Quiltt Session Tokens API
REST Auth endpoints to issue, verify, and revoke short-lived JWT session tokens scoped to a single Profile. Session tokens authenticate the Connector and end-user calls to the GraphQL Data API.
REST Auth endpoints to issue, verify, and revoke short-lived JWT session tokens scoped to a single Profile. Session tokens authenticate the Connector and end-user calls to the GraphQL Data API.
openapi: 3.0.3
info:
title: Quiltt Admin & Auth REST API
description: >-
Quiltt is a hybrid API platform. This REST specification covers the
administrative and authentication surfaces used to manage Profiles,
Connections, Session Tokens, and Webhooks. End-user financial data
(accounts, balances, transactions, holdings, statements) is read through
the separate GraphQL Data API at https://api.quiltt.io/v1/graphql.
Admin endpoints are authenticated with your Quiltt API Secret Key
(Bearer). Session Token endpoints live on the auth host.
termsOfService: https://www.quiltt.io/legal/terms
contact:
name: Quiltt Support
url: https://www.quiltt.dev
email: support@quiltt.io
version: '1.0'
servers:
- url: https://api.quiltt.io/v1
description: Admin API (Profiles, Connections, Webhooks)
- url: https://auth.quiltt.io/v1
description: Auth API (Session Tokens)
security:
- apiSecretKey: []
tags:
- name: Profiles
description: Manage end-user Profiles.
- name: Connections
description: Manage a Profile's aggregator Connections.
- name: Session Tokens
description: Issue, verify, and revoke Profile-scoped session tokens.
- name: Webhooks
description: Manage webhook subscriptions for real-time events.
paths:
/profiles:
get:
operationId: listProfiles
tags:
- Profiles
summary: List Profiles
description: Retrieve a paginated list of Profiles in the environment.
parameters:
- name: page
in: query
schema:
type: integer
minimum: 1
- name: per_page
in: query
schema:
type: integer
minimum: 1
maximum: 100
responses:
'200':
description: A list of Profiles.
content:
application/json:
schema:
type: object
properties:
profiles:
type: array
items:
$ref: '#/components/schemas/Profile'
post:
operationId: createProfile
tags:
- Profiles
summary: Create Profile
description: Create a new Profile.
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ProfileInput'
responses:
'201':
description: The created Profile.
content:
application/json:
schema:
$ref: '#/components/schemas/Profile'
/profiles/{profileId}:
parameters:
- name: profileId
in: path
required: true
description: The Profile ID (e.g. p_17KTMuJseY4Cx2LcbgKA7wU) or your UUID.
schema:
type: string
get:
operationId: getProfile
tags:
- Profiles
summary: Get Profile
responses:
'200':
description: The requested Profile.
content:
application/json:
schema:
$ref: '#/components/schemas/Profile'
'404':
description: Profile not found.
patch:
operationId: updateProfile
tags:
- Profiles
summary: Update Profile
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/ProfileInput'
responses:
'200':
description: The updated Profile.
content:
application/json:
schema:
$ref: '#/components/schemas/Profile'
delete:
operationId: deleteProfile
tags:
- Profiles
summary: Delete Profile
description: Permanently delete a Profile and its associated data.
responses:
'204':
description: Profile deleted.
/profiles/{profileId}/connections:
parameters:
- name: profileId
in: path
required: true
schema:
type: string
get:
operationId: listConnections
tags:
- Connections
summary: List Connections
description: List the Connections belonging to a Profile.
responses:
'200':
description: A list of Connections.
content:
application/json:
schema:
type: object
properties:
connections:
type: array
items:
$ref: '#/components/schemas/Connection'
/profiles/{profileId}/connections/{connectionId}:
parameters:
- name: profileId
in: path
required: true
schema:
type: string
- name: connectionId
in: path
required: true
description: The Connection ID.
schema:
type: string
get:
operationId: getConnection
tags:
- Connections
summary: Get Connection
responses:
'200':
description: The requested Connection.
content:
application/json:
schema:
$ref: '#/components/schemas/Connection'
'404':
description: Connection not found.
delete:
operationId: deleteConnection
tags:
- Connections
summary: Delete Connection
description: >-
Disconnect and remove a Connection, stopping Quiltt from syncing data
from the underlying aggregator source.
responses:
'204':
description: Connection deleted.
/webhooks:
get:
operationId: listWebhooks
tags:
- Webhooks
summary: List Webhook Subscriptions
responses:
'200':
description: A list of webhook subscriptions.
content:
application/json:
schema:
type: object
properties:
webhooks:
type: array
items:
$ref: '#/components/schemas/Webhook'
post:
operationId: createWebhook
tags:
- Webhooks
summary: Create Webhook Subscription
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/WebhookInput'
responses:
'201':
description: The created webhook subscription.
content:
application/json:
schema:
$ref: '#/components/schemas/Webhook'
/webhooks/{webhookId}:
parameters:
- name: webhookId
in: path
required: true
schema:
type: string
get:
operationId: getWebhook
tags:
- Webhooks
summary: Get Webhook Subscription
responses:
'200':
description: The requested webhook subscription.
content:
application/json:
schema:
$ref: '#/components/schemas/Webhook'
delete:
operationId: deleteWebhook
tags:
- Webhooks
summary: Delete Webhook Subscription
responses:
'204':
description: Webhook subscription deleted.
/users/sessions:
post:
operationId: issueSessionToken
tags:
- Session Tokens
summary: Issue Session Token
description: >-
Issue a Profile-scoped JWT session token. Authenticated with your API
Secret Key. Served from https://auth.quiltt.io/v1. Rate limited to
10 per hour and 20 per day per Profile.
servers:
- url: https://auth.quiltt.io/v1
requestBody:
required: true
content:
application/json:
schema:
$ref: '#/components/schemas/SessionTokenInput'
responses:
'201':
description: The issued session token.
content:
application/json:
schema:
$ref: '#/components/schemas/SessionToken'
'429':
description: Session token rate limit exceeded for this Profile.
/users/session:
get:
operationId: verifySessionToken
tags:
- Session Tokens
summary: Verify Session Token
description: >-
Verify a session token. Pass the session token itself as the Bearer
credential. Served from https://auth.quiltt.io/v1.
servers:
- url: https://auth.quiltt.io/v1
security:
- sessionToken: []
responses:
'200':
description: The token is valid; returns its claims.
content:
application/json:
schema:
$ref: '#/components/schemas/SessionToken'
'401':
description: The token is invalid, revoked, or expired.
/users/sessions/revoke:
post:
operationId: revokeSessionToken
tags:
- Session Tokens
summary: Revoke Session Token
description: >-
Revoke a session token. Pass the token to revoke as the Bearer
credential. Served from https://auth.quiltt.io/v1.
servers:
- url: https://auth.quiltt.io/v1
security:
- sessionToken: []
responses:
'200':
description: The token was revoked.
components:
securitySchemes:
apiSecretKey:
type: http
scheme: bearer
description: Your Quiltt API Secret Key used for Admin and token-issuance calls.
sessionToken:
type: http
scheme: bearer
description: A Profile-scoped JWT session token.
schemas:
Profile:
type: object
properties:
id:
type: string
example: p_17KTMuJseY4Cx2LcbgKA7wU
uuid:
type: string
description: Your own external identifier for the Profile.
name:
type: string
email:
type: string
format: email
phone:
type: string
birthday:
type: string
format: date
address:
type: object
additionalProperties: true
metadata:
type: object
additionalProperties: true
description: Arbitrary key-value data you store on the Profile.
connectionIds:
type: array
items:
type: string
createdAt:
type: string
format: date-time
updatedAt:
type: string
format: date-time
ProfileInput:
type: object
properties:
uuid:
type: string
name:
type: string
email:
type: string
format: email
phone:
type: string
birthday:
type: string
format: date
address:
type: object
additionalProperties: true
metadata:
type: object
additionalProperties: true
Connection:
type: object
properties:
id:
type: string
provider:
type: string
enum:
- PLAID
- MX
- FINICITY
- MASTERCARD
description: The underlying aggregator source.
status:
type: string
enum:
- INITIALIZING
- SYNCING
- SYNCED
- DISCONNECTED
- ERROR_REPAIRABLE
- ERROR_SERVICE
- ERROR_INSTITUTION
description: Sync status of the Connection.
institution:
type: object
properties:
name:
type: string
logo:
type: string
externallyManaged:
type: boolean
metadata:
type: object
additionalProperties: true
createdAt:
type: string
format: date-time
updatedAt:
type: string
format: date-time
SessionTokenInput:
type: object
properties:
userId:
type: string
description: An existing Profile ID to scope the token to.
uuid:
type: string
description: Your external identifier; creates a Profile if none exists.
email:
type: string
format: email
metadata:
type: object
additionalProperties: true
SessionToken:
type: object
properties:
token:
type: string
description: The JWT session token.
userId:
type: string
environmentId:
type: string
expiration:
type: integer
description: Unix timestamp when the token expires.
expiresAt:
type: string
format: date-time
Webhook:
type: object
properties:
id:
type: string
url:
type: string
format: uri
events:
type: array
items:
type: string
example:
- profile.created
- connection.synced.successful
- account.verified
enabled:
type: boolean
createdAt:
type: string
format: date-time
WebhookInput:
type: object
required:
- url
- events
properties:
url:
type: string
format: uri
events:
type: array
items:
type: string
enum:
- profile.created
- connection.synced.successful
- connection.synced.successful.initial
- connection.synced.successful.historical
- connection.synced.errored.repairable
- account.verified