Skip to main content



The Quiltt API uses Bearer Tokens for authentication. There are two types of tokens, depending on the scope of authorization required: Deployment Secrets and Session Tokens.

AnchorSession Token

Session Tokens are short-lived, user-specific tokens used to interact with a specific user’s data in GraphQL. They are valid for the duration of an active Session, and, when properly handled, can be used client-side.

Authorization: Bearer {{SESSION_TOKEN}}

There are several flows to create a Session Token, depending on your use-case. These approaches support authenticating existing users, as well as creating new users on the fly.

  • The Server-Side flow allows your server to generate a Session Token on behalf of a user, authenticating via your Deployment Secret.

  • The Passwordless flow allows your end-user to generate a Session Token on their own behalf, authenticating via a one-time passcode sent to their phone or email.

AnchorDeployment Secret

The Deployment Secret is a persistent token used to administer your deployment and manage its data and user profiles. It should only be used for server-to-server communication and should never be exposed in client-side code.

Authorization: Bearer {{DEPLOYMENT_SECRET}}