Quiltt Logo

Issuing session tokens

Auth API Reference

For complete information on the available endpoints and schemas available in the Auth API, explore the API Reference.

Interacting with user-specific data in Quiltt requires a valid session token. The session token scopes all API operations to a specific user, ensuring that each user's data is securely isolated.

Session tokens can be issued with a server-side POST call to the following endpoint:


The following headers must be provided:

Authorization: Bearer {{API_SECRET}} Content-Type: application/json

Link to this section#Authenticating an Existing User

To authenticate an existing user, provide their userId as a body param:

curl --request POST \ --url 'https://auth.quiltt.io/v1/users/sessions' \ --header 'Authorization: Bearer {{API_SECRET}}' \ --header 'Content-Type: application/json' \ --data-raw '{ "userId": "368ed6b0-f8e3-40f5-a20b-aa5a95488ecf" }'

Successful responses will return a 201 HTTP response code, along with the user's session token in the body:

{ "token": "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NjMwODU3NjUsImlhdCI6MTY2MzA4NTc2NSwianRpIjoiMzlhNjU0YzgtNDliMC00YTRiLWEzNmEtZWIwOGQ0YzQwY2E1IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjYzMTcyMTY1LCJ2ZXIiOjJ9.vJ29wrbbcgBP6KyfI876hLJ9_2wsbQ3aeCl4U7fwAVnk2-_4VoGFLOFcKN0831jqzSvDqEN8AsFVoHIyoyUc2g", "expiration": 1621370019, "userId": "368ed6b0-f8e3-40f5-a20b-aa5a95488ecf" }

Link to this section#Authenticating a New User

To authenticate a new user, skip the userId body param, or provide your own UUID to be set as the user's primary key:

curl --request POST \ --url 'https://auth.quiltt.io/v1/users/sessions' \ --header 'Authorization: Bearer {{API_SECRET}}' \ --header 'Content-Type: application/json' \ --data-raw '{}'

Successful responses will return a 201 HTTP status code, along with a user session token for the new user in the body:

{ "token": "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NjMwODYwNzcsImlhdCI6MTY2MzA4NjA3NywianRpIjoiZDMyYTM1N2MtNTgxNC00MDJhLWE0NzMtYjNkMjAxYzY3MWE5IiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjYzMTcyNDc3LCJ2ZXIiOjJ9.P628to8t2ta51yU_35pO7AlvA5b4UXa03YZDC17nxAOZQRkNT4XEycKj-8vVlPEOkTPHoF-hi3NpTn_3vjXphQ", "expiration": 1621370441, "userId": "f5db0067-3482-4a3a-b05c-7b1b560d1fae" }

Make sure to persist the `userId`

If you did not provide your own userId for the new user, you must persist the auto-generated userId in your system so you can re-authenticate this user in the future.

Link to this section#Using the Session Token

Once you have obtained a session token, you are can make authenticated requests to GraphQL and interact with the user's financial data.

Link to this section#Advanced

Link to this section#Updating Profile Attributes

Whether you're authenticating an existing user or a new user, you can provide optional profile attributes to set on the user. See the API reference for documentation.

Link to this section#Supplying an ID for New Users

For optimal support for referential integrity, our authentication system is designed in an "import pipeline" style, backed by UUID primary keys. This means that instead of Quiltt assigning user IDs to newly created users, you can provide your own userId for Quiltt to persist as the the primary identifier for a user. This allows Quiltt to seamlessly serve as an extension to your data infrastructure.

Note that at this time, only v4 UUIDs are supported.

Link to this section#Self-signed Sessions

In additional to issuing sessions through the Auth API, Quiltt also supports self-signed sessions. This allows you to issue session tokens on your end, without calling the Auth API. Please contact us to request a signing secret.