Authentication
AnchorOverview
The Quiltt API uses Bearer Tokens for authentication. There are two types of tokens, depending on the scope of authorization required: App Secrets and User Session Tokens.
AnchorApp Secret
The App Secret is a persistent token used to administer your app and manage its data and user profiles. It should only be used for server-to-server communication and should never be exposed in client-side code.
Authorization: Bearer {{APP_SECRET}}AnchorUser Session Token
User Session Tokens are short-lived, user-specific tokens used to interact with a specific user’s data in GraphQL. They are valid for the duration of an active User Session, and, when properly handled, can be used client-side.
Authorization: Bearer {{USER_SESSION_TOKEN}}There are several ways to create a User Session, depending on your use-case. These approaches support authenticating existing users, as well as creating new users on the fly.
Server-Side Authentication allows your app to create a User Session on behalf of a user, authenticating via your App Secret.
Client-Side Authentication allows your end-user to create a User Session on their own behalf, authenticating via a one-time passcode sent to their phone or email.