We’ve migrated our documentation to a new site, which means some URLs have changed.
Subscriptions

Common Login or Logout Issues and How to Avoid Them

When implementing Identity Management, small misconfigurations can lead to persistent login/logout issues for end users. Below is a guide to the most common mistakes and how to resolve or prevent them.

LOGOUT ISSUES

Using the Wrong Logout Endpoint

Problem:
Some implementations use an outdated logout endpoint that requires an API token, instead of the recommended OAuth-based endpoint.

How to Avoid:
Use the OAuth-compatible logout endpoint:

https://sandbox.tinypass.com/id/api/v1/identity/logout?client_id=&token=>

This endpoint is triggered automatically by tp.pianoId.logout() in the JS SDK.

Outdated JS SDK

Problem:
Running multiple or outdated versions of the JS SDK can cause duplicate cookies and inconsistent token behavior.

How to Avoid:

  • Use the latest version of the Piano JS SDK.

  • If loading Piano on multiple domains/subdomains, make sure the PDL cookies and consents are configured correctly.

  • Always use tp.pianoId.logout() to handle logouts via SDK logic.

Problem:
Modern browsers (Safari’s ITP, Firefox’s ETP) aggressively block or expire third-party cookies, causing unexpected logouts.

How to Avoid:

  • Set cookies using server-side logic, not client-side JavaScript. For example as described here.

  • Configure cookies as first-party with proper attributes (SameSite, Secure, etc.).

  • Consider whitelabeling your domain to improve persistence.

Custom Endpoint Misconfigurations

Problem:
Improper endpoint setup (e.g., cookie path, domain mismatch) or incomplete social login configurations can break logout behavior.

How to Avoid:

  • Audit your endpoint configuration, particularly around cookie attributes.

  • Validate your social login setup to avoid issues with hidden emails.

Forced Re-Authentication on Every Visit

Problem:
If cookies aren’t persisting properly, users may be forced to log in again every time they return.

How to Avoid:

  • Make sure all cookies (like __pid, __tbc, etc.) are set as first-party cookies.

  • Use server-side endpoints to set these cookies securely. For example as described here.

LOGIN ISSUES

Token Refresh or Exchange Failures

Problem:
In OAuth flows, login may fail during the token exchange or refresh phase. This is often due to incorrect integration of /id/api/v1/identity/login/code.

How to Avoid:

  • Verify that you're following the correct OAuth flow.

  • Confirm that refresh tokens are being handled correctly.

  • Review our social login guide here.

  • Remember: Refresh tokens expire 30 days after the associated JWT expires.

Social Login Email Mismatches

Problem:
When a user logs in with a social account and the email doesn’t match their existing Identity Management (or is a hidden email from Apple or Google), additional confirmation may be required.

How to Avoid:

  • Handle cases where social login emails differ from stored Identity Management emails.

  • Use the “Don’t accept hidden email” setting if you prefer not to allow hidden emails.

JS SDK Login Misconfigurations

Problem:
Improper configuration of the JS SDK can interfere with login flows, especially token exchange and session detection.

How to Avoid:

  • Always use the latest JS SDK.

  • Properly configure the PDL cookies and consents.

  • Use SDK methods like tp.pianoId.loginByToken() instead of building custom logic.

Cookies Not Persisting on Login

Problem:
On privacy-focused browsers, login cookies may be blocked or cleared, breaking session persistence.

How to Avoid:

  • Set cookies server-side, not through JavaScript. For example as described here.

  • Issue cookies with attributes like Secure, HttpOnly, and appropriate SameSite settings.

  • Use domain whitelabeling when applicable.

"Remember Me" Not Working

Problem:
Even when users check “Remember Me”, they are asked to log in again. This is usually due to incorrectly set or short-lived cookies (__idr, etc.).

How to Avoid:

  • Review and correct your cookie and token configuration. Also take a look at the recommendations here.

  • Ensure cookies are issued server-side with extended expiration where appropriate.

Last updated: