Quiltt uses two authentication scopes: Environment-level for administrative operations, and Profile-level for user-specific data access.
Use Environment scope for administrative operations: issuing Session tokens, managing Profiles, ACH Account Numbers, and Processor Tokens.
Server-side only. Never expose your API Key in client-side code or version control.
Pass your API Key as a Bearer token:
Authorization: Bearer <API_KEY_SECRET>
Use Profile scope to access an individual Profile's financial data via GraphQL or pre-authenticate the Connector.
Issue Session tokens server-side, then use them client-side for GraphQL queries or Connector authentication.
Authorization: Bearer <SESSION_TOKEN>
Cache tokens client-side and revoke on logout to avoid hitting rate limits. See Issuing Session Tokens for implementation.
For server-to-server Profile access without Session token rate limits, use Basic Auth with Base64-encoded profileId:API_KEY_SECRET:
Authorization: Basic <Base64-encoded profileId:API_KEY_SECRET>
Examples (the same encoding in each language):
JavaScript:
const encoded = Buffer.from(`${profileId}:${API_KEY_SECRET}`).toString("base64")
Python:
encoded = base64.b64encode(f"{profileId}:{API_KEY_SECRET}".encode()).decode()
Ruby:
encoded = Base64.strict_encode64("#{profileId}:#{API_KEY_SECRET}")
PHP:
$encoded = base64_encode($profileId . ":" . $API_KEY_SECRET);
Server-side only. Never expose your API Key in client-side code or version control.
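The following is an added Python example, not Quiltt's own code or SDK, that builds the three Authorization header forms described above (Environment Bearer, Profile Session Bearer, Profile Basic Auth), decodes a Basic credential back to check what a request would actually carry, and includes a small guard for the "never expose your API Key client-side" rule that also catches the secret when it is hidden inside a Base64 Basic credential. The profile ID, API Key secret and session token values are constructed placeholders, not real Quiltt identifiers.

```python
import base64
import binascii
import re
from typing import Dict, Tuple

# Constructed sample values for illustration only; not real Quiltt credentials.
SAMPLE_PROFILE_ID = "p_123"
SAMPLE_API_KEY_SECRET = "sk_test"
SAMPLE_SESSION_TOKEN = "sess_abc"


def environment_headers(api_key_secret: str) -> Dict[str, str]:
    """Environment scope: the API Key as a Bearer token. Server-side only."""
    if not api_key_secret:
        raise ValueError("API Key secret is required for Environment scope")
    return {"Authorization": f"Bearer {api_key_secret}"}


def session_headers(session_token: str) -> Dict[str, str]:
    """Profile scope via a Session token, the only form safe to hand to a client."""
    if not session_token:
        raise ValueError("Session token is required")
    return {"Authorization": f"Bearer {session_token}"}


def profile_basic_headers(profile_id: str, api_key_secret: str) -> Dict[str, str]:
    """Profile scope via Basic Auth: Base64 of 'profileId:API_KEY_SECRET'.
    Server-side only, because the credential contains the API Key secret."""
    if ":" in profile_id:
        # Basic Auth splits user-id and secret on the first colon, so a colon
        # in the profile ID would make the credential ambiguous.
        raise ValueError("profileId must not contain ':'")
    raw = f"{profile_id}:{api_key_secret}".encode("utf-8")
    # Standard (not URL-safe) alphabet with padding, as Basic Auth expects.
    encoded = base64.b64encode(raw).decode("ascii")
    return {"Authorization": f"Basic {encoded}"}


def parse_basic_authorization(header_value: str) -> Tuple[str, str]:
    """Decode 'Basic <b64>' back into (profile_id, secret).
    Handy in tests to confirm exactly what a request would transmit."""
    scheme, _, credential = header_value.partition(" ")
    if scheme != "Basic" or not credential:
        raise ValueError("not a Basic Authorization header")
    try:
        decoded = base64.b64decode(credential, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    user, sep, secret = decoded.partition(":")
    if not sep:
        raise ValueError("Basic credential missing ':' separator")
    return user, secret


def contains_api_key(payload: str, api_key_secret: str) -> bool:
    """Guard for anything destined for a browser bundle or a repository:
    True if the secret appears verbatim or inside a Base64 Basic credential."""
    if api_key_secret in payload:
        return True
    # Every run of Base64-alphabet characters is a candidate credential.
    for token in re.findall(r"[A-Za-z0-9+/]+=*", payload):
        try:
            _, secret = parse_basic_authorization(f"Basic {token}")
        except ValueError:
            continue
        if secret == api_key_secret:
            return True
    return False


if __name__ == "__main__":
    hdr = profile_basic_headers(SAMPLE_PROFILE_ID, SAMPLE_API_KEY_SECRET)
    print(hdr)
    print(parse_basic_authorization(hdr["Authorization"]))
    print(environment_headers(SAMPLE_API_KEY_SECRET))
    print(session_headers(SAMPLE_SESSION_TOKEN))
```

The `contains_api_key` check is the piece worth wiring into a pre-commit hook or client-bundle build step: a grep for the raw secret misses the Basic form, since `profileId:API_KEY_SECRET` is Base64-encoded before it reaches the header.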
New to Quiltt authentication? Try our Authentication Tutorial for a hands-on introduction with working code examples.