# Authentication

### API Username/Password

To connect to GraphQL, you will need an API username and password.

You can connect existing integrations or generate new API user credentials under **Settings** > [Integrations](https://dashboard.mytoggle.io/settings/integrations).  Choose the "Other" category for custom applications.

### Tokens

GraphQL uses JWT tokens to authenticate API requests. So before making any request to a protected resource, you'll need to make sure you have generated a valid token, as you'll need to include this in your authorization header on each request.

### Generating a token

To generate your token, use your API username/password to make a request to the `loginUser` query, which will return an Authorization header containing your token:

```graphql
query LoginUser {
    LoginUser(username: "abcDEFghi001",password: "Password123!") {
        id
    }
}
```

Note that you can login with either an **email** or a **username** via `loginUser`.

Your `X-Authorization` token is returned on the `loginUser` response. Note - there is currently `Authorization` and `X-Authorization` tokens returned (they are the same). We are depreciating the `Authorization` header, so use the `X-Authorization` header to futureproof the integration.

![Token](/files/BQgxWkybnr7aUY9wmAgR)

### Using tokens in requests

Whenever the user wants to access a protected route or resource, the user agent should send their token in the Authorization header using the Bearer schema. The content of the header should look like the following:

```
Authorization: Bearer 
```

### Refreshing tokens

As a token is time limited, it will require a refresh after 60 minutes.

When you make a new request and the Authorization header is returned, you should start using the new token for the next request.

You will need to programmatically update your token and store it securely in your system each time you retrieve a new token, using it until such time that it is refreshed.

### Authentication failure

If you are not authorised and you attempt to make a request to a protected query or mutation, the API will return JSON with errors.

```javascript
{
  "errors": [
    {
      "message": "Unauthorized",
      "locations": [
        {
          "line": 2,
          "column": 3
        }
      ],
      "customer_facing": false
    }
  ]
}
```

### Further reading

It is worthwhile reading the [introduction from JWT](https://jwt.io/introduction/) which summarises how JSON Web Tokens work for more information.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://developers.usetoggle.com/graphql/authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.