
Authentication

Quiltt supports multiple authorization scopes, depending on the level of access required.

Most API requests require a valid Authorization header, while pre-authenticated Connector interactions require a Session token to be passed to the SDK or via the JavaScript API.

Environment Scope

This scope is used to issue Session tokens in the Auth API and to interact with Profiles, Webhooks, Remote Data, and ACH Account numbers in the Platform API.

API Secret Auth

API Secret Auth is only appropriate for server-to-server use. Never expose your API Key in client-side code, GitHub or other insecure locations.

To use API Secret Auth, pass your API Key secret as a Bearer token in the Authorization header.

Authorization: Bearer <API_KEY_SECRET>

Profile Scope

This scope is used to interact with an individual Profile.

Session Token Auth

The most secure and flexible way to use this scope is to issue a Session token for a Profile and pass it as a Bearer token in the Authorization header. This can be used to pre-authenticate the Quiltt Connector for a specific end-user and interact with their data in the Profile GraphQL API.

Because Session tokens are ephemeral in nature, they can be used in both server-side and client-side code.

Authorization: Bearer <SESSION_TOKEN>

Basic Auth

The Profile GraphQL API also supports Basic Authentication for server-to-server use. This allows you to authenticate with a Profile ID and your API Key secret, without having to issue a Session token.

Basic Auth is only appropriate for server-to-server use. Never expose your API Key in client-side code, GitHub or other insecure locations.

To use Basic Auth, provide a Base64-encoded combination of a Profile ID and API Key secret, separated by a colon.

Authorization: Basic <Base64-encoded profileId:API_KEY_SECRET>

Examples

require "base64"
encoded = Base64.strict_encode64("#{profileId}:#{API_KEY_SECRET}")
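The Basic Auth construction above, expanded into an added example that is not Quiltt's own code: it validates the two parts before encoding, shows that the header decodes straight back to the API Key secret (which is why it is server-to-server only), and redacts Authorization values for logs. The helper names and sample values are hypothetical and constructed for illustration.

```ruby
require "base64"

# Hypothetical helper (not part of any Quiltt SDK): builds the Basic header
# from a Profile ID and API Key secret. Call it only in server-side code.
def basic_auth_header(profile_id, api_key_secret)
  id = profile_id.to_s
  secret = api_key_secret.to_s
  raise ArgumentError, "Profile ID is empty" if id.empty?
  raise ArgumentError, "API Key secret is empty" if secret.empty?
  # RFC 7617: the user-id half must not contain ':' or the split is ambiguous.
  raise ArgumentError, "Profile ID must not contain ':'" if id.include?(":")
  # Control characters (CR/LF included) have no place in a credential.
  if "#{id}#{secret}".match?(/[[:cntrl:]]/)
    raise ArgumentError, "control character in credentials"
  end
  # strict_encode64 emits no line feeds; Base64.encode64 would append "\n"
  # and wrap long values, which corrupts the header.
  encoded = Base64.strict_encode64("#{id}:#{secret}")
  "Basic #{encoded}"
end

# Reverses the header. Base64 is an encoding, not encryption: anyone who
# sees the header recovers the API Key secret.
def decode_basic_header(header)
  scheme, encoded = header.to_s.split(" ", 2)
  raise ArgumentError, "not a Basic header" unless scheme == "Basic" && encoded
  # Split on the first ':' only, so a secret containing ':' survives intact.
  Base64.strict_decode64(encoded).split(":", 2)
end

# Returns a log-safe form of any Authorization header value (Basic or Bearer).
def redact_authorization(header)
  scheme = header.to_s.split(" ", 2).first
  "#{scheme} [REDACTED]"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real credentials.
  header = basic_auth_header("p_constructed_profile", "constructed-api-key-secret")
  puts redact_authorization(header)
  puts decode_basic_header(header).inspect
end
```
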

Auth API Reference

For complete information on the endpoints and schemas available in the Auth API, explore the API Reference.