Skip to content

Authentication

When you want to secure your API and ensure that certain resources and mutations are only accessible by a limited set of users, you have to have a way to authenticate the current user.

Slicknode accepts JSON Web Tokens to authenticate users that are making requests to the GraphQL endpoint. JWT-Tokens are secure, temporary tokens that are generated by the Slicknode API and contain information about the current user that obtained the token.

Authentication Process

The authentication process always follows the following simple steps:

  1. Get Access Token: Use a mutation of an authentication module to obtain the access token. For example you could send the email address and password of a user to the loginEmailPassword mutation from your client application. This mutation then returns the temporary tokens as the payload for the next step.
  2. Query-API: Send the accessToken in the Authorization header of the requests to your API. For example when using CURL:

    curl -X POST https://my-project.us-east-1.slicknode.com \
        -H "Content-Type: application/json" \
        -H "Authorization: Bearer <accessToken>" \
        -d '{"query": "{viewer {user: {firstName}}}"}'
    
  3. Refresh Token: (optional) When the accessToken expires after the accessTokenLifetime, you can use the refreshToken to programmatically obtain a new accessToken via the refreshToken mutation:

    mutation RefreshToken($refreshToken: String!) {
        refreshToken(input: {refreshToken: $refreshToken}) {
             # The new access token:
            accessToken
            # The duration in seconds after which the accessToken expires:
            accessTokenLifetime
    
            # A new refresh token
            refreshToken
            # Duration in seconds after which the refreshToken expires
            refreshTokenLifetime
        }
    }
    

    Note

    Every refreshToken can only be used once and will only work when the user is still active. If you need to refresh the token another time, use the refreshToken that was returned in the mutation payload of the refreshToken mutation.

Client Integrations

There are integrations available for the recommended GraphQL clients that simplify the authentication process with automatic token refresh. See the documentation for details:

Authentication Modules

Authentication modules provide the functionality to authenticate a user on the Slicknode servers. They add mutations to your schema that return the access and refresh tokens that are needed for the authentication process.

Available Modules:

  • Email / Password: Authenticate a user with email address and password
  • More coming soon..

Custom Authentication Module

(coming soon)