
Authorization 🔐

User creation

Before authorization even becomes relevant, you need to create a user. This is done via the createMe mutation, which returns the initial refresh token you need. You will also need to pass a brand to the mutation. This brand uniquely identifies your product and is used to enable or disable certain features (such as email verification).

mutation {
  createMe(brand: "<brand>")
}
{
  "data": {
    "createMe": "<refresh token>"
  }
}

You should set the user's email next, so they can log in again if they get logged out for some reason or want to use a different device.

You can read more about that here.

Authorization

Tokens

Yoli uses refresh and access tokens to authorize users. Access tokens are only valid for a short period of time (e.g. 15min) and must be renewed by any client using the API. Refresh tokens are valid indefinitely (unless manually invalidated) and are used to issue new access tokens.

Login and obtaining a refresh token

To log in on a new device, use the login query, which returns a refresh token you can use to get access to the user.

login(email: "<email>", brand: "rainbowMakers", password: "rainbow123"): String

Make sure to pass the current brand, or the user the email is connected to might not be found.

Access Tokens

New access tokens can be generated with the getAccessToken query. A desired expiration in milliseconds can also be provided.

{
  getAccessToken(refreshToken: "<refresh token>", expiresIn: 1337)
}
{
  "data": {
    "getAccessToken": "<access token>"
  }
}

Using Access Tokens

In order to authenticate against the API, you need to set a valid access token as the authorization header. You will receive an error (HTTP status code 401) if your token is invalid or expired; this tells you to request a new access token. Make sure not to set the authorization header when requesting an access token.
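The full client-side flow described above (obtain an access token from the refresh token, send it as the authorization header, refresh and retry once on a 401, and never send the header when calling getAccessToken), as an added example that is not Yoli's own client code. The api function is a constructed, synchronous stand-in for the GraphQL endpoint so the example runs offline; a real client would POST each query to the API URL.

```javascript
// Constructed stand-in for the API: issues access tokens from a refresh token and
// answers 401 once an access token has expired. Field names mirror the docs above.
function makeFakeApi(validRefreshToken, now) {
  const issued = new Map(); let n = 0; // access token -> expiry timestamp (ms)
  return (query, headers) => {
    if (query.includes('getAccessToken')) {
      // Per the docs, no authorization header may be set on this request.
      if (headers.authorization) return { status: 400, errors: ['unexpected authorization header'] };
      const m = /refreshToken: "([^"]+)", expiresIn: (\d+)/.exec(query);
      if (!m || m[1] !== validRefreshToken) return { status: 401, errors: ['invalid refresh token'] };
      const token = `access-${++n}`;
      issued.set(token, now() + Number(m[2]));
      return { status: 200, data: { getAccessToken: token } };
    }
    const expiry = issued.get(headers.authorization);
    if (expiry === undefined || expiry <= now()) return { status: 401, errors: ['invalid/expired token'] };
    return { status: 200, data: { me: { id: 'user-1' } } };
  };
}

class YoliClient {
  constructor(refreshToken, api, expiresIn) { Object.assign(this, { refreshToken, api, expiresIn, accessToken: null, refreshes: 0 }); }
  refreshAccessToken() { // deliberately sent with an empty header set, as the docs require
    const q = `{ getAccessToken(refreshToken: "${this.refreshToken}", expiresIn: ${this.expiresIn}) }`;
    const res = this.api(q, {});
    if (res.status !== 200) throw new Error(`cannot refresh: ${res.errors[0]}`);
    this.accessToken = res.data.getAccessToken;
    this.refreshes += 1;
  }
  query(q) {
    if (!this.accessToken) this.refreshAccessToken();
    let res = this.api(q, { authorization: this.accessToken });
    if (res.status === 401) { // expired or invalid access token: refresh and retry once
      this.refreshAccessToken();
      res = this.api(q, { authorization: this.accessToken });
    }
    if (res.status !== 200) throw new Error(res.errors[0]);
    return res.data;
  }
}

// Walks the flow with a fake clock: the first query obtains an access token,
// the second runs after expiry and must transparently refresh and retry.
function runScenario() {
  let clock = 0;
  const api = makeFakeApi('refresh-abc', () => clock); // constructed refresh token
  const client = new YoliClient('refresh-abc', api, 1000);
  const first = client.query('{ me { id } }');
  clock = 1500; // past expiresIn, so the first access token is now rejected
  const second = client.query('{ me { id } }');
  return { first, second, refreshes: client.refreshes };
}
```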

Token Revocation

You can invalidate all refresh tokens issued up to this point by calling the invalidateRefreshToken mutation. (Using this you can, for example, offer an option in your app that logs the user out of all of their devices.)