

Authenticated API requests require a valid Authorization header. There are two authorization scopes: Environment-level and Profile-level.

Environment-level

This scope is used to manage Profiles, issue Session tokens and obtain sensitive financial data such as ACH account numbers.

Using this scope requires passing your API Key secret as a Bearer token. This is only appropriate for server-to-server use and should never be used in client-side code.

Profile-level

This scope is used to interact with an individual Profile's data.

Session tokens

The most secure and flexible way to use this scope is to issue a Session token for a Profile and pass it as a Bearer token. This provides access to the Profile GraphQL API and can be used to pre-authenticate the Quiltt Connector for a specific end-user.

Because Session tokens are ephemeral in nature, they can be safely used in both server-side and client-side code.

Basic Auth

The GraphQL API also supports Basic Auth, for server-to-server use-cases. This allows you to authenticate with a Profile ID and your API Key secret, instead of generating a Session token.

To use Basic Auth, provide a Base64-encoded combination of a Profile ID and API Key secret, separated by a colon.

Here's an example using Ruby: Base64.strict_encode64("#{profile_id}:#{API_KEY_SECRET}")
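The following is an added example, not Quiltt's own code: it builds the full Authorization header value for both the Basic and Bearer forms described above, rejects inputs that would corrupt the header, and redacts the credential for logging. The module name `AuthHeader`, the `API_KEY_SECRET` environment variable and all sample values are assumptions made for illustration.

```ruby
require "base64"

# Added example (hypothetical helper, not part of any Quiltt SDK).
module AuthHeader
  CTL = /[\x00-\x1f\x7f]/ # control characters, including CR/LF

  # Profile-level, server-to-server: "Basic " + base64(profile_id:api_key_secret)
  def self.basic(profile_id, api_key_secret)
    [profile_id, api_key_secret].each do |v|
      raise ArgumentError, "empty credential part" if v.nil? || v.empty?
      raise ArgumentError, "control character in credential" if v.match?(CTL)
    end
    # Per RFC 7617 the user-id part must not contain a colon, because the
    # receiver splits the decoded value on the first colon.
    raise ArgumentError, "profile_id contains ':'" if profile_id.include?(":")
    # strict_encode64 emits no newlines. Base64.encode64 wraps its output
    # every 60 characters, which would put a line break inside the header.
    "Basic " + Base64.strict_encode64("#{profile_id}:#{api_key_secret}")
  end

  # Session token (Profile-level) or API Key secret (Environment-level, server only)
  def self.bearer(token)
    raise ArgumentError, "empty token" if token.nil? || token.empty?
    raise ArgumentError, "invalid character in token" if token.match?(/[\s\x00-\x1f\x7f]/)
    "Bearer #{token}"
  end

  # Decode a Basic header back into [profile_id, secret]; used here to verify
  # the round trip, splitting on the first colon only.
  def self.parse_basic(header)
    scheme, b64 = header.split(" ", 2)
    raise ArgumentError, "not a Basic header" unless scheme == "Basic" && b64
    Base64.strict_decode64(b64).split(":", 2)
  end

  # Form that is safe to log: keep the scheme, drop the credential.
  def self.redact(header)
    header.sub(/\A(\S+)\s+.*\z/m, '\1 [REDACTED]')
  end
end

if __FILE__ == $PROGRAM_NAME
  profile_id = "p_constructed_profile_id" # constructed sample value
  # Read the secret from the server's environment; the fallback is constructed.
  secret = ENV.fetch("API_KEY_SECRET", "constructed-secret-" + "x" * 40)
  puts AuthHeader.redact(AuthHeader.basic(profile_id, secret))
end
```

Log only the redacted form: the Base64 in a Basic header is an encoding, not encryption, so the raw header discloses the API Key secret to anyone who can read it.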

Auth API Reference

For complete information on the endpoints and schemas available in the Auth API, explore the API Reference.