
How to Implement Passwordless Auth

Quiltt’s passwordless authentication system combines the Sign Up and Sign In user actions into one flow, using one-time passcodes (OTP) to reduce onboarding friction and remove the need to store or exchange passwords.

To get started, you will need a Quiltt App configured with your desired authentication strategy. Currently, we support email-based and SMS-based authentication strategies. The strategy determines what serves as the user’s username (email|phone).


How it works

  1. Your App sends the user’s username (email|phone) to Quiltt’s authentication endpoint.
  2. If no user is found with the given username (email|phone), the request will create a new user, and return a Session Token for that user, completing the flow.
  3. If an existing user is found with the given username (email|phone), the request will issue a one-time passcode to the user (via email or SMS). Your application can then supply this passcode, along with the user’s username (email|phone), and Quiltt will return a Session Token for the user.

The Session Token will be returned in the Authorization header as a Bearer token. You can authenticate with our GraphQL endpoint by providing this Session Token in the Authorization header.
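An added example (not Quiltt’s code) of the client-side handling of the two outcomes above: it dispatches on the 201/202 status, pulls the Session Token out of the Authorization header, and reads the token’s expiry for bookkeeping. The sample responses are constructed from the status lines and token shown on this page; decoding the payload is inspection only, since the HS512 signature can only be checked by Quiltt.

```python
import base64
import json
import time

# Constructed samples of the two responses the endpoint returns, as (status, headers).
# The token is the one shown on this page; it is only parsed here, never trusted.
OTP_SENT = (202, {})
AUTHENTICATED = (201, {"Authorization": "Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2MjEyODM3ODUsImlhdCI6MTYyMTI4Mzc4NSwianRpIjoiODcyYTY4YmUtMWQyZi00YzdlLTkzNmMtM2ViMjI0M2JlYWY5IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjIxMzcwMTg1LCJ2ZXIiOjEsImFpZCI6IjMzNjc3MWZiLTExMmEtNDIwMy1iMTdkLTUwYWVhMzgxNTMwYiIsInVpZCI6IjAyOTNkZTRhLTNiY2YtNGVkYy04YjcwLWMwMTI5ZWY2YzMxZSJ9.Col81BiJLxYTkz-peEq6rio0JJR7jTdX2IBfBj3XtKypswv0PTt8vb_c9jhM_cnzJI_OjCSEJYbYf4-mrd_suQ"})


def bearer_token(headers):
    """Return the Session Token from an 'Authorization: Bearer <token>' header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def next_step(status, headers):
    """Map the endpoint's status code to the client's next action in the flow."""
    if status == 201:
        # New user created, or passcode accepted: the flow is complete.
        token = bearer_token(headers)
        if token is None:
            raise ValueError("201 response without a Bearer Session Token")
        return ("authenticated", token)
    if status == 202:
        # Existing user: a passcode was sent; prompt for it and resubmit with the username.
        return ("otp_required", None)
    raise ValueError(f"unexpected status {status}")


def unverified_claims(token):
    """Decode the JWT payload for display and expiry bookkeeping only.

    The token is HS512-signed and only Quiltt holds the HMAC key, so a client cannot
    verify it; never base an authorization decision on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def seconds_until_expiry(token, now=None):
    """Seconds until the Session Token's 'exp' claim, to schedule re-authentication."""
    now = time.time() if now is None else now
    return unverified_claims(token)["exp"] - now
```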


Implementing SMS-based Authentication

Authenticating a new user

You can create a new user by identifying them with their unique phone number. This will create the new user and return a valid Session Token, completing the authentication flow.

Request

Response

HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2MjEyODM3ODUsImlhdCI6MTYyMTI4Mzc4NSwianRpIjoiODcyYTY4YmUtMWQyZi00YzdlLTkzNmMtM2ViMjI0M2JlYWY5IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjIxMzcwMTg1LCJ2ZXIiOjEsImFpZCI6IjMzNjc3MWZiLTExMmEtNDIwMy1iMTdkLTUwYWVhMzgxNTMwYiIsInVpZCI6IjAyOTNkZTRhLTNiY2YtNGVkYy04YjcwLWMwMTI5ZWY2YzMxZSJ9.Col81BiJLxYTkz-peEq6rio0JJR7jTdX2IBfBj3XtKypswv0PTt8vb_c9jhM_cnzJI_OjCSEJYbYf4-mrd_suQ

Authenticating an existing user

  1. Submit the user’s phone number, which will send them a one-time passcode via SMS.

Request

Response

HTTP/1.1 202 Accepted

  2. After prompting the user for their passcode, submit the user’s phone number along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.

Request

Response

HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2MjEyODM3ODUsImlhdCI6MTYyMTI4Mzc4NSwianRpIjoiODcyYTY4YmUtMWQyZi00YzdlLTkzNmMtM2ViMjI0M2JlYWY5IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjIxMzcwMTg1LCJ2ZXIiOjEsImFpZCI6IjMzNjc3MWZiLTExMmEtNDIwMy1iMTdkLTUwYWVhMzgxNTMwYiIsInVpZCI6IjAyOTNkZTRhLTNiY2YtNGVkYy04YjcwLWMwMTI5ZWY2YzMxZSJ9.Col81BiJLxYTkz-peEq6rio0JJR7jTdX2IBfBj3XtKypswv0PTt8vb_c9jhM_cnzJI_OjCSEJYbYf4-mrd_suQ

Implementing Email-based Authentication

Authenticating a new user

You can create a new user by identifying them with their unique email. This will create the new user and return a valid Session Token, completing the authentication flow.

Request

Response

HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2MjEyODM3ODUsImlhdCI6MTYyMTI4Mzc4NSwianRpIjoiODcyYTY4YmUtMWQyZi00YzdlLTkzNmMtM2ViMjI0M2JlYWY5IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjIxMzcwMTg1LCJ2ZXIiOjEsImFpZCI6IjMzNjc3MWZiLTExMmEtNDIwMy1iMTdkLTUwYWVhMzgxNTMwYiIsInVpZCI6IjAyOTNkZTRhLTNiY2YtNGVkYy04YjcwLWMwMTI5ZWY2YzMxZSJ9.Col81BiJLxYTkz-peEq6rio0JJR7jTdX2IBfBj3XtKypswv0PTt8vb_c9jhM_cnzJI_OjCSEJYbYf4-mrd_suQ

Authenticating an existing user

  1. Submit the user’s email, which will send them a one-time passcode via email.

Request

Response

HTTP/1.1 202 Accepted

  2. After prompting the user for their passcode, submit the user’s email along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.

Request

Response

HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2MjEyODM3ODUsImlhdCI6MTYyMTI4Mzc4NSwianRpIjoiODcyYTY4YmUtMWQyZi00YzdlLTkzNmMtM2ViMjI0M2JlYWY5IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjIxMzcwMTg1LCJ2ZXIiOjEsImFpZCI6IjMzNjc3MWZiLTExMmEtNDIwMy1iMTdkLTUwYWVhMzgxNTMwYiIsInVpZCI6IjAyOTNkZTRhLTNiY2YtNGVkYy04YjcwLWMwMTI5ZWY2YzMxZSJ9.Col81BiJLxYTkz-peEq6rio0JJR7jTdX2IBfBj3XtKypswv0PTt8vb_c9jhM_cnzJI_OjCSEJYbYf4-mrd_suQ

Once you have obtained a Session Token, you are ready to talk to GraphQL and interact with the user’s financial data.

See our API Reference for additional authentication actions, including token introspection and revocation flows.