How to Implement Passwordless Auth
Quiltt's passwordless authentication system combines the Sign up and Sign In user actions into one flow, using one-time passcodes (OTP) to reduce onboarding friction and remove the need to store or exchange passwords.
To get started, you will need to have a Quiltt Deployment configured with your desired authentication strategy. Currently, we support email-based and SMS-based authentication strategies. The strategy determines what serves as the user's username (email|phone).
The Passwordless Flow
- Your application sends the user's username (email|phone) to Quiltt's authentication endpoint.
- If no user is found with the given username (email|phone), the request creates a new user and returns a Session Token for that user, completing the flow.
- If an existing user is found with the given username (email|phone), the request issues a one-time passcode to the user (via email or SMS). Your application then supplies this passcode, along with the user's username (email|phone), and Quiltt returns a Session Token for the user.
The Session Token is returned in the Authorization header as a Bearer token. You can authenticate with our GraphQL endpoint by providing this Session Token in the Authorization header.
Implementing SMS-based Authentication
POST https://auth.quiltt.io/v1/users/sessions
Authenticating a new user
You can create a new user by identifying them with their unique phone. This will create the new user and return a valid Session Token, completing the authentication flow.
Request
POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 87
{
"deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
"phone": "+12223334444"
}
Response
HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg
Authenticating an existing user
Submit the user's phone, which will send them a one-time passcode via SMS.
Request
POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 87
{
"deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
"phone": "+12223334444"
}
Response
HTTP/1.1 202 Accepted
After prompting the user for their passcode, submit the user's phone along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.
Request
curl -X POST \
  https://auth.quiltt.io/v1/users/session \
  -H 'Content-Type: application/json' \
  -d '{ "deploymentId": "api_17NOEwVGcvyOqplnQdD27gY", "phone": "+12223334444", "passcode": "000000" }'
Response
HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg
Implementing Email-based Authentication
POST https://auth.quiltt.io/v1/users/sessions
Authenticating a new user
You can create a new user by identifying them with their unique email. This will create the new user and return a valid Session Token, completing the authentication flow.
Request
POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 89
{
"deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
"email": "test@quiltt.io"
}
Response
HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg
Authenticating an existing user
Submit the user's email, which will send them a one-time passcode via email.
Request
POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 89
{
"deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
"email": "test@quiltt.io"
}
Response
HTTP/1.1 202 Accepted
After prompting the user for their passcode, submit the user's email along with the passcode. If the combination is valid, this will authenticate the user and you will receive a valid Session Token, completing the authentication flow.
Request
POST /v1/users/session HTTP/1.1
Content-Type: application/json
Host: auth.quiltt.io
Content-Length: 113
{
"deploymentId": "api_17NOEwVGcvyOqplnQdD27gY",
"email": "test@quiltt.io",
"passcode": "000000"
}
Response
HTTP/1.1 201 Created
Authorization: Bearer eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg
Once you have obtained a Session Token, you are ready to talk to GraphQL and interact with the user's financial data.
See our API Reference for additional authentication actions, including token introspection and revocation flows.
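The SMS and email sections above are the same two-step state machine (201 = token issued now, 202 = passcode challenge pending), so here it is as one client, written as an added example rather than Quiltt's own SDK. The `transport` callable, the `fake_transport` stand-in for auth.quiltt.io and its `KNOWN_USERS` set are assumptions made so the flow runs offline; the Session Token is the one from the example responses on this page, and `token_claims` reads it without signature verification, which is only good for scheduling re-authentication, never for trusting identity.

```python
import base64
import json

AUTH_URL = "https://auth.quiltt.io/v1/users/session"  # endpoint from the docs
# Session Token copied from the example responses on this page (a sample, not a live credential)
SAMPLE_TOKEN = "eyJhbGciOiJIUzUxMiJ9.eyJuYmYiOjE2NzE4MjI5MTIsImlhdCI6MTY3MTgyMjkxMiwianRpIjoiNDU1MWNhNDktYzAwMi00ZDliLTkyZWMtNDY1MDE4ZTI4ZmRjIiwiaXNzIjoiYXV0aC5xdWlsdHQuaW8iLCJhdWQiOiJhcGkucXVpbHR0LmlvIiwiZXhwIjoxNjcxOTA5MzEyLCJ2ZXIiOjIsImRpZCI6ImFwaV8xN05PRXdWR2N2eU9xcGxuUWREMjdnWSIsInVpZCI6InBfMTFld3JWa0VuZDdMSXZTVkFtdDhYTDUifQ.5tYTjr_k0GKG6LsaAEt3V0RAiJe9UU59USUAASJTXf5e1923njb4UqYUozAVm34fARXT-SRvlE1-_J4wdiVNwg"

def session_token(headers):
    """Extract the Session Token from the `Authorization: Bearer ...` response header."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.partition(" ")
    if scheme != "Bearer" or not token:
        raise RuntimeError("response carried no Bearer Session Token")
    return token

def token_claims(token):
    """Read JWT claims WITHOUT verifying the signature: use only to schedule re-auth from `exp`."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

class PasswordlessClient:
    """Combined sign-up / sign-in flow; `transport(url, body)` returns (status, headers)."""
    def __init__(self, deployment_id, transport):
        self.deployment_id, self.transport = deployment_id, transport

    def start(self, field, username):
        """Step 1: 201 = new user, token issued now; 202 = existing user, passcode sent out of band."""
        if field not in ("email", "phone"):
            raise ValueError("username must be sent as 'email' or 'phone'")
        status, headers = self.transport(AUTH_URL, {"deploymentId": self.deployment_id, field: username})
        if status == 201:
            return {"state": "authenticated", "token": session_token(headers)}
        if status == 202:
            return {"state": "passcode_required", "token": None}
        raise RuntimeError(f"unexpected status {status}")

    def verify(self, field, username, passcode):
        """Step 2 (existing users): the docs show only the 201 success case, so anything else is a rejection."""
        body = {"deploymentId": self.deployment_id, field: username, "passcode": passcode}
        status, headers = self.transport(AUTH_URL, body)
        if status == 201:
            return {"state": "authenticated", "token": session_token(headers)}
        return {"state": "rejected", "token": None}

# Constructed offline stand-in for auth.quiltt.io (hypothetical behaviour): known users get a passcode challenge.
KNOWN_USERS = {"test@quiltt.io"}
def fake_transport(url, body):
    issued = (201, {"Authorization": "Bearer " + SAMPLE_TOKEN})
    if "passcode" in body:
        return issued if body["passcode"] == "000000" else (401, {})
    return (202, {}) if (body.get("email") or body.get("phone")) in KNOWN_USERS else issued
```

In production, replace `fake_transport` with a function that POSTs the JSON body and returns the real status and headers; the rest of the client does not change.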