Skip to main content


These are regular users who interact with MARCO's platform, typically through a user interface. They can be developers, administrators, or any other individual accessing MARCO's services.


Do not confuse MARCO users with the wallets used to interact with a DLT. While some users can have wallets associated, it is not a requirement.

Authentication methods

MARCO offers multiple methods for user authentication.

Console authentication

User can access the MARCO's services by providing their username and password to gain access.

SSO authentication

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties.

MARCO supports SAML-based single sign-on (SSO) authentication, allowing users to log in using their enterprise or third-party credentials.


If you would like to authenticate your users using your SAML IdP, contact us.

API authentication

The following diagram shows the authentication flow when using API authentication:

sequenceDiagram participant A as APP UI participant M as MARCO A->>M: Redirects to MARCO login page Note right of M: User logs in and grants or rejects permissions to the Marpp M-->>A: Redirects to application alt User granted permissions M-->>A : Returns ACCESS_TOKEN A->>M: Calls MARCO API with ACCESS_TOKEN end

Redirect to MARCO login page

When your application wants to authenticate a user with MARCO, you must redirect them to MARCO login so they can confirm the access requested by your application.

The URL to redirect the user must have the following format:<MARPP_ID>&scope=<SCOPE_REQUIRED_BY_YOUR_APP>&redirect=<YOUR_APP_LOGIN_URL>


Query ParameterDescription
clientIdMarpp identifier.
scopeApplication scope requested by your application.
redirectApplication URL to redirect users after they log in.

Redirect to application

When the user logs in, MARCO will redirect to your provided redirect URL with the following format:



Query ParameterDescription
actionThe status of the action. Available values are GRANTED or REJECTED.
accessTokenThe ACCESS_TOKEN to authenticate API requests after users log in. Only set if action is GRANTED.

For more information on using the ACCESS_TOKEN to make calls, refer to Access Token authentication.

Identity permissions

For more information on managing user permissions, refer to IAM privileges.

See also