How to use Client-Side Authentication

In this guide, we will show you how to generate Quiltt session tokens directly from your web or native app.

Quiltt's client-side authentication system combines the Sign Up and Sign In actions into one flow, using one-time passcodes (OTP) to reduce onboarding friction and remove the need to store or exchange passwords.

To get started, you will need a Quiltt App configured with your desired authentication strategy. Currently, we support email-based and phone-based (SMS-based) authentication strategies. The strategy determines what serves as the user's username: an email address or a phone number.

The flow:

  1. Your app sends the user's username (email|phone) to Quiltt's authentication endpoint.
  2. If no user exists with that username, the request creates a new user and returns a Session Token for that user (201 Created), completing the flow. No passcode is sent in this case, so the email address or phone number is not verified before the token is issued.
  3. If a user already exists with that username, the request instead sends a one-time passcode to that user via email or SMS (202 Accepted). Your app then submits the passcode together with the username, and Quiltt returns a Session Token for the user (201 Created).

In both cases the Session Token is returned in the response's Authorization header as a Bearer token. Send that same header (Authorization: Bearer TOKEN) on requests to our GraphQL endpoint to authenticate as the user.

Authenticating a new user (phone-based strategy)

1. Submit phone

HTTP/1.1 201 Created
Authorization: Bearer TOKEN
Returns a Session Token for the newly created user.

Authenticating an existing user (phone-based strategy)

1. Submit phone

HTTP/1.1 202 Accepted
Sends the user a one-time passcode via SMS.

2. Submit phone with passcode

HTTP/1.1 201 Created
Authorization: Bearer TOKEN
Returns a Session Token for the existing user.
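The two procedures above, implemented as one web-client function. This is an added example, not Quiltt's own code: the endpoint URLs and the JSON request bodies ({ phone } and { phone, passcode }) are assumptions for illustration, and the real request format is in the API Reference. The client branches on the status codes the page documents (201 Created with a Bearer token, or 202 Accepted followed by a passcode step) and then reuses the token against the GraphQL endpoint. A constructed stand-in for the server is included so the flow runs offline.

```javascript
// Added example (not Quiltt's own code): a web-client implementation of the
// two-step OTP flow described above. The endpoint URLs and the JSON request
// bodies ({ phone } and { phone, passcode }) are assumptions for illustration;
// the real request format is in the API Reference.

const AUTH_URL = 'https://auth.example.invalid/session';   // assumed placeholder URL
const GRAPHQL_URL = 'https://api.example.invalid/graphql'; // assumed placeholder URL

// Classify an authentication response the way the page describes it:
//   201 Created + "Authorization: Bearer <token>"  -> Session Token issued
//   202 Accepted                                   -> passcode sent, step 2 required
// Anything else is an error; a 201 without a Bearer token is also an error.
function interpretAuthResponse(status, authorizationHeader) {
  if (status === 201) {
    const match = /^Bearer\s+(\S+)$/i.exec(authorizationHeader || '');
    if (!match) throw new Error('201 Created without a Bearer token in Authorization');
    return { state: 'authenticated', token: match[1] };
  }
  if (status === 202) return { state: 'passcode_required' };
  throw new Error(`unexpected status ${status}`);
}

// Run the flow end to end. `requestPasscode` is an async callback that asks the
// user for the OTP they received; it is only invoked for existing users (202).
// `fetchImpl` defaults to the browser's fetch and is injectable for testing.
async function authenticate({ phone, requestPasscode, fetchImpl = globalThis.fetch }) {
  const post = (body) => fetchImpl(AUTH_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });

  // Step 1: submit the username only.
  let res = await post({ phone });
  let outcome = interpretAuthResponse(res.status, res.headers.get('Authorization'));
  if (outcome.state === 'authenticated') return outcome.token; // new user: done after one round trip

  // Step 2: submit username + passcode (existing user).
  const passcode = await requestPasscode();
  res = await post({ phone, passcode });
  outcome = interpretAuthResponse(res.status, res.headers.get('Authorization'));
  if (outcome.state !== 'authenticated') throw new Error('passcode step did not return a token');
  return outcome.token;
}

// Reuse the Session Token as a Bearer token on the GraphQL endpoint.
function graphqlRequest(token, query, fetchImpl = globalThis.fetch) {
  return fetchImpl(GRAPHQL_URL, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({ query }),
  });
}

// Constructed stand-in for the two endpoints so the example runs offline.
// It knows exactly one existing user; any other phone number is a sign-up.
function makeFakeFetch({ existingPhone, validPasscode, token }) {
  const calls = [];
  const respond = (status, headers = {}) => ({
    status,
    headers: { get: (name) => headers[name] ?? null },
  });
  const fake = async (url, init) => {
    calls.push({ url, init });
    if (url === GRAPHQL_URL) {
      return init.headers.Authorization === `Bearer ${token}` ? respond(200) : respond(401);
    }
    const body = JSON.parse(init.body);
    if (body.phone !== existingPhone) return respond(201, { Authorization: `Bearer ${token}` }); // new user
    if (body.passcode === undefined) return respond(202);                                        // OTP sent
    return body.passcode === validPasscode
      ? respond(201, { Authorization: `Bearer ${token}` })
      : respond(401);
  };
  fake.calls = calls;
  return fake;
}
```

Keep the token in memory for the session rather than in logs or persistent storage, and treat any status other than 201 or 202 as a failure rather than retrying blindly; the passcode prompt should only appear after a 202, which is how the client tells a returning user from a sign-up.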

Once you have obtained a Session Token, you are ready to query the GraphQL endpoint and interact with the user's financial data.

See our API Reference for additional authentication actions, including endpoints for token introspection and revocation.