Authentication

Authenticated API requests require a valid Authorization header. There are two authorization scopes: Environment-level and Profile-level.

Link to this section#Environment-level

This scope is used to manage Profiles, issue Session tokens and obtain sensitive financial data such as ACH account numbers.

Link to this section#API Secret Auth

To use API Secret Auth, pass your API Key secret as a Bearer token in the Authorization header. This is only appropriate for server-to-server use and should never be used in client-side code.

Authorization: Bearer <API_KEY_SECRET>

Link to this section#Profile-level

This scope is used to interact with an individual Profile's data.

Link to this section#Session Token Auth

The most secure and flexible way to use this scope is to issue a Session token for a Profile and pass it as a Bearer token in the Authorization header. This provides access to the Profile GraphQL API and can be used to pre-authenticate the Quiltt Connector for a specific end-user.

Because Session tokens are ephemeral in nature, they can be used in both server-side and client-side code.

Authorization: Bearer <SESSION_TOKEN>

Link to this section#Basic Auth

The GraphQL API also supports Basic Auth, for server-to-server use-cases. This allows you to authenticate with a Profile ID and your API Key secret, instead of generating Session tokens.

To use Basic Auth, provide a Base64-encoded combination of a Profile ID and API Key secret, separated by a colon.

Authorization: Basic <Base64-encoded profileId:API_KEY_SECRET>

Here's an example using Ruby: Base64.strict_encode64("#{profile_id}:#{API_KEY_SECRET}"