SSO Login
Authenticate users with their Bolt account via OAuth 2.0 and PKCE using the Bolt Android SDK.

Overview

The Bolt Android SDK provides a built-in SSO flow that lets users log in with their Bolt account using OAuth 2.0, optionally with PKCE. After login, you receive an authorization code and a state value, which your backend exchanges for an access token.

NOTE

If you don’t have a backend application and need to exchange the authorization code directly from your mobile app, enable PKCE mode and send the authorization code, state, and code verifier to the Bolt token exchange endpoint.

Starting the Login Flow

Register a launcher and implement BoltLoginDelegate:

import android.content.Intent
import android.os.Bundle
import android.view.View
import androidx.activity.result.ActivityResultLauncher
import androidx.fragment.app.Fragment
import com.bolt.checkout.BoltCheckout
import com.bolt.checkout.intl.BoltLoginConfig // package assumed; use the one your SDK version exports
import com.bolt.checkout.intl.BoltLoginDelegate

class MyFragment : Fragment(), BoltLoginDelegate {

    private lateinit var loginLauncher: ActivityResultLauncher<Intent>

    override fun onViewCreated(view: View, savedInstanceState: Bundle?) {
        super.onViewCreated(view, savedInstanceState)

        // Register the result launcher here (or earlier); registration must
        // happen before the fragment reaches the STARTED state.
        loginLauncher = BoltCheckout.get().getLoginActivityResultLauncher(
            fragment = this,
            boltLoginDelegate = this,
        )
    }

    // Call this from a button tap or equivalent UI action
    fun onLoginButtonClicked() {
        BoltCheckout.get().startLogin(
            context = requireContext(),
            loginActivityResultLauncher = loginLauncher,
            // Default config: no PKCE. Enable PKCE mode on this config only if
            // your app has no backend and exchanges the code itself.
            BoltLoginConfig()
        )
    }

    // --- BoltLoginDelegate callbacks ---

    override fun onLoginSuccess(authCode: String, codeVerifier: String, state: String) {
        // Backend flow: forward authCode and state to your own API (myBackendApi is
        // your app's client, not part of the SDK), which exchanges them with Bolt.
        // Do not log or persist either value.
        myBackendApi.exchangeBoltToken(authCode, state)
        // PKCE flow (no backend): send authCode, state and codeVerifier to the Bolt
        // token endpoint instead. Outside PKCE mode codeVerifier is not used.
    }

    override fun onLoginError(errorReason: String) {
        // Login failed (e.g. network error, user denied permissions)
    }

    override fun onLoginCancel() {
        // User dismissed the login screen without completing
    }
}

Launching from an Activity

If you are launching from an Activity instead of a Fragment:

val loginLauncher = BoltCheckout.get().getLoginActivityResultLauncher(
    activity = this, // ComponentActivity
    boltLoginDelegate = this,
)

How It Works

  1. startLogin() opens a WebView with the Bolt-hosted login page. Your app does not pass an email; the user enters it directly on the page.
  2. (PKCE flow only) The SDK generates a PKCE code verifier and code challenge automatically, and returns the verifier to you in onLoginSuccess.
  3. The user enters their Bolt account email. Bolt sends a one-time passcode (OTP) via email or SMS; the user picks their preferred delivery method and enters the code.
  4. On success, the hosted page redirects to boltoauth://redirect with an authorization code.
  5. The SDK intercepts this redirect inside the WebView, so no AndroidManifest.xml changes or intent filters are required. Because the boltoauth scheme is never exposed as an exported intent filter, no other app on the device can register for it to capture the code.
  6. onLoginSuccess(authCode, codeVerifier, state) is called.

Backend Token Exchange

When onLoginSuccess fires, send authCode and state to your backend immediately. Your backend exchanges them for an access token at the token endpoint for its environment:

Environment   Token endpoint
Sandbox       https://api-sandbox.bolt.com/v1/oauth/token
Production    https://api.bolt.com/v1/oauth/token

POST https://api.bolt.com/v1/oauth/token
Content-Type: application/x-www-form-urlencoded

client_id=<your-publishable-key>
&code=<authCode from onLoginSuccess>
&grant_type=authorization_code
&scope=openid%20bolt.account.manage
&state=<state from onLoginSuccess>

The scope value contains a space, so it must be percent-encoded (%20, or + in form encoding) in the request body. In PKCE mode the app makes this request itself and must also include the code verifier from onLoginSuccess; the standard RFC 7636 parameter name is code_verifier, confirm it against the Bolt token endpoint reference.

WARNING

Do not write authCode, or the PKCE codeVerifier, to persistent storage (SharedPreferences, database, or disk) or to logs. Forward them to your backend (or, in PKCE mode, to the Bolt token endpoint) directly from onLoginSuccess and let them go out of scope. An authorization code is single use and short-lived, but anyone who captures it before you redeem it can obtain the token in your place.
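The following is a server-side exchange handler, written in Python as an added example; it is not Bolt SDK code or Bolt documentation, and your backend may be in any language. It covers step 2 of How It Works by deriving a PKCE S256 challenge the way RFC 7636 specifies (the SDK does this on-device; the code shows what the returned codeVerifier corresponds to), builds the form body above with the scope percent-encoded, selects the token endpoint by environment, refuses to forward an authorization code it has already seen, and keeps only a hash of each code. Assumptions not on this page: the PKCE parameter is named code_verifier (the RFC 7636 name) and the token response is JSON carrying an access_token field; the transport hook exists only so the class can be exercised offline.

```python
import base64
import hashlib
import json
import secrets
import time
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import quote, urlencode

# Token endpoints from the page. A typo in the environment name raises KeyError
# instead of silently posting a live code to the wrong host.
TOKEN_ENDPOINTS = {
    "sandbox": "https://api-sandbox.bolt.com/v1/oauth/token",
    "production": "https://api.bolt.com/v1/oauth/token",
}
SCOPE = "openid bolt.account.manage"


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: base64url(sha256(verifier)) without padding.
    The Bolt SDK derives this on-device in PKCE mode; shown here to make the
    verifier/challenge relationship concrete."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair() -> Tuple[str, str]:
    """Fresh 256-bit verifier (43 base64url characters) and its challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)


def build_token_request(client_id: str, code: str, state: str,
                        code_verifier: Optional[str] = None) -> str:
    """Form body for POST /v1/oauth/token. quote_via=quote encodes the space in
    the scope as %20 (urlencode's default '+' is also valid form encoding)."""
    params = {
        "client_id": client_id,
        "code": code,
        "grant_type": "authorization_code",
        "scope": SCOPE,
        "state": state,
    }
    if code_verifier is not None:
        # PKCE mode only. RFC 7636 parameter name, assumed for Bolt; confirm
        # against the token endpoint reference.
        params["code_verifier"] = code_verifier
    return urlencode(params, quote_via=quote)


Transport = Callable[[str, str], Tuple[int, str]]


def _http_post(url: str, body: str) -> Tuple[int, str]:
    """Real transport: form POST with a timeout, returns (status, response text)."""
    req = urllib.request.Request(
        url, data=body.encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode("utf-8")


class CodeExchanger:
    """Exchanges codes received from onLoginSuccess, each at most once."""

    def __init__(self, client_id: str, environment: str,
                 transport: Transport = _http_post, ttl_seconds: int = 300):
        self.client_id = client_id
        self.endpoint = TOKEN_ENDPOINTS[environment]
        self.transport = transport
        self.ttl = ttl_seconds
        self._seen: Dict[str, float] = {}  # sha256(code) -> time first seen

    def exchange(self, code: str, state: str,
                 code_verifier: Optional[str] = None) -> Optional[dict]:
        now = time.time()
        self._seen = {k: t for k, t in self._seen.items() if now - t < self.ttl}
        # Authorization codes are single use: a repeat is a replay or a retry
        # bug, so refuse it before touching the network. Only a hash is kept.
        fingerprint = hashlib.sha256(code.encode("utf-8")).hexdigest()
        if fingerprint in self._seen:
            return None
        self._seen[fingerprint] = now
        body = build_token_request(self.client_id, code, state, code_verifier)
        status, text = self.transport(self.endpoint, body)
        if status != 200:
            return None  # log the status, never the body: it carries the code
        try:
            token = json.loads(text)
        except ValueError:
            return None
        return token if isinstance(token, dict) and "access_token" in token else None
```

In the backend flow your API endpoint receives authCode and state from the app and calls CodeExchanger("<publishable-key>", "production").exchange(code, state); in PKCE mode the same body is sent from the device with the verifier added. The in-memory replay set is per process; a multi-instance backend would keep the code fingerprints in a shared store with the same TTL.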

Logout

To log the user out of their Bolt session:

BoltCheckout.get().logout()

This clears the WebView cookies used by the Bolt login page, so the next startLogin() prompts for credentials again. It does not revoke any access token your backend obtained from the exchange; end that session on your own side as well.

SFCC Integration

Some merchants use Salesforce Commerce Cloud (SFCC) as their e-commerce platform and have configured Bolt as an OAuth identity provider within SFCC. In this setup, the token exchange does not go directly to Bolt’s /v1/oauth/token endpoint. Instead, the Bolt authorization code and state are forwarded to SFCC, which handles the token exchange server-to-server on your behalf.

NOTE

In the SFCC flow, do not enable PKCE: the token exchange is made server-to-server, so the code verifier is never needed on the device.

Key Differences from Standard SSO

                          | Standard Bolt SSO                      | SFCC Integration
Token exchange endpoint   | POST /v1/oauth/token (Bolt)            | Login-OAuthMobileBolt, then Login-ExchangeSFCCToken (SFCC)
codeVerifier usage        | Required only for PKCE flow            | Not used; discard after onLoginSuccess
Who calls Bolt's token API| Your backend                           | SFCC (server-to-server)
Resulting token           | Bolt access token                      | SFCC JWT bearer token

SFCC Endpoint Reference

Step                 | Method | URL
Authorize            | GET    | https://api-sandbox.bolt.com/v1/oauth/internal/authorize
SFCC code exchange   | GET    | https://<sfcc-host>/.../Login-OAuthMobileBolt
SFCC token exchange  | POST   | https://<sfcc-host>/.../Login-ExchangeSFCCToken