
Issuing Session tokens

Auth API Reference

For complete information on the endpoints and schemas available in the Auth API, explore the API Reference.

Interacting with a Profile's data requires a valid Session token. The Session token scopes all API operations to a specific profile, ensuring that associated data is securely isolated.

Session tokens can be issued with a server-side POST call to the following endpoint:

POST https://auth.quiltt.io/v1/users/sessions

The following headers must be provided:

Authorization: Bearer <API_SECRET_KEY>
Content-Type: application/json

Authenticating an Existing Profile

To authenticate an existing Profile, provide their ID in the userId body param:

curl --request POST \
  --url 'https://auth.quiltt.io/v1/users/sessions' \
  --header 'Authorization: Bearer <API_SECRET_KEY>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "userId": "p_11ewrVkEnd7LIvSVAmt8XL5"
  }'

Successful responses will return a 201 HTTP response code, along with the Session token in the body:

{
  "token": "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg",
  "expiration": 1672288186,
  "expiresAt": "2022-12-29T04:29:46Z",
  "userId": "p_11ewrVkEnd7LIvSVAmt8XL5"
}

Authenticating a New Profile

To authenticate a new Profile, skip the userId body param, or provide your own UUID to be assigned to the Profile.

curl --request POST \
  --url 'https://auth.quiltt.io/v1/users/sessions' \
  --header 'Authorization: Bearer <API_SECRET_KEY>' \
  --header 'Content-Type: application/json' \
  --data-raw '{}'

Successful responses will return a 201 HTTP status code and the Session token for the newly created Profile in the body:

{
  "token": "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg",
  "expiration": 1672288186,
  "expiresAt": "2022-12-29T04:29:46Z",
  "userId": "p_11ewrVkEnd7LIvSVAmt8XL5"
}

Make sure to persist the `userId`

Unless you're supplying your own UUIDs, be sure to persist the auto-generated userId in your system so you can re-authenticate the Profile in the future.

Using the Session Token

Once you have a Session token, you can pre-authenticate your end-user to use the Connector, or interact with their financial data through the Profile GraphQL API.

Advanced

Updating Profile Attributes

Whether you're authenticating an existing Profile or a new Profile, you can provide optional attributes to set on the Profile, like so:

curl --request POST \
  --url 'https://auth.quiltt.io/v1/users/sessions' \
  --header 'Authorization: Bearer <API_SECRET_KEY>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "email": "[email protected]"
  }'

The Session will be created for a new Profile with the provided attributes. See the API reference for the full list of supported attributes.

Supplying IDs for New Profiles

To support referential integrity with other data systems, our authentication system is designed in an "import pipeline" style, backed by UUID primary keys. This means that instead of having Quiltt auto-assign random IDs to newly created Profiles, you can provide your own UUID to be used as an identifier in the Quiltt system.

Note that at this time, only v4 UUIDs are supported.
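
The flow above as server-side Python, added here as an example and not taken from Quiltt's documentation or SDKs: it checks a caller-supplied ID is a v4 UUID before sending, accepts only the 201 response, and returns the userId to persist alongside the token. The QUILTT_API_SECRET_KEY variable name, the helper names, and the assumption that Quiltt-issued IDs begin with p_ (as in the sample response) are not from the page.

```python
import json
import os
import urllib.request
import uuid

SESSIONS_URL = "https://auth.quiltt.io/v1/users/sessions"


def is_uuid_v4(value):
    """True only for a canonical version 4 UUID string."""
    try:
        parsed = uuid.UUID(value)
    except (ValueError, AttributeError, TypeError):
        return False
    return parsed.version == 4 and str(parsed) == value.lower()


def build_body(user_id=None, **attributes):
    """Omit user_id for a new Profile, or pass a Profile ID or v4 UUID."""
    body = dict(attributes)
    if user_id is not None:
        # Assumption: Quiltt-issued IDs start with "p_" as in the page's
        # sample; any other value must be a caller-supplied v4 UUID.
        if not user_id.startswith("p_") and not is_uuid_v4(user_id):
            raise ValueError("userId must be a Profile ID or a v4 UUID")
        body["userId"] = user_id
    return body


def parse_session(status, raw):
    """Accept only the documented 201 response; return the fields to keep."""
    if status != 201:
        raise RuntimeError(f"session not issued (HTTP {status})")
    data = json.loads(raw)
    return {k: data[k] for k in ("token", "userId", "expiresAt")}


def issue_session(user_id=None, **attributes):
    """Server-side call; the key is read from the environment (variable
    name is an assumption) and must never be sent to the browser."""
    req = urllib.request.Request(
        SESSIONS_URL,
        data=json.dumps(build_body(user_id, **attributes)).encode(),
        headers={"Authorization": "Bearer " + os.environ["QUILTT_API_SECRET_KEY"],
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_session(resp.status, resp.read())
```

Only the returned token should be handed to the end-user's client; the userId is stored server-side for re-authentication.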

Self-signed Session Tokens

In addition to issuing Session tokens through the Auth API, Quiltt also supports self-signed sessions. This allows you to issue Session tokens on your server, without having to call the Auth API. Please contact us to request a signing secret.