Advisory: We only operate services from the RANDOM.ORG domain. Other sites that claim to be operated by us are impostors. If in doubt, contact us.

Authentication API (Release 4)


For many API methods, your client may need to present credentials that allows RANDOM.ORG to authenticate it, i.e., confirm its identity. The current API release does not contain any methods to manage authentication directly. For this reason, the spec consists only of a description of credentials objects, which are passed as parameters to other API methods. These methods in turn perform authentication based on the supplied credentials.


There are no specific methods associated with authentication, hence no URL.

credentials (object)

When a client wants to be authenticated by RANDOM.ORG, it must present a credentials object. This object can take two different forms.

Form 1: Login/Password Authentication

The client can allow authentication by supplying a simple login (username) and password combination. In this case, the credentials object must contain the following properties:

A string containing the login (username) associated with the client's RANDOM.ORG account.
A string containing the password associated with the client's RANDOM.ORG account.

An example credentials object can look as follows:

    "login": "myLogin",
    "password": "secret"

Form 2: Session Authentication

If the client has recently authenticated itself to RANDOM.ORG, it may have an active session open. In this case, it can supply a credentials object containing the following:

The identifier of a session that has already been authenticated.

An example credentials object can look as follows:

    "sessionId": "f3a0jvkn7n6mkbm7qpm7kn8sb1"

Session-based credentials are intended for use in AJAX-based clients that run in web browsers. The session identifier can be obtained from the RDOSESSION cookie set by RANDOM.ORG when a user successfully logs in via their web browser. (Possibly helpful link: Shortest function for reading a cookie in JavaScript.)