
Authentication


Overview

The Quiltt API uses Bearer Tokens for authentication. There are two types of tokens, depending on the scope of authorization required: Session Tokens and API Secrets. A bearer token grants access to whoever presents it, so either kind must be sent only over HTTPS in the Authorization header and kept out of URLs and logs.


The API Secret

The API Secret is a persistent credential used to administer a deployment, and manage its data and user profiles.

It should only be used for server-to-server communication and should never be exposed in client-side code.

Authorization: Bearer {{API_SECRET}}

The Session Token

A Session Token is a short-lived, user-specific token used to interact with a user’s data via GraphQL.

Session Tokens are valid for the duration of an active User Session and, when properly handled (held in memory rather than persisted or logged, and sent only over HTTPS), can be used in client-side code.

Authorization: Bearer {{SESSION_TOKEN}}

There are several flows to create a Session Token, depending on your use case. These approaches support authenticating existing users as well as creating new users on the fly:

Server-Side

The Server-Side flow allows your server to generate a Session Token on behalf of a user, authenticating via your API Secret.
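The following is an added illustration of the Server-Side flow's trust boundary; it is not Quiltt's SDK or documented endpoint. The session endpoint URL (SESSION_URL), the request body shape ({"userId": ...}) and the response field ("token") are placeholders assumed for the example; substitute the real values from the Quiltt API reference. The HTTP transport is injected so the code runs offline against a fake. The point it demonstrates is that the API Secret is loaded and used only on the server, the client only ever receives and sends the short-lived Session Token, and a CI-style check can catch the secret leaking into a client bundle.

```python
"""Server-side Session Token flow (added example, not Quiltt's own code)."""
import json
import os
import urllib.request
from typing import Callable, Dict, Tuple

# Hypothetical endpoint and payload shape: replace with the real Quiltt values.
SESSION_URL = "https://example.invalid/v1/sessions"

# transport(url, headers, json_body) -> (status_code, parsed_json_response)
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


def bearer(token: str) -> Dict[str, str]:
    """Build the Authorization header used for both token types."""
    return {"Authorization": f"Bearer {token}"}


def urllib_transport(url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
    """Real HTTPS transport for production; the test swaps in a fake."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={**headers, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.load(resp)


class SessionMinter:
    """Holds the API Secret on the server and issues Session Tokens to clients."""

    def __init__(self, api_secret: str, transport: Transport = urllib_transport):
        if not api_secret:
            # Fail closed: never fall back to an empty or client-supplied secret.
            raise ValueError("API secret is required; load it from a server-side secret store")
        self._api_secret = api_secret
        self._transport = transport

    def __repr__(self) -> str:
        # Keep the secret out of tracebacks and debug logs.
        return "SessionMinter(api_secret=<redacted>)"

    def session_token_for(self, user_id: str) -> str:
        """Call the (assumed) session endpoint with the API Secret; return the Session Token."""
        status, payload = self._transport(SESSION_URL, bearer(self._api_secret), {"userId": user_id})
        if status != 200 or not isinstance(payload.get("token"), str):
            # Do not echo the response body: it may contain account details.
            raise RuntimeError(f"session creation failed: HTTP {status}")
        return payload["token"]


def handle_session_request(minter: SessionMinter, authenticated_user_id: str) -> dict:
    """What your own API returns to an already-authenticated app user.

    The caller has authenticated against *your* application; this endpoint
    exchanges that identity for a Quiltt Session Token. Only the Session Token
    crosses the boundary to the client; the API Secret never does.
    """
    token = minter.session_token_for(authenticated_user_id)
    return {"sessionToken": token}


def client_headers(session_token: str) -> Dict[str, str]:
    """What the browser or mobile client sends to GraphQL: only the Session Token."""
    return bearer(session_token)


def leaks_secret(client_bundle_text: str, api_secret: str) -> bool:
    """CI check: true if the built client bundle contains the API Secret verbatim."""
    return bool(api_secret) and api_secret in client_bundle_text


if __name__ == "__main__":
    # Production wiring: secret from the environment, real HTTPS transport.
    minter = SessionMinter(os.environ.get("QUILTT_API_SECRET", ""))
    print(handle_session_request(minter, "user_123"))
```

The transport is injected rather than hard-coded so the server-side path can be exercised in tests without network access, and so a test can assert exactly which header went to the session endpoint. `leaks_secret` is intentionally a plain substring check run over build output; it is cheap enough to run on every client build.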

Passwordless

The Passwordless flow allows your end-user to generate a Session Token on their own behalf, authenticating via a one-time passcode sent to their phone or email.

Self-Signed

The Self-Signed flow allows you to generate User Sessions using a signing secret, without having to call the Quiltt API. Like the API Secret, the signing secret must stay on your server. Contact support@quiltt.io to request your signing secret.