Oomph authenticators use the concept of a receipt, which is simply an arbitrary string generated by your system. The receipt can contain any information you like; however, your server must be able to uniquely identify a user from the receipt.
Your server must accept the receipt in your implementation of the verification API, use it to identify the user in question and return the authentication status of that user.
The receipt could be something as simple as the unique ID of a user from your database, or it could contain more information. How you generate the receipt is up to you; the only important things about the receipt are:
- The receipt must be a string and not binary data.
- Your server must be able to identify the user using only the receipt.
- Each unique set of user credentials must always generate the same unique receipt. You must not generate a new receipt each time the user logs in; you must pass back the existing receipt. Once generated, the receipt must remain unchanged for the life of the user account with which it is associated.
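
One way to satisfy the three requirements above, shown as an added example rather than Oomph's own code: the receipt is the user ID plus an HMAC tag, so it is a plain string, is identical on every login, and lets the server recover the user from the receipt alone while rejecting altered values. The key, the function names and the `id.tag` layout are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Assumption: a server-side secret that is never rotated. Changing it would
# change every receipt, which the "unchanged for the life of the account"
# requirement forbids. The value below is constructed for the example.
RECEIPT_KEY = b"constructed-demo-key-not-for-production"


def make_receipt(user_id: str) -> str:
    """Return the single receipt for this user: deterministic and text-only."""
    raw = user_id.encode("utf-8")
    encoded = base64.urlsafe_b64encode(raw).decode("ascii")
    tag = hmac.new(RECEIPT_KEY, raw, hashlib.sha256).hexdigest()
    return f"{encoded}.{tag}"


def user_from_receipt(receipt: str) -> Optional[str]:
    """Recover the user ID from the receipt alone; None if malformed or altered."""
    encoded, sep, _tag = receipt.partition(".")
    if not sep:
        return None
    try:
        user_id = base64.urlsafe_b64decode(encoded.encode("ascii")).decode("utf-8")
    except (ValueError, UnicodeError):
        return None
    # Rebuild the canonical receipt and compare in constant time. This rejects
    # a wrong tag and also any non-canonical spelling of the same user ID, so
    # each user has exactly one valid receipt.
    expected = make_receipt(user_id).encode("utf-8")
    if not hmac.compare_digest(receipt.encode("utf-8"), expected):
        return None
    return user_id


if __name__ == "__main__":
    receipt = make_receipt("user-42")          # constructed sample user ID
    print(receipt)
    print(user_from_receipt(receipt))          # the verification API's lookup step
    print(user_from_receipt(receipt[:-1] + "0" if receipt[-1] != "0" else receipt[:-1] + "1"))
```
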