Quiltt supports multiple authorization scopes, depending on the level of access required.
Most API requests require a valid Authorization header, while pre-authenticated Connector interactions require a Session token to be passed to the SDK or via the JavaScript API.
This scope is used by the Auth API to issue Session tokens and by the Platform API to interact with Profiles, ACH Account Numbers, Processor Tokens, and more.
API Secret Auth is only appropriate for server-to-server use. Never expose your API Key in client-side code, GitHub or other insecure locations.
To use API Secret Auth, pass your API Key secret as a Bearer token in the Authorization header.
This scope is used to interact with an individual Profile.
The most flexible way to use this scope is to issue a Session token for a Profile and pass it as a Bearer token in the Authorization header. This can be used to pre-authenticate the Quiltt Connector for a specific end-user and interact with their data in the Profile GraphQL API.
Because Session tokens are ephemeral, expiring after 24 hours, they should be used by client-side code.
Session Token Auth is subject to per-profile rate limits, so be sure to cache and revoke Session tokens as appropriate. See the Rate Limits documentation for more information.
The Profile GraphQL API also supports Basic Authentication for server-to-server use. This allows you to authenticate with a Profile ID and your API Key secret, without having to issue a Session token.
To use Basic Auth, provide a Base64-encoded combination of a Profile ID and API Key secret, separated by a colon. Note that UUIDs are supported as well.
Basic Auth is only appropriate for server-to-server use. Never expose your API Key in client-side code, GitHub or other insecure locations.
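The header formats and the caching advice above, as an added Node.js example that is not Quiltt's own code. The function and class names, the five-minute refresh margin and all sample values are assumptions; issuing and revoking tokens through the Auth API is left to the caller.

```javascript
// Added example (not Quiltt code). Names and sample values are assumptions.
const SESSION_LIFETIME_MS = 24 * 60 * 60 * 1000; // Session tokens expire after 24 hours
const SAFETY_MARGIN_MS = 5 * 60 * 1000;          // assumed margin: refresh a little early

// API Secret Auth and Session Token Auth both send a Bearer token.
function bearerHeader(token) {
  if (!token) throw new Error('missing token');
  return { Authorization: `Bearer ${token}` };
}

// Basic Auth: Base64 of "<Profile ID>:<API Key secret>". Server-side only.
function basicHeader(profileId, apiKeySecret) {
  if (!profileId || !apiKeySecret) throw new Error('missing credential');
  // RFC 7617: the user-id part cannot contain a colon.
  if (profileId.includes(':')) throw new Error('Profile ID must not contain ":"');
  const pair = Buffer.from(`${profileId}:${apiKeySecret}`, 'utf8').toString('base64');
  return { Authorization: `Basic ${pair}` };
}

// In-memory, per-Profile Session token cache with an injectable clock.
class SessionTokenCache {
  constructor(now = Date.now) {
    this.now = now;
    this.entries = new Map(); // profileId -> { token, expiresAt }
  }
  // Store a token right after the Auth API issues it.
  set(profileId, token) {
    const expiresAt = this.now() + SESSION_LIFETIME_MS - SAFETY_MARGIN_MS;
    this.entries.set(profileId, { token, expiresAt });
  }
  // Return a still-valid token, or null when the caller must issue a new one.
  get(profileId) {
    const entry = this.entries.get(profileId);
    if (!entry) return null;
    if (entry.expiresAt <= this.now()) {
      this.entries.delete(profileId);
      return null;
    }
    return entry.token;
  }
  // Drop the cached token (for example on logout) and hand it back so the
  // caller can also revoke it with the Auth API.
  evict(profileId) {
    const entry = this.entries.get(profileId);
    this.entries.delete(profileId);
    return entry ? entry.token : null;
  }
}
```

Reusing a cached Session token per Profile keeps token issuance within the per-profile rate limits, and only the Bearer header built from a Session token should ever reach client-side code.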
Auth API Reference