How to Implement Passwordless Auth

Quiltt's passwordless authentication system combines sign-up and sign-in into a single flow that uses one-time passcodes (OTPs), reducing onboarding friction and removing the need to store or exchange passwords.

To get started, you need a Quiltt Deployment configured with your desired authentication strategy. Currently, we support email-based and SMS-based strategies. The strategy determines what serves as the user's username: an email address or a phone number.

The Passwordless Flow

  1. Your application sends the user's username (email address or phone number) to Quiltt's authentication endpoint.
  2. If no user exists with that username, the request creates a new user and returns a Session Token for them, completing the flow.
  3. If a user already exists with that username, the request sends them a one-time passcode (via email or SMS). Your application then submits that passcode together with the username, and Quiltt returns a Session Token for the user.

The Session Token is returned in the response's Authorization header as a Bearer token. To call our GraphQL endpoint, send it back in the request's Authorization header (Authorization: Bearer <Session Token>). Note that step 2 returns a session for an unknown username without any passcode check, so the request should come from your backend rather than from untrusted client code, and your application should only submit a username it has reason to associate with the person being onboarded. Treat the Session Token as a credential: keep it out of logs and URLs.

Implementing SMS-based Authentication

POST https://auth.quiltt.io/v1/users/sessions

Authenticating a new user

You can create a new user by identifying them with their unique phone number. This creates the new user and returns a valid Session Token, completing the authentication flow.

Request

Response

Authenticating an existing user

  1. Submit the user's phone number, which sends them a one-time passcode via SMS.

    Request

    Response

  2. After prompting the user for their passcode, submit the user's phone number along with the passcode. If the combination is valid, the user is authenticated and you receive a valid Session Token, completing the authentication flow.

    Request

    Response

Implementing Email-based Authentication

POST https://auth.quiltt.io/v1/users/sessions

Authenticating a new user

You can create a new user by identifying them with their unique email address. This creates the new user and returns a valid Session Token, completing the authentication flow.

Request

Response

Authenticating an existing user

  1. Submit the user's email address, which sends them a one-time passcode via email.

    Request

    Response

  2. After prompting the user for their passcode, submit the user's email address along with the passcode. If the combination is valid, the user is authenticated and you receive a valid Session Token, completing the authentication flow.

    Request

    Response
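The flow above is the same for SMS and email, so here is one worked example covering the Passwordless Flow and both implementation sections. It is an added example, not Quiltt's own code or SDK: a small Python client that builds each request to the session endpoint, classifies each response into the three outcomes described on this page, and runs the new-user and existing-user branches against a constructed stand-in for the endpoint so it runs offline. The JSON field names (email, phone, passcode), the server-side API secret sent as a Bearer token, and the use of HTTP 202 to mean "passcode sent" are assumptions not stated on this page; check them against the API Reference before relying on them.

```python
"""Passwordless login against the session endpoint described on this page.
Added example; not Quiltt's SDK. Assumptions (not on the page): the JSON body
carries an "email" or "phone" field plus, on the second call, "passcode"; the
endpoint is called from your backend with a server-side API secret sent as
"Authorization: Bearer <secret>"; HTTP 202 means "passcode sent"."""
import hmac
import json
import secrets
import string
import urllib.error
import urllib.request

SESSIONS_URL = "https://auth.quiltt.io/v1/users/sessions"

def build_session_request(api_secret, strategy, username, passcode=None):
    """Build (url, headers, body) for one step; strategy is "email" or "phone"."""
    if strategy not in ("email", "phone"):
        raise ValueError("strategy must be 'email' or 'phone'")
    body = {strategy: username}
    if passcode is not None:
        body["passcode"] = passcode
    headers = {
        "Authorization": f"Bearer {api_secret}",  # assumption: server-side secret
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    return SESSIONS_URL, headers, body

def parse_session_response(status, headers, body):
    """Map a response onto the outcomes the page describes."""
    if status == 202:
        return {"outcome": "passcode_sent"}
    if 200 <= status < 300:
        # The page says the Session Token comes back in the Authorization header as
        # a Bearer token; a "token" body field is accepted as a fallback (assumption).
        auth = headers.get("Authorization") or headers.get("authorization") or ""
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else body.get("token")
        if not token:
            raise RuntimeError("2xx response without a Session Token")
        return {"outcome": "authenticated", "token": token}
    raise RuntimeError(f"authentication failed: HTTP {status} {body}")

def passwordless_login(transport, api_secret, strategy, username, prompt_for_passcode):
    """Run the full flow. transport(url, headers, body) -> (status, headers, body).
    prompt_for_passcode() is called only when Quiltt reports that an OTP was sent."""
    result = parse_session_response(
        *transport(*build_session_request(api_secret, strategy, username)))
    if result["outcome"] == "passcode_sent":
        passcode = prompt_for_passcode()
        result = parse_session_response(
            *transport(*build_session_request(api_secret, strategy, username, passcode)))
    return result["token"]

def http_transport(url, headers, body):
    """Real transport over urllib; not exercised by the offline demo below."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), json.loads(err.read() or b"{}")

class FakeQuiltt:
    """Constructed stand-in behaving as the page describes: unknown username ->
    new user + token; known username -> OTP sent; username + valid OTP -> token.
    Passcodes are random, single-use and compared in constant time."""
    def __init__(self, api_secret, existing_users):
        self.api_secret, self.users, self.pending, self.sent = api_secret, set(existing_users), {}, []

    def __call__(self, url, headers, body):
        if not hmac.compare_digest(headers.get("Authorization", ""), f"Bearer {self.api_secret}"):
            return 401, {}, {"error": "unauthorized"}
        username = body.get("email") or body.get("phone")
        if not username:
            return 422, {}, {"error": "email or phone required"}
        if username not in self.users:
            self.users.add(username)
            return 201, {"Authorization": "Bearer tok-new"}, {}
        if "passcode" not in body:
            code = "".join(secrets.choice(string.digits) for _ in range(6))
            self.pending[username] = code
            self.sent.append((username, code))  # what the SMS/email would carry
            return 202, {}, {}
        expected = self.pending.pop(username, None)  # consumed on any attempt
        if expected and hmac.compare_digest(expected, str(body["passcode"])):
            return 201, {"Authorization": "Bearer tok-existing"}, {}
        return 401, {}, {"error": "invalid passcode"}

def never_prompt():
    raise AssertionError("a new user must not be asked for a passcode")

def demo():
    """New user (no OTP step) and existing user (OTP step) against the stand-in."""
    secret = "api-secret-constructed"
    fake = FakeQuiltt(secret, existing_users={"+15555550100"})
    new_token = passwordless_login(fake, secret, "phone", "+15555550199", never_prompt)
    old_token = passwordless_login(fake, secret, "phone", "+15555550100", lambda: fake.sent[-1][1])
    return new_token, old_token  # ("tok-new", "tok-existing")
```

To talk to the real endpoint, pass http_transport instead of the FakeQuiltt instance and have prompt_for_passcode read the code the user typed. Two details of the stand-in are worth keeping in mind when you build the surrounding application: a passcode is consumed on the first attempt whether or not it was correct, so a wrong guess forces a fresh passcode rather than allowing repeated guesses at the same one, and the API secret never leaves the server; the client only ever receives the Session Token.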

Once you have obtained a Session Token, you are ready to talk to GraphQL and interact with the user's financial data.

See our API Reference for additional authentication actions, including token introspection and revocation flows.