentication token will be used for performing SSO and, in this case, all the other applications that will be authenticated through SSO will use the same TTL until it expires. So, when navigating from one application to another, the second application will share the TTL of the first application that authenticates.

  • Will other ÃÛ¶¹ÊÓƵ functionality work as before?

    All ÃÛ¶¹ÊÓƵ Pass Authentication functionality will work as before.

  • Is there a Programmer opt-in / opt-out process benefiting from SSO on the Roku platform?

    This will be a configuration change in ÃÛ¶¹ÊÓƵ’s TVE Dashboard. Each Programmer can Enable or Disable SSO on the Roku platform for specific integrations.

  • What are some common issues?

    Programmers should check that their current implementations based on ÃÛ¶¹ÊÓƵ’s REST API don’t impede Roku’s platform-SSO.

    See below a list of possible issues and how they should be solved.

Problem
Possible cause
Possible solutions
No Roku SSO header sent to ÃÛ¶¹ÊÓƵ
Using HTTP instead of HTTPS for calls to ÃÛ¶¹ÊÓƵ Pass Authentication domains
Use HTTPS
MVPD logo not shown / not updated for SSO tokens
UI relies on local storage
Applications should update UI (and local storage, if needed) after checking authentication
Logout triggered on no AuthZ
Application design
Application should be updated to never perform logout behind the scenes
recommendation-more-help
3f5e655c-af63-48cc-9769-2b6803cc5f4b