Authorization 🔐

Brand Authorization

To use the features activated for your brand and to create users for it, you must send a unique brand authorization header with every HTTP request. The token is handed to you in advance. Treat it as a secret: it is what identifies your brand to the API.

{
    "yoli-brand-authorization": "<YOUR_TOKEN>"
}

User creation

A user is created with the createMe mutation, which returns the user's initial refresh token. The mutation also takes a brand argument. The brand uniquely identifies your product and determines which features (such as email verification) are enabled for it. The name of your brand is handed to you together with your brand authorization token.

mutation {
  createMe(brand: "<YOUR_BRAND>")
}
{
  "data": {
    "createMe": "<REFRESH_TOKEN>"
  }
}

What you do next depends on whether you want to be able to log the user out. If you never log users out, storing this refresh token is all the client needs. If you do want to log users out (which is done by invalidating the refresh token, see the section on token revocation below), you must also set an email and password for the user, because after invalidation a new refresh token can only be obtained through the login query.

You can read more about setting email and password here.

Authorization

Tokens

Yoli uses refresh and access tokens to authorize users. Access tokens are short-lived (15 minutes by default) and have to be renewed by the client. Refresh tokens do not expire (unless they are explicitly invalidated, see the section on token revocation below) and are used to issue new access tokens. Because a refresh token is a long-lived credential, keep it in protected storage and never put it in logs or URLs.

Login and obtaining a refresh token

If you have set an email address and password, you can use the login query to obtain a new refresh token whenever necessary (for example after the previous one was invalidated).

{
  login(email: "<email>", brand: "rainbowMakers", password: "rainbow123")
}
{
  "data": {
    "login": "<REFRESH_TOKEN>"
  }
}

Make sure to pass the current brand of the user.

Access Tokens

New access tokens are obtained with the getAccessToken query. A desired lifetime in seconds can be passed as expiresIn. For security reasons the default of 15 minutes (900 seconds) is recommended: the longer an access token lives, the longer a leaked one remains usable.

{
  getAccessToken(refreshToken: "<REFRESH_TOKEN>", expiresIn: 600)
}
{
  "data": {
    "getAccessToken": "<ACCESS_TOKEN>"
  }
}

Using Access Tokens

Once you have an access token, send it in the authorization header of every request. If the token is invalid or expired, the API responds with HTTP status 401. Treat that as the signal to request a new access token with your refresh token and retry the request. Do not set the authorization header on the getAccessToken request itself.

{
    "authorization": "<ACCESS_TOKEN>"
}

Token Revocation

You can invalidate all refresh tokens issued up to this point by calling the invalidateRefreshToken mutation. Using this you can, for example, offer an option in your app to log the user out of all of their devices. Before you use this option, make sure you have set an email and password for the user; otherwise there is no way left to obtain a new refresh token and the user is locked out.
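The complete client-side flow described in the sections above (brand header, createMe, getAccessToken, the authorization header with a retry on 401, login, and invalidateRefreshToken), as an added Python example that is not part of the original page or of Yoli's own code. The endpoint URL and transport are not given on the page, so the client takes a transport callable. FakeYoliServer is a constructed stand-in that mimics the behaviour the page describes so the example runs offline; the assumptions it bakes in (plain GraphQL over HTTP POST with a JSON body, HTTP 401 when a refresh token or login is rejected, invalidateRefreshToken authorized by the user's access token) are mine and are not documented here.

```python
"""Client-side token handling for the Yoli GraphQL API described on this page.
Added example, not the project's own code. FakeYoliServer is a constructed
single-user stand-in (assumed: plain GraphQL over HTTP POST with a JSON body,
HTTP 401 for rejected refresh tokens or credentials, invalidateRefreshToken
authorized by the access token) so that the whole flow runs offline."""
import json
import re
import secrets


class FakeYoliServer:
    """Constructed stand-in: checks the brand header, issues and expires tokens."""

    def __init__(self, brand_token, credentials, clock):
        self.brand_token, self.credentials, self.clock = brand_token, credentials, clock
        self.refresh_tokens, self.access_tokens = set(), {}  # access token -> expiry

    def __call__(self, headers, body):
        if headers.get("yoli-brand-authorization") != self.brand_token:
            return 401, {"errors": [{"message": "brand token missing or wrong"}]}
        query = json.loads(body)["query"]
        op = re.search(r"\{\s*(\w+)", query).group(1)          # first selected field
        args = dict(re.findall(r'(\w+):\s*"([^"]*)"', query))  # string arguments
        if op in ("createMe", "login"):
            if op == "login" and (args.get("email"), args.get("password")) != self.credentials:
                return 401, {"errors": [{"message": "bad credentials"}]}
            token = secrets.token_urlsafe(24)
            self.refresh_tokens.add(token)
            return 200, {"data": {op: token}}
        if op == "getAccessToken":
            # Rejected if an authorization header is sent (the page warns against
            # that here) or if the refresh token has been invalidated.
            if "authorization" in headers or args.get("refreshToken") not in self.refresh_tokens:
                return 401, {"errors": [{"message": "refresh token rejected"}]}
            ttl = re.search(r"expiresIn:\s*(\d+)", query)
            token = secrets.token_urlsafe(24)
            self.access_tokens[token] = self.clock() + (int(ttl.group(1)) if ttl else 900)
            return 200, {"data": {"getAccessToken": token}}
        expiry = self.access_tokens.get(headers.get("authorization"))
        if expiry is None or expiry <= self.clock():               # every other field
            return 401, {"errors": [{"message": "access token invalid or expired"}]}
        if op == "invalidateRefreshToken":
            self.refresh_tokens.clear()
            return 200, {"data": {"invalidateRefreshToken": True}}
        return 200, {"data": {op: "ok"}}


class YoliClient:
    """Brand header on every request, refresh token used only for renewal, one retry on 401."""

    def __init__(self, transport, brand, brand_token, access_ttl=900):
        self.transport, self.brand, self.brand_token = transport, brand, brand_token
        self.access_ttl = access_ttl                # 900 s is the recommended default
        self.refresh_token = self.access_token = None

    def _post(self, query, authenticated):
        headers = {"content-type": "application/json",
                   "yoli-brand-authorization": self.brand_token}
        if authenticated:
            headers["authorization"] = self.access_token
        return self.transport(headers, json.dumps({"query": query}))

    def create_me(self):
        _, resp = self._post("mutation { createMe(brand: %s) }" % json.dumps(self.brand), False)
        self.refresh_token = resp["data"]["createMe"]
        return self.refresh_token

    def login(self, email, password):
        query = "query { login(email: %s, brand: %s, password: %s) }" % (
            json.dumps(email), json.dumps(self.brand), json.dumps(password))
        status, resp = self._post(query, False)
        if status != 200:
            raise PermissionError(resp["errors"][0]["message"])
        self.refresh_token, self.access_token = resp["data"]["login"], None
        return self.refresh_token

    def renew_access_token(self):
        query = "{ getAccessToken(refreshToken: %s, expiresIn: %d) }" % (
            json.dumps(self.refresh_token), self.access_ttl)
        status, resp = self._post(query, False)    # deliberately no authorization header
        if status != 200:
            raise PermissionError("refresh token rejected; log in again")
        self.access_token = resp["data"]["getAccessToken"]
        return self.access_token

    def call(self, query):
        # Authenticated request; a 401 means the access token is invalid or
        # expired, so renew it once and retry.
        if self.access_token is None:
            self.renew_access_token()
        status, resp = self._post(query, True)
        if status == 401:
            self.renew_access_token()
            status, resp = self._post(query, True)
        return status, resp

    def logout_everywhere(self):
        # Invalidates every refresh token of the user, then drops the local copies.
        status, _ = self.call("mutation { invalidateRefreshToken }")
        self.refresh_token = self.access_token = None
        return status == 200
```

The 401 handling in call() is the practical consequence of short-lived access tokens: the client never tracks expiry itself, it just renews and retries once. renew_access_token() is the only method that ever sends the refresh token, and it never sets the authorization header; everything else sends only the access token, so a compromised request log exposes at most a 15-minute credential.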