Authorization 🔐

The general flow of authorization with the Yoli API is described here. In this section we will describe how to handle the Yoli APIs authorization in iOS projects.


When you create a new user or login with an existing user on the Yoli API, you get a so called refresh token. This token can be stored in a secure place on your device, e.g. in the user's keychain. You don't have to store the credentials of the user since the refresh token is all you need to request against the Yoli API.

With this refresh token you then request a so called access token. This token is used to make requests that require autorization, e.g. requesting the list of connected bank accounts. The access token is only valid for a couple of minutes, so you have to keep sure to handle the case when the access token gets invalid.

To be sure that this gets handled correctly we have implemented the authorizedRequest function in Client.swift which is described below.

Authorized Requests

The Client.swift offers two types of request functions. Calling request will just fire the request, without setting an autorization header. E.g. the request for searching banks doesn't require authorization. On the other hand authorizedRequest handles all authorization stuff for you and calls request itself with the correct authorization header.

Since the authorizedRequest function is pretty big, we describe it here as kind of pseudo code so you can understand, what happens. You can check the full implementation of authorizedRequest on our example project.

func authorizedRequest(success: Success, failure: Failure) {
    // Check whether the user is logged in (and has therefore a refresh token).
    guard User.isLoggedIn else { failure(); return }

    // Check whether the user already has fetched an access token in this session.
    if User.hasAccessToken {
        // Fire request with the already available access token
        request(withHeader User.accessToken, success: success, failure: { error
            if error == .tokenInvalid {
                // The available token is expired, request a new one
                // and fire then the request again.
                getAccessToken {
                    request(withHeader: User.accessToken, success: success, failure: failure)
            } else {
                // Another failure occurred.
    } else {
        // There is no access token, request one and fire then the request.
        getAccessToken {
            request(withHeader: User.accessToken, success: success, failure: failure)

What's next?

In the authorization description we explain the authorization with token handling in detail.

On the next page we offer an example iOS Xcode project where we have integrated some example requests.