How to use Client-Side Authentication

In this guide, we will show you how to generate Quiltt session tokens directly from your web or native app.


Quiltt's client-side authentication system combines the Sign Up and Sign In actions into one flow, using one-time passcodes (OTP) to reduce onboarding friction and remove the need to store or exchange passwords.

To get started, you will need a Quiltt App configured with your desired authentication strategy. Currently, we support email-based and phone-based (SMS-based) authentication strategies. The strategy determines what serves as the user's username (email|phone).

The flow:

  1. Your App sends the user's username (email|phone) to Quiltt's authentication endpoint.
  2. If no user is found with the given username (email|phone), the request creates a new user and returns a Session Token for that user, completing the flow.
  3. If an existing user is found with the given username (email|phone), the request issues a one-time passcode to the user (via email or SMS). Your application can then supply this passcode, along with the user's username (email|phone), and Quiltt will return a Session Token for the user.

The session token will be returned in the Authorization header as a Bearer token. You can authenticate with our GraphQL endpoint by providing this session token in the Authorization header.

Authenticating a new user (phone-based strategy)

1. Submit phone

HTTP/1.1 201 Created
Authorization: Bearer TOKEN
Returns a Session Token for the newly created user.

Authenticating an existing user (phone-based strategy)

1. Submit phone

HTTP/1.1 202 Accepted
Sends the user a one-time passcode via SMS.

2. Submit phone with passcode

HTTP/1.1 201 Created
Authorization: Bearer TOKEN
Returns a Session Token for the existing user.
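The two flows above, driven from a client, as an added example (this is not Quiltt's SDK or documentation code). It assumes a placeholder endpoint URL, a JSON body with `phone` and optional `passcode` fields, and an app-supplied synchronous `transport` function that POSTs JSON and returns `{ status, headers }`; none of these are specified on this page, and a real app would wrap `fetch` and await it. The stub transport is constructed so the flow runs offline.

```javascript
// Added example, not Quiltt's SDK. Assumptions (also stated in the lead-in):
// - AUTH_URL is a placeholder; the page does not give the endpoint path.
// - The request body is JSON with a "phone" field and, on the second step, "passcode".
// - transport(url, body) is app-supplied: it POSTs JSON and returns { status, headers }
//   synchronously; a real app would wrap fetch and await it.
const AUTH_URL = "https://AUTH_ENDPOINT_PLACEHOLDER"; // placeholder, not a real Quiltt URL

// Pull the Session Token out of "Authorization: Bearer TOKEN".
function parseBearer(headerValue) {
  const m = /^Bearer\s+(\S+)$/i.exec(headerValue || "");
  return m ? m[1] : null;
}

// One request of the flow: username only, or username plus passcode.
function submitStep(transport, phone, passcode) {
  const body = passcode === undefined ? { phone } : { phone, passcode };
  const res = transport(AUTH_URL, body);
  if (res.status === 201) {
    // 201 Created: the Session Token must be present; treat its absence as an error.
    const token = parseBearer(res.headers.authorization);
    if (!token) throw new Error("201 without a Bearer Session Token");
    return { state: "authenticated", token };
  }
  if (res.status === 202) return { state: "passcode_required" }; // OTP sent via SMS
  throw new Error(`unexpected status ${res.status}`); // not part of the documented flow
}

// Whole flow: a new user finishes in one step, an existing user must supply the passcode.
function authenticate(transport, phone, promptForPasscode) {
  const first = submitStep(transport, phone);
  if (first.state === "authenticated") return first.token;
  const second = submitStep(transport, phone, promptForPasscode());
  if (second.state !== "authenticated") throw new Error("passcode step returned no Session Token");
  return second.token;
}

// Constructed stub standing in for Quiltt: one existing user, everyone else is new.
function makeStubTransport(existingPhone, validPasscode) {
  return (_url, body) => {
    if (body.phone !== existingPhone) {
      return { status: 201, headers: { authorization: "Bearer NEW_USER_TOKEN" } };
    }
    if (body.passcode === undefined) return { status: 202, headers: {} };
    if (body.passcode === validPasscode) {
      return { status: 201, headers: { authorization: "Bearer EXISTING_USER_TOKEN" } };
    }
    return { status: 401, headers: {} }; // stub behaviour only; the page does not specify this
  };
}
```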

Once you have obtained a Session Token, you are ready to talk to GraphQL and interact with the user's financial data.

See our API Reference for additional authentication actions, including endpoints for token introspection and revocation.