How to authenticate
Sending the access token
Send the access token on every HTTP request to the API:

    Authorization: Bearer <your access token>

Which organization's data you can see follows your signed-in account and permissions.
Using the login mutation
You can sign in with email and password by calling the login mutation. It returns TokenInfo:
| Field | Meaning |
|---|---|
| token | Short-lived access token — use this value as the bearer token above |
| refreshToken | Use with the refreshToken mutation when you need a new access token |
| expiresIn | Access token lifetime in seconds |
Example — sign in and read the access token:

    mutation Login {
      login(email: "[email protected]", password: "your-password") {
        token
        refreshToken
        expiresIn
      }
    }

Use the returned token as <your access token> in the Authorization header for subsequent queries and mutations (for example request, requests, createCompensations).
Always call the API over HTTPS so credentials and tokens are protected in transit.
Refreshing the access token
When the access token expires, call the refreshToken mutation. Pass refreshToken with the value you received from login (or from a previous refreshToken response). If your integration uses cookies and the server supports it, you may omit the argument where the refresh token is read from the session.

    mutation Refresh {
      refreshToken(refreshToken: "<paste refresh token here>") {
        token
        refreshToken
        expiresIn
      }
    }

Use the new token in the Authorization header going forward.
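
The login and refresh flow described above, sketched as a small Python client. This is an added example, not the API provider's code. The `TokenSession` name, the `String!` variable types, the 30-second refresh margin, the injectable `post` transport, and calling `refreshToken` without an Authorization header are assumptions.

```python
import json
import time
import urllib.request
from urllib.parse import urlsplit

# Mutations as shown on this page; the variable types (String!) are assumed.
LOGIN = ("mutation Login($email: String!, $password: String!) {"
         " login(email: $email, password: $password) { token refreshToken expiresIn } }")
REFRESH = ("mutation Refresh($rt: String!) {"
           " refreshToken(refreshToken: $rt) { token refreshToken expiresIn } }")


def https_post(url, body, headers):
    """Default transport: POST JSON over HTTPS using only the standard library."""
    req = urllib.request.Request(url, json.dumps(body).encode(),
                                 {"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSession:
    def __init__(self, url, post=https_post, clock=time.monotonic, skew=30):
        if urlsplit(url).scheme != "https":  # never send credentials in cleartext
            raise ValueError("API endpoint must use https://")
        self.url, self.post, self.clock, self.skew = url, post, clock, skew
        self.token = self.refresh_token = None
        self.expires_at = 0.0

    def _store(self, reply, field):
        if reply.get("errors") or not reply.get("data"):
            raise RuntimeError(f"{field} failed")  # do not echo server text into logs
        info = reply["data"][field]
        self.token = info["token"]
        self.refresh_token = info["refreshToken"]  # keep the newest refresh token
        self.expires_at = self.clock() + info["expiresIn"]

    def login(self, email, password):
        # Credentials travel as GraphQL variables, not spliced into the query text.
        body = {"query": LOGIN, "variables": {"email": email, "password": password}}
        self._store(self.post(self.url, body, {}), "login")

    def auth_header(self):
        if self.token is None:
            raise RuntimeError("call login() first")
        if self.clock() >= self.expires_at - self.skew:  # expired or about to expire
            body = {"query": REFRESH, "variables": {"rt": self.refresh_token}}
            self._store(self.post(self.url, body, {}), "refreshToken")
        return {"Authorization": f"Bearer {self.token}"}
```

Call `auth_header()` before each request and merge the result into the request headers; the session refreshes on its own once the access token is within the margin of `expiresIn`.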