Issuing Session Tokens

Session tokens authenticate Profile-specific requests to the Connector and GraphQL API. Issue them server-side, use them client-side.

POSThttps://auth.quiltt.io/v1/users/sessionsCopy endpoint URL to clipboard

Required headers:

Link to this section#Existing Profile

Provide the Profile ID in the request body:

Link to this section#New Profile

Create a Profile and issue a token in one request. Optionally provide Profile attributes or your own UUID:

Link to this section#Best Practices

Link to this section#Cache Tokens

Session tokens last 24 hours. Cache client-side to avoid rate limits:

Link to this section#Revoke on Logout

Revoke tokens at logout to free rate limit quota:

Link to this section#Advanced

Link to this section#Update Profile Attributes

Provide optional attributes when issuing tokens for existing or new Profiles:

The supplied email and metadata will be persisted to the Profile for future use.

See the API reference for all supported attributes.

Link to this section#Custom Profile IDs

Provide your own UUID for new Profiles to maintain referential integrity with external systems:

Or create Profiles directly via the Platform API.

Link to this section#Self-Signed Tokens

Issue Session tokens on your server without calling the Auth API. Contact us to request a signing secret.

Link to this section#Troubleshooting

Link to this section#429 "Too Many Requests"

Hit the rate limit (10/hour or 20/day per Profile). Common causes:

1. Not caching tokens (issuing on every page load)
2. Not checking expiration (issuing when cache valid)
3. Not revoking on logout (old tokens count)

Fix:

• Cache tokens as shown in Best Practices
• Check expiration before issuing
• Revoke tokens on logout
• Switch to Basic Auth for server-side use