Authentication
Authenticated API requests require a valid Authorization header. There are two authorization scopes: Environment-level and Profile-level.
Environment-level
This scope is used to manage Profiles, issue Session tokens and obtain sensitive financial data such as ACH account numbers.
API Secret Auth
To use API Secret Auth, pass your API Key secret as a Bearer token in the Authorization header. This is only appropriate for server-to-server use and should never be used in client-side code.
Authorization: Bearer <API_KEY_SECRET>
Profile-level
This scope is used to interact with an individual Profile's data.
Session Token Auth
The most secure and flexible way to use this scope is to issue a Session token for a Profile and pass it as a Bearer token in the Authorization header. This provides access to the Profile GraphQL API and can be used to pre-authenticate the Quiltt Connector for a specific end-user.
Because Session tokens are ephemeral in nature, they can be used in both server-side and client-side code.
Authorization: Bearer <SESSION_TOKEN>
Basic Auth
The GraphQL API also supports Basic Auth, for server-to-server use-cases. This allows you to authenticate with a Profile ID and your API Key secret, instead of generating Session tokens.
To use Basic Auth, provide a Base64-encoded combination of a Profile ID and API Key secret, separated by a colon.
Authorization: Basic <Base64-encoded profileId:API_KEY_SECRET>
Here's an example using Ruby:
require "base64"
Base64.strict_encode64("#{profile_id}:#{API_KEY_SECRET}")
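As an added example (not Quiltt's own code), the following Ruby builds the Authorization header for each of the three schemes described above and decodes a Basic Auth header back into its parts. The credential values are constructed placeholders; the header formats are those given on this page.

```ruby
require "base64"

# Constructed placeholder credentials (not real Quiltt values).
API_KEY_SECRET = "sk_test_EXAMPLE_SECRET"
PROFILE_ID     = "p_EXAMPLE_PROFILE"
SESSION_TOKEN  = "st_EXAMPLE_SESSION"

# Environment-level scope: API Key secret as a Bearer token.
# Server-to-server only; never ship this header from client-side code.
def api_secret_auth_header(secret)
  { "Authorization" => "Bearer #{secret}" }
end

# Profile-level scope: ephemeral Session token as a Bearer token.
def session_token_auth_header(token)
  { "Authorization" => "Bearer #{token}" }
end

# Profile-level scope via Basic Auth: Base64("profileId:API_KEY_SECRET").
# strict_encode64 is required here: Base64.encode64 inserts a newline every
# 60 characters, which corrupts the header value.
def basic_auth_header(profile_id, secret)
  raise ArgumentError, "profile id must not contain ':'" if profile_id.include?(":")
  { "Authorization" => "Basic #{Base64.strict_encode64("#{profile_id}:#{secret}")}" }
end

# Decode a Basic Auth header value into { profile_id:, secret: }.
# Splits on the first colon only, so a secret containing ':' survives.
# Returns nil for a non-Basic scheme or malformed Base64 instead of raising.
def parse_basic_auth_header(value)
  scheme, encoded = value.to_s.split(" ", 2)
  return nil unless scheme == "Basic" && encoded
  begin
    decoded = Base64.strict_decode64(encoded)
  rescue ArgumentError
    return nil
  end
  return nil unless decoded.include?(":")
  profile_id, secret = decoded.split(":", 2)
  { profile_id: profile_id, secret: secret }
end

if __FILE__ == $PROGRAM_NAME
  header = basic_auth_header(PROFILE_ID, API_KEY_SECRET)
  puts header["Authorization"]
  p parse_basic_auth_header(header["Authorization"])
end
```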
Auth API Reference
For complete information on the available endpoints and schemas available in the Auth API, explore the API Reference.