Authentication
How to retrieve and use a bearer token.
Last updated
How to retrieve and use a bearer token.
Last updated
To connect to GraphQL, you will need an API username and password.
You can connect existing integrations or generate new API user credentials under Settings > . Choose the "Other" category for custom applications.
GraphQL uses JWT tokens to authenticate API requests. So before making any request to a protected resource, you'll need to make sure you have generated a valid token, as you'll need to include this in your authorization header on each request.
To generate your token, use your API username/password to make a request to the loginUser query, which will return an Authorization header containing your token:
Note that you can login with either an email or a username via loginUser.
Your X-Authorization token is returned on the loginUser response. Note - there is currently Authorization and X-Authorization tokens returned (they are the same). We are depreciating the Authorization header, so use the X-Authorization header to futureproof the integration.
Whenever the user wants to access a protected route or resource, the user agent should send their token in the Authorization header using the Bearer schema. The content of the header should look like the following:
As a token is time limited, it will require a refresh after 60 minutes.
When you make a new request and the Authorization header is returned, you should start using the new token for the next request.
You will need to programmatically update your token and store it securely in your system each time you retrieve a new token, using it until such time that it is refreshed.
If you are not authorised and you attempt to make a request to a protected query or mutation, the API will return JSON with errors.
It is worthwhile reading the which summarises how JSON Web Tokens work for more information.
