How to Implement Passwordless Auth
Quiltt's passwordless authentication system combines the Sign Up and Sign In user actions into one flow, using one-time passcodes (OTP) to reduce onboarding friction and remove the need to store or exchange passwords.
To get started, you will need a Quiltt Deployment configured with your desired authentication strategy. Currently, we support email-based and SMS-based authentication strategies. The strategy determines what serves as the user's username (email | phone).
The Passwordless Flow
- Your application sends the user's username (email | phone) to Quiltt's authentication endpoint.
- If no user is found with the given username (email | phone), the request will create a new user and return a Session Token for that user, completing the flow.
- If an existing user is found with the given username (email | phone), the request will issue a one-time passcode to the user (via email or SMS). Your application can then supply this passcode, along with the user's username (email | phone), and Quiltt will return a Session Token for the user.
The Session Token is returned in the Authorization header as a Bearer token. You can authenticate with our GraphQL endpoint by providing this Session Token in the Authorization header.
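The two-step flow above as an added client-side example (not Quiltt's SDK or sample code): a Bearer token in the response's Authorization header is treated as the only proof that authentication completed, and otherwise the client records that a passcode was issued. The endpoint is the one documented here; the JSON request body, the field names email, phone and passcode, and the fake server used to run it offline are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Mapping, Optional, Tuple

# Endpoint from the Quiltt docs; a JSON body with fields "email"/"phone"/"passcode" is assumed.
SESSIONS_URL = "https://auth.quiltt.io/v1/users/sessions"
# transport(url, body) -> (status, response headers); injected so the flow runs offline.
Transport = Callable[[str, dict], Tuple[int, Mapping[str, str]]]

@dataclass
class Outcome:
    session_token: Optional[str] = None  # set only once the flow has completed
    passcode_sent: bool = False          # set when Quiltt issued an OTP instead

def _token_from(headers: Mapping[str, str]) -> Optional[str]:
    """Extract the Session Token from an 'Authorization: Bearer <token>' header."""
    scheme, _, token = (headers.get("Authorization") or headers.get("authorization") or "").strip().partition(" ")
    return token.strip() if scheme == "Bearer" and token.strip() else None

def start(transport: Transport, strategy: str, username: str) -> Outcome:
    """Step 1: send only the username. New user -> token now; existing user -> OTP."""
    status, headers = transport(SESSIONS_URL, {strategy: username})
    token = _token_from(headers)
    if token:
        return Outcome(session_token=token)
    if 200 <= status < 300:
        return Outcome(passcode_sent=True)
    raise RuntimeError(f"authentication request failed with HTTP {status}")

def verify(transport: Transport, strategy: str, username: str, passcode: str) -> Outcome:
    """Step 2: send username + passcode; only a Bearer token in the response counts."""
    _, headers = transport(SESSIONS_URL, {strategy: username, "passcode": passcode})
    token = _token_from(headers)
    if token is None:
        raise PermissionError("passcode rejected")  # do not echo the passcode into logs
    return Outcome(session_token=token)

def make_fake_transport(known_users: set, passcode: str, token: str) -> Transport:
    """Constructed stand-in for the server (not Quiltt's), modelling both branches."""
    def fake(url: str, body: dict) -> Tuple[int, Mapping[str, str]]:
        assert url == SESSIONS_URL
        username = body.get("email") or body.get("phone")
        if username not in known_users:            # unknown username: create and sign in
            known_users.add(username)
            return 200, {"Authorization": f"Bearer {token}"}
        if "passcode" not in body:                 # known username: OTP issued, no token
            return 200, {}
        ok = hmac.compare_digest(body["passcode"], passcode)
        return (200, {"Authorization": f"Bearer {token}"}) if ok else (401, {})
    return fake
```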
Implementing SMS-based Authentication
POST https://auth.quiltt.io/v1/users/sessions
Authenticating a new user
You can create a new user by identifying them with their unique phone. This will create the new user and return a valid Session Token, completing the authentication flow.
Request
Response
Authenticating an existing user
Submit the user's phone, which will send them a one-time passcode via SMS.
Request
Response
After prompting the user for their passcode, submit the user's phone along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.
Request
Response
Implementing Email-based Authentication
POST https://auth.quiltt.io/v1/users/sessions
Authenticating a new user
You can create a new user by identifying them with their unique email. This will create the new user and return a valid Session Token, completing the authentication flow.
Request
Response
Authenticating an existing user
Submit the user's email, which will send them a one-time passcode via email.
Request
Response
After prompting the user for their passcode, submit the user's email along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.
Request
Response
Once you have obtained a Session Token, you are ready to talk to GraphQL and interact with the user's financial data.
See our API Reference for additional authentication actions, including token introspection and revocation flows.