Authenticate GraphQL Requests
Overview
Stitch enforces collection rules for all GraphQL operations. This means that every GraphQL request must be made by a logged-in user of your Stitch application.
The GraphQL API uses Stitch client access tokens to authorize requests. This guide demonstrates how to get a valid access token for a user and how to refresh the access token after it expires.
Example
The following request demonstrates how to include an access token for a user with each request. Replace <Access Token> with the access_token value that you want to use.
Get a Client API Access Token
To get an access token, you need to authenticate with the Stitch Client HTTP API using the user’s login credentials. The Client API authentication endpoints accept valid user credentials in the body of a POST request and use the following URL form:
Example
The following request authenticates a Stitch user with the client API. The request body specifies the user’s login credentials.
- Anonymous
- Email/Password
- API Key Authentication
- Custom
The authentication request is successful, so the response body includes access_token and refresh_token values for the user.
Each of these values is a JSON web token string that identifies the
authenticated user and authorizes requests on their behalf.
Refresh a Client API Access Token
Access tokens expire 30 minutes after Stitch grants them. When an access token expires, you can either request another access token using the user’s credentials or use the refresh token to request a new access token without including the user’s credentials.
The Client API session refresh endpoint accepts a POST request that includes the refresh token in the Authorization header and uses the following URL:
Example
The following request demonstrates how to use a refresh token to get a new, valid access token. Replace <Refresh Token> with the refresh_token value for the access token that you want to refresh.
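The token lifecycle described above, as an added client-side example that is not part of the original page or Stitch's own code: it refreshes the access token shortly before its expiry and sends the refresh token only to the refresh call. It assumes the access token carries the standard JWT exp claim and that both tokens use the Bearer scheme; Session, refresh_call and the sample tokens are hypothetical and constructed.

```python
import base64
import json
import time


def jwt_expiry(token):
    """Read exp (seconds since epoch) from a JWT without verifying it.

    The server verifies the signature; the client treats exp only as a
    scheduling hint and never as proof that the token is valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    exp = json.loads(base64.urlsafe_b64decode(payload)).get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("JWT has no numeric exp claim")
    return exp


class Session:
    """Holds one user's tokens; refresh_call is a hypothetical transport that
    POSTs the given headers to the session refresh URL and returns the JSON body."""

    def __init__(self, access_token, refresh_token, refresh_call, skew=60):
        self.access_token = access_token
        self.refresh_token = refresh_token
        self._refresh_call = refresh_call
        self._skew = skew  # refresh this many seconds before expiry

    def needs_refresh(self, now=None):
        now = time.time() if now is None else now
        return now >= jwt_expiry(self.access_token) - self._skew

    def graphql_headers(self, now=None):
        """Headers for a GraphQL request, refreshing the access token first if due."""
        if self.needs_refresh(now):
            # The refresh token is sent only here, never with GraphQL requests.
            body = self._refresh_call({"Authorization": "Bearer " + self.refresh_token})
            self.access_token = body["access_token"]
        return {"Authorization": "Bearer " + self.access_token}


def make_constructed_jwt(exp):
    """Build an unsigned sample token (constructed for this example only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc({"exp": exp}), "sig"])
```

Keep both tokens out of logs and error messages; the refresh token in particular can mint new access tokens without the user's credentials.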