Authentication

Auth API Reference

For complete information on the endpoints and schemas available in the Auth API, explore the API Reference.

Authenticated API requests require a valid Bearer token, passed in via the Authorization header. There are two authorization scopes:

Deployment-level authorization

Deployment-level requests require authorization via your API Secret and allow you to manage your users, issue session tokens and obtain sensitive financial data such as ACH account numbers.

This authorization scope is only appropriate for server-to-server use and should never be used in client-side code.

Checking your API Secret

GET https://auth.quiltt.io/v1/deployment

You can check if your API Secret is valid by passing it in the Authorization header:

curl --request GET \
  --url 'https://auth.quiltt.io/v1/deployment' \
  --header 'Authorization: Bearer {{APP_SECRET}}'

Successful responses return a 200 HTTP response code, along with information about your deployment in the body:

{
  "id": "7d86b825-f937-4cb5-97cc-384603736d7b",
  "name": "API",
  "environment": {
    "id": "06559c18-7e0d-4a45-b3a3-b0853af1d9fd",
    "mode": "SANDBOX",
    "name": "Sandbox"
  }
}
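
A server-side startup check built on this endpoint, as an added example that is not Quiltt's own code: it sends the API Secret to the endpoint above, treats anything other than 200 as a failure, and compares `environment.mode` with the mode the service expects so a secret for the wrong environment is caught early. The `QUILTT_API_SECRET` variable name, the function names and the injectable `transport` parameter are assumptions made for the example.

```python
import json
import os
import urllib.error
import urllib.request

DEPLOYMENT_URL = "https://auth.quiltt.io/v1/deployment"  # endpoint from the page


def http_get(url, headers):
    """Default transport: return (status_code, body_text) for a GET request."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        # Non-2xx answers arrive as exceptions; only the status code is kept.
        return err.code, ""


def check_api_secret(secret, expected_mode="SANDBOX", transport=http_get):
    """Validate the API Secret and confirm it belongs to the expected environment.

    Returns (ok, detail). The secret itself never appears in the detail string,
    so the result is safe to write to logs.
    """
    if not secret:
        return False, "API Secret is not set"
    status, body = transport(DEPLOYMENT_URL, {"Authorization": f"Bearer {secret}"})
    if status != 200:  # the page documents 200 as the success code
        return False, f"secret rejected (HTTP {status})"
    try:
        mode = json.loads(body)["environment"]["mode"]
    except (ValueError, KeyError, TypeError):
        return False, "unexpected response body"
    if mode != expected_mode:
        return False, f"secret is for {mode}, expected {expected_mode}"
    return True, f"secret valid for {mode}"


if __name__ == "__main__":
    # QUILTT_API_SECRET is an assumed variable name; read it on the server only.
    ok, detail = check_api_secret(os.environ.get("QUILTT_API_SECRET", ""))
    print(detail)
    raise SystemExit(0 if ok else 1)
```
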

User-level authorization

User-specific requests require authentication via a user's Session Token and allow you to interact with a user's financial data via the GraphQL API or to load the Quiltt Widget for the user.

The Issuing Session Tokens guide shows you how to generate a Session Token on behalf of your user, authenticating via your API Secret. This can also be used to import/sync your pre-existing users into Quiltt.


See the Auth API Reference for full documentation of the supported endpoints.