Authentication
Quiltt supports multiple authorization scopes, depending on the level of access required.
Most API requests require a valid Authorization header, while pre-authenticated Connector interactions require a Session token to be passed to the SDK or via the JavaScript API.
Environment Scope
This scope is used to issue Session tokens in the Auth API and to interact with Profiles, Webhooks, Remote Data, and ACH Account numbers in the Platform API.
API Secret Auth
API Secret Auth is only appropriate for server-to-server use. Never expose your API Key secret in client-side code, in source control such as GitHub, or in other insecure locations.
To use API Secret Auth, pass your API Key secret as a Bearer token in the Authorization header.
Authorization: Bearer <API_KEY_SECRET>
Profile Scope
This scope is used to interact with an individual Profile.
Session Token Auth
The most secure and flexible way to use this scope is to issue a Session token for a Profile and pass it as a Bearer token in the Authorization header. This can be used to pre-authenticate the Quiltt Connector for a specific end-user and interact with their data in the Profile GraphQL API.
Because Session tokens are ephemeral and scoped to a single Profile, they can be used in both server-side and client-side code.
Authorization: Bearer <SESSION_TOKEN>
Basic Auth
The Profile GraphQL API also supports Basic Authentication for server-to-server use. This allows you to authenticate with a Profile ID and your API Key secret, without having to issue a Session token.
Basic Auth is only appropriate for server-to-server use. Never expose your API Key secret in client-side code, in source control such as GitHub, or in other insecure locations.
To use Basic Auth, join the Profile ID and your API Key secret with a colon (profileId:API_KEY_SECRET), Base64-encode the result, and pass it as the Basic credential in the Authorization header.
Authorization: Basic <Base64-encoded profileId:API_KEY_SECRET>
Examples
require "base64" # strict_encode64 emits no line breaks, which an Authorization header must not contain
encoded = Base64.strict_encode64("#{profileId}:#{API_KEY_SECRET}")
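The following Ruby module is an added example, not Quiltt's own SDK code. It builds the Authorization header for each of the three schemes described on this page (API Secret Auth, Session Token Auth and Basic Auth), decodes a Basic credential back into its parts, and applies the page's "never expose your API Key secret client-side" rule as a check. The module name QuilttAuth, the method names, and the credential values in the comments are assumptions made for the example.

```ruby
require "base64"

# Added example (not Quiltt's own code). Builds Authorization headers for the
# schemes documented on this page. All credential strings passed in are
# placeholders constructed by the caller.
module QuilttAuth
  # Environment scope: API Secret Auth. Server-to-server only.
  def self.api_secret_header(api_key_secret)
    { "Authorization" => "Bearer #{api_key_secret}" }
  end

  # Profile scope: Session Token Auth. Ephemeral, so usable from clients too.
  def self.session_header(session_token)
    { "Authorization" => "Bearer #{session_token}" }
  end

  # Profile scope: Basic Auth with "profileId:API_KEY_SECRET". Server-to-server only.
  # strict_encode64 (not encode64) is used because encode64 inserts newlines
  # every 60 characters, which would corrupt the header value.
  def self.basic_header(profile_id, api_key_secret)
    raise ArgumentError, "profile id must not contain ':'" if profile_id.include?(":")
    encoded = Base64.strict_encode64("#{profile_id}:#{api_key_secret}")
    { "Authorization" => "Basic #{encoded}" }
  end

  # Decode a Basic credential back into [profile_id, api_key_secret].
  # Splits on the first colon only, so a secret containing ':' survives.
  def self.parse_basic_header(value)
    scheme, encoded = value.to_s.split(" ", 2)
    raise ArgumentError, "not a Basic Authorization header" unless scheme == "Basic" && encoded
    Base64.strict_decode64(encoded).split(":", 2)
  end

  # Check for the rule on this page: only a Session token Bearer header may be
  # sent from client-side code. Basic headers embed the API Key secret, and a
  # Bearer header whose token is the API Key secret is API Secret Auth.
  def self.client_safe?(headers, api_key_secret)
    value = headers["Authorization"].to_s
    return false if value.start_with?("Basic ")
    return false if value == "Bearer #{api_key_secret}"
    value.start_with?("Bearer ")
  end
end

# Usage with constructed placeholder credentials:
#   QuilttAuth.basic_header("prof_123", "sk_test_abc")
#   QuilttAuth.client_safe?(QuilttAuth.session_header("sess_tok"), "sk_test_abc") # true
```

The `client_safe?` check is a build-time or test-time guard, not a substitute for keeping the secret out of the client bundle: run it in a test that exercises the code path that constructs headers for the browser, so a refactor that accidentally switches the client to Basic Auth or to the raw API Key secret fails CI.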
Auth API Reference