# User Session

When a user authenticates, Openfort issues a signed **access token** and exposes the **user profile**. The token is signed by Openfort and cannot be spoofed, so your backend can trust it: send it as a bearer token and verify it server-side to authorize requests on the user's behalf.

Two methods cover most needs:

* `getAccessToken()` — the current JWT, for authorizing your API calls.
* `getUser()` — the user's profile, including linked auth providers.

Both are `async throws`.

## Get the access token

```swift
import OpenfortSwift

func authorizedRequest() async throws -> URLRequest {
    let token = try await OFSDK.shared.getAccessToken()

    var request = URLRequest(url: URL(string: "https://your-backend.com/api/me")!)
    request.setValue("Bearer \(token ?? "")", forHTTPHeaderField: "Authorization")
    return request
}
```

#### Returns

```swift
OFGetAccessTokenResponse? // typealias for String?
```

:::tip
Call `getAccessToken()` right before each request rather than caching it — the SDK returns a current, valid token (refreshing if needed), which avoids sending an expired one.
:::

## Get the current user

```swift
let user = try await OFSDK.shared.getUser()
print(user?.email ?? "no email")
print(user?.linkedAccounts ?? []) // which providers are connected
```

#### Returns

```swift
public struct OFUser: OFCodableSendable {
    public let id: String
    public let email: String?
    public let name: String?
    public let image: String?
    public let emailVerified: Bool?
    public let isAnonymous: Bool?         // true for guest accounts
    public let createdAt: FlexTimestamp?
    public let updatedAt: FlexTimestamp?
    public let phoneNumber: String?
    public let phoneNumberVerified: Bool?
    public let linkedAccounts: [OFUserAccount]?
}

public struct OFUserAccount: OFCodableSendable {
    public let provider: String?          // e.g. "google", "apple", "wallet"
    public let email: String?
    public let externalUserId: String?
    public let connectorType: String?
    public let walletClientType: String?
    public let disabled: Bool?
    public let verified: Bool?
    public let updatedAt: FlexTimestamp?
    public let address: String?           // wallet address, for wallet-linked accounts
}
```

:::note
`FlexTimestamp` decodes both numeric and string timestamps from the API. `isAnonymous == true` indicates a [guest account](/docs/products/embedded-wallet/swift/auth/guest) that hasn't been upgraded yet.
:::

## Drive your UI from session state

For SwiftUI, gate your views on whether a user exists. Combine this with the [embedded wallet state](/docs/products/embedded-wallet/swift/wallet/state) to know whether the wallet is also ready:

```swift
@MainActor
final class SessionModel: ObservableObject {
    @Published var user: OFUser?

    func refresh() async {
        user = try? await OFSDK.shared.getUser()
    }
}
```

## Related

* [Log the user out](/docs/products/embedded-wallet/swift/auth/logout)
* [Embedded wallet state](/docs/products/embedded-wallet/swift/wallet/state)