Issuing Session Tokens
Auth API Reference
Session Tokens are the primary way to authenticate user-specific interactions in Quiltt, including for Connector and the GraphQL API. The Session token scopes all operations to a specific Profile, ensuring that associated data is securely isolated.
Session tokens can be issued with a server-side POST call to the following endpoint:
POST https://auth.quiltt.io/v1/users/sessions
The following headers must be provided:
Authenticating an Existing Profile
To authenticate an existing Profile, provide their ID in the `userId` body param:
Successful responses will return a `201` HTTP response code, along with the Session token in the body:
Authenticating a New Profile
To authenticate a Profile for an end-user unknown to Quiltt, skip the `userId` body param, or provide your own UUID to be assigned to the newly created Profile.
Successful responses will return a `201` HTTP status code and the Session token for the newly created Profile in the body:
Make sure to persist the `userId`
Unless you're supplying your own UUIDs, be sure to persist the auto-generated `userId` in your system so you can re-authenticate the Profile in the future.
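The two flows above, as an added server-side sketch that is not Quiltt's own code. It assumes a Bearer API secret header, JSON response fields named `token` and `userId`, and a hypothetical `id_store` mapping from your own user key to the Quiltt `userId`.

```python
import json
import urllib.request

SESSIONS_URL = "https://auth.quiltt.io/v1/users/sessions"  # endpoint from this page


def build_session_request(api_secret, user_id=None):
    """Build the server-side POST; omitting user_id asks for a new Profile."""
    body = {"userId": user_id} if user_id else {}
    return urllib.request.Request(
        SESSIONS_URL,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            # Assumed headers: a Bearer API secret and a JSON content type.
            "Authorization": f"Bearer {api_secret}",
            "Content-Type": "application/json",
        },
    )


def _send(request):
    # Real network call, made from the server so the secret stays there.
    return urllib.request.urlopen(request, timeout=10)


def issue_session(api_secret, id_store, local_user, send=_send):
    """Return a Session token for local_user, persisting a new userId first.

    id_store is a hypothetical mapping (a dict here, a database table in
    practice) from your own user key to the Quiltt userId.
    """
    known_id = id_store.get(local_user)
    with send(build_session_request(api_secret, known_id)) as resp:
        if resp.status != 201:  # the page documents 201 as the success code
            raise RuntimeError(f"session not issued: HTTP {resp.status}")
        payload = json.load(resp)
    # Assumed response fields: "token" and "userId".
    if known_id is None:
        # Persist before handing out the token so the Profile can be
        # re-authenticated later instead of being created a second time.
        id_store[local_user] = payload["userId"]
    elif payload["userId"] != known_id:
        raise RuntimeError("token was issued for a different Profile")
    return payload["token"]
```

Pass a fake `send` to exercise the logic offline; the default performs the real request.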
Using the Session Token
Once you have a Session token, you can pre-authenticate your end-user to use the Connector, or interact with their financial data through the Profile GraphQL API.
Advanced
Updating Profile Attributes
Whether you're authenticating an existing Profile or a new Profile, you can provide optional attributes to set on the Profile, like so:
The Session will be created and the provided attributes set on the Profile. See the API reference for the full list of supported attributes.
Supplying IDs for New Profiles
To support referential integrity with other data systems, our authentication system is designed in an "import pipeline" style, backed by UUID primary keys.
This means that instead of having Quiltt auto-generate IDs for newly created Profiles, you can provide your own UUID to be used as an identifier in the Quiltt system.
Self-signed Session Tokens
In addition to issuing Session tokens through the Auth API, Quiltt also supports self-signed sessions. This allows you to issue Session tokens on your server, without having to call the Auth API. Please contact us to request a signing secret.