How to implement Server-Side Authentication

In this guide, we will show you how to generate Quiltt session tokens on behalf of your users, using your App Secret.


Interacting with user-specific data in Quiltt requires a valid User Session Token. This token scopes all API operations to a specific user, ensuring that each user's data is securely isolated.

To make referential integrity easy, our API is designed in an "importer pipeline" style, backed by UUIDs. This means that you can generate or otherwise provide your own ID as the primary key for a user in Quiltt. You can think of Quiltt as an extension to your data infrastructure.

To create a User Session, use your App Secret as a Bearer Token while optionally providing profile details to write to the user. This works the same regardless of whether you are registering a new user, or creating a session for an existing user.

We also support self-signed sessions. Please contact us at support@quiltt.io to obtain a signing secret.

How to Authenticate a New User

Without profile attributes

HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8

{
  "id": "50fb243c-6d2e-45ba-b1a2-1b9774876a7c",
  "expiration": 1621370019,
  "userId": "f5db0067-3482-4a3a-b05c-7b1b560d1fae",
  "token": <USER_SESSION_TOKEN>
}
Creates and authenticates a new user, assigning a random UUID that you should persist.

With profile attributes

HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8

{
  "id": "2b853926-b456-473e-b5ff-e02b5fa61d69",
  "expiration": 1621370019,
  "user_id": "11111111-1111-1111-1111-111111111111",
  "token": <USER_SESSION_TOKEN>
}
Creates and authenticates a new user, assigning them the given profile attributes.

With an ID

HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8

{
  "id": "2b853926-b456-473e-b5ff-e02b5fa61d69",
  "expiration": 1621370019,
  "userId": "11111111-1111-1111-1111-111111111111",
  "token": <USER_SESSION_TOKEN>
}
Creates and authenticates a new user, assigning them the given ID.

How to Authenticate an Existing User

Find user by UUID

HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8

{
  "id": "94204d21-61dc-42df-8ca9-66546caaa4e3",
  "expiration": 1621370019,
  "userId": "11111111-1111-1111-1111-111111111111",
  "token": <USER_SESSION_TOKEN>
}
Authenticates an existing user, found by the given ID.

Find user by UUID and update profile

HTTP/1.1 201 Created
Content-Type: application/json; charset=utf-8

{
  "id": "d0866007-52fa-4cfc-a0d0-cd5ad0fb9a00",
  "expiration": 1621370019,
  "userId": "11111111-1111-1111-1111-111111111111",
  "token": <USER_SESSION_TOKEN>
}
Authenticates an existing user, found by the given ID, and assigns them the given profile attributes.
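The server-side flow described above (App Secret as Bearer token, optional ID or profile attributes, a response carrying `userId`, `token` and `expiration`) as an added example; this is not Quiltt's own client code. It assumes the session endpoint URL and the `userId` request field name, which this page does not give, so both are placeholders, and it re-mints a user's token shortly before `expiration` rather than handing out a stale one.

```python
import json
import time
import urllib.request

QUILTT_SESSIONS_URL = "https://<QUILTT_API_HOST>/<SESSIONS_PATH>"  # assumed placeholder
REFRESH_MARGIN = 60  # seconds before `expiration` at which a fresh token is minted


def build_session_request(app_secret, user_id=None, profile=None):
    """Headers and JSON body for a session request. The App Secret is sent as a
    Bearer token and must only ever be used from trusted server-side code."""
    headers = {"Authorization": f"Bearer {app_secret}", "Content-Type": "application/json"}
    body = dict(profile or {})
    if user_id is not None:
        body["userId"] = user_id  # assumed field name for supplying your own UUID
    return headers, body


def parse_session(status, payload):
    """Validate a session response; returns (user_id, token, expiration)."""
    if status != 201:
        raise RuntimeError(f"session not created: HTTP {status}")
    user_id = payload.get("userId") or payload.get("user_id")  # both spellings appear above
    token, exp = payload.get("token"), payload.get("expiration")
    if not (user_id and token and isinstance(exp, int)):
        raise ValueError("malformed session response")
    return user_id, token, exp


def http_transport(url, headers, body):
    """Real transport: POST JSON and return (status, parsed body)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, json.load(resp)


class SessionTokenCache:
    """Hands out a valid User Session Token per user, re-minting it before expiry."""
    def __init__(self, app_secret, transport=http_transport):
        self.app_secret, self.transport, self._cache = app_secret, transport, {}

    def token_for(self, user_id, now=None):
        now = int(time.time()) if now is None else now
        cached = self._cache.get(user_id)  # (token, expiration)
        if cached and cached[1] - REFRESH_MARGIN > now:
            return cached[0]
        headers, body = build_session_request(self.app_secret, user_id=user_id)
        status, payload = self.transport(QUILTT_SESSIONS_URL, headers, body)
        uid, token, exp = parse_session(status, payload)
        self._cache[uid] = (token, exp)
        return token
```

Keep the cache (and the App Secret) on the server; the client only ever receives the short-lived session token.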

Once you have obtained a User Session Token, you are ready to talk to GraphQL and interact with the user's financial data.

See our API Reference for additional authentication actions, including token introspection and revocation flows.