
How to Implement Passwordless Auth

Quiltt's passwordless authentication system combines the Sign up and Sign In user actions into one flow, using one-time passcodes (OTP) to reduce onboarding friction and remove the need to store or exchange passwords.

To get started, you will need to have a Quiltt Deployment configured with your desired authentication strategy. Currently, we support email-based and SMS-based authentication strategies. The strategy will determine what will serve as the user's username (email|phone).

The Passwordless Flow

  1. Your application sends the user's username (email|phone) to Quiltt's authentication endpoint.
  2. If no user is found with the given username (email|phone), the request will create a new user, and return a Session Token for that user, completing the flow.
  3. If an existing user is found with the given username (email|phone), the request will issue a one-time passcode to the user (via email or SMS). Your application can then supply this passcode, along with the user's username (email|phone), and Quiltt will return a Session Token for the user.

The Session Token will be returned in the Authorization header as a Bearer token. You can authenticate with our GraphQL endpoint by providing this Session Token in the Authorization header.

Implementing SMS-based Authentication

POST https://auth.quiltt.io/v1/users/sessions

Authenticating a new user

You can create a new user by identifying them with their unique phone. This will create the new user and return a valid Session Token, completing the authentication flow.

Request

POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 87

{
  "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
  "phone": "+12223334444"
}

Response

HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg

Authenticating an existing user

  1. Submit the user's phone, which will send them a one-time passcode via SMS.

    Request

    POST /v1/users/session HTTP/1.1
    Content-Type: application/json
    Host: auth.quiltt.io
    Content-Length: 87

    {
      "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
      "phone": "+12223334444"
    }

    Response

    HTTP/1.1 202 Accepted

  2. After prompting the user for their passcode, submit the user's phone along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.

    Request

    curl -X POST \
      https://auth.quiltt.io/v1/users/session \
      -H 'Content-Type: application/json' \
      -d '{
        "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
        "phone": "+12223334444",
        "passcode": "000000"
      }'

    Response

    HTTP/1.1 201 Created
    Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg


Implementing Email-based Authentication

POST https://auth.quiltt.io/v1/users/sessions

Authenticating a new user

You can create a new user by identifying them with their unique email. This will create the new user and return a valid Session Token, completing the authentication flow.

Request

POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 89

{
  "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
  "email": "test@quiltt.io"
}

Response

HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg

Authenticating an existing user

  1. Submit the user's email, which will send them a one-time passcode via email.

    Request

    POST /v1/users/session HTTP/1.1
    Content-Type: application/json
    Host: auth.quiltt.io
    Content-Length: 89

    {
      "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
      "email": "test@quiltt.io"
    }

    Response

    HTTP/1.1 202 Accepted

  2. After prompting the user for their passcode, submit the user's email along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.

    Request

    POST /v1/users/session HTTP/1.1
    Content-Type: application/json
    Host: auth.quiltt.io
    Content-Length: 113

    {
      "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
      "email": "test@quiltt.io",
      "passcode": "000000"
    }

    Response

    HTTP/1.1 201 Created
    Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg


Once you have obtained a Session Token, you are ready to talk to GraphQL and interact with the user's financial data.
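The two-step flow above (both the SMS and the email variant), as an added example that is not Quiltt's own SDK code: the response handlers branch on the 201/202 statuses documented above and read the Session Token from the Authorization header, while the `post` transport, the fake server, its token value and its 401 for a wrong passcode are assumptions constructed here so the block runs offline.

```javascript
// Added example (not Quiltt's SDK): client for the passwordless flow, split into
// pure response handlers (unit-testable) and an async driver that sends requests.
const AUTH_URL = "https://auth.quiltt.io/v1/users/session";

// Pull the Session Token out of "Authorization: Bearer <token>".
function extractSessionToken(headers) {
  const value = headers.authorization || headers.Authorization || "";
  const match = /^Bearer\s+(\S+)$/.exec(value);
  if (!match) throw new Error("201 response did not carry a Bearer token");
  return match[1];
}

// First round trip: username only. 201 = new user created and signed in;
// 202 = existing user, a passcode was delivered out of band (SMS or email).
function handleIdentityResponse(res) {
  if (res.status === 201) {
    return { done: true, newUser: true, token: extractSessionToken(res.headers) };
  }
  if (res.status === 202) return { done: false, needPasscode: true };
  throw new Error(`unexpected status ${res.status} on username submission`);
}

// Second round trip: username + passcode. Only a 201 yields a Session Token.
function handlePasscodeResponse(res) {
  if (res.status !== 201) throw new Error(`passcode rejected: status ${res.status}`);
  return { done: true, newUser: false, token: extractSessionToken(res.headers) };
}

// Async driver. `post(url, body)` (assumed transport, e.g. a fetch wrapper) resolves
// to { status, headers }; identity is { email } or { phone }, per the deployment.
async function authenticate({ deploymentId, identity, post, promptPasscode }) {
  const first = handleIdentityResponse(await post(AUTH_URL, { deploymentId, ...identity }));
  if (first.done) return first;
  const passcode = await promptPasscode();
  return handlePasscodeResponse(await post(AUTH_URL, { deploymentId, ...identity, passcode }));
}

// Constructed stand-in for auth.quiltt.io so the block runs offline. The 401 for a
// wrong passcode is this fake's choice; the page does not specify that status.
function fakeAuthServer(existingUsers, validPasscode) {
  const ok = { status: 201, headers: { authorization: "Bearer constructed.session.token" } };
  return (_url, body) => {
    const username = body.email || body.phone;
    if (!existingUsers.has(username)) { existingUsers.add(username); return ok; }
    if (body.passcode === undefined) return { status: 202, headers: {} };
    return body.passcode === validPasscode ? ok : { status: 401, headers: {} };
  };
}
```

With a real transport, `post` would wrap `fetch` with `method: "POST"` and a JSON body and return `{ status: r.status, headers: Object.fromEntries(r.headers) }`; `Object.fromEntries` yields lowercase header names, which `extractSessionToken` accepts.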

See our API Reference for additional authentication actions, including token introspection and revocation flows.