Authenticate GraphQL Requests

费凯康
2023-12-01

Overview

Stitch enforces collection rules for all GraphQL operations. This means that every GraphQL request must be made by a logged-in user of your Stitch application.

The GraphQL API uses Stitch client access tokens to authorize requests. This guide demonstrates how to get a valid access token for a user and how to refresh the access token after it expires.

Example

The following request demonstrates how to include an access token for a user with each request. Replace <Access Token> with the access_token value that you want to use and <App ID> with the ID of your Stitch application.

curl --location --request POST 'https://stitch.mongodb.com/api/client/v2.0/app/<App ID>/graphql' \
  --header 'Authorization: Bearer <Access Token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{"query":"query AllMovies {\n movies {\n title\n year\n }\n}"}'

Get a Client API Access Token

To get an access token, you need to authenticate with the Stitch Client HTTP API using the user's login credentials. The Client API authentication endpoints accept valid user credentials in the body of a POST request and use the following URL form, where <App ID> and <Provider Type> are placeholders for your application ID and the authentication provider:

https://stitch.mongodb.com/api/client/v2.0/app/<App ID>/auth/providers/<Provider Type>/login

Example

The following request authenticates a Stitch user with the client API. The request body specifies the user’s login credentials.

curl --location --request POST 'https://stitch.mongodb.com/api/client/v2.0/app/myapp-abcde/auth/providers/anon-user/login'

The authentication request is successful, so the response body includes access_token and refresh_token values for the user. Each of these values is a JSON web token string that identifies the authenticated user and authorizes requests on their behalf.

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1Nzg5NjY1MTYsImlhdCI6MTU3ODk2NDcxNiwiaXNzIjoiNWUxZDE2ZWM4YWM5M2QzMGFjNDg0ZTk0Iiwic3RpdGNoX2RldklkIjoiMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwIiwic3RpdGNoX2RvbWFpbklkIjoiNWRkODFiYmU3NTFhYzk2ZDM3NmI1Mjg1Iiwic3ViIjoiNWUxM2E0MWUxYjM4ZDM1ODQzMGVkMWYzIiwidHlwIjoiYWNjZXNzIn0.WnWJM01meRDZRVIPr7tXqHcXSgrz0refMrpx7bMVgeQ",
  "refresh_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE1ODQxNDg3MTYsImlhdCI6MTU3ODk2NDcxNiwic3RpdGNoX2RhdGEiOm51bGwsInN0aXRjaF9kZXZJZCI6IjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCIsInN0aXRjaF9kb21haW5JZCI6IjVkZDgxYmJlNzUxYWM5NmQzNzZiNTI4NSIsInN0aXRjaF9pZCI6IjVlMWQxNmVjOGFjOTNkMzBhYzQ4NGU5NCIsInN0aXRjaF9pZGVudCI6eyJpZCI6IjVlMTNhNDFlMWIzOGQzNTg0MzBlZDFmMiIsInByb3ZpZGVyX3R5cGUiOiJsb2NhbC11c2VycGFzcyIsInByb3ZpZGVyX2lkIjoiNWUxM2E0MDUxYjM4ZDM1ODQzMGVkMWI3In0sInN1YiI6IjVlMTNhNDFlMWIzOGQzNTg0MzBlZDFmMyIsInR5cCI6InJlZnJlc2gifQ.fqr19MaUykKqi8C8csJUUzNe9jQOucPbtcc0soWgc5k"
}

Refresh a Client API Access Token

Access tokens expire 30 minutes after Stitch grants them. When an access token expires, you can either request another access token using the user's credentials or use the refresh token to request a new access token without including the user's credentials.

The Client API session refresh endpoint accepts a POST request that includes the refresh token in the Authorization header and uses the following URL:

https://stitch.mongodb.com/api/client/v2.0/auth/session

Example

The following request demonstrates how to use a refresh token to get a new, valid access token. Replace <Refresh Token> with the refresh_token value for the access token that you want to refresh.

curl --location --request POST 'https://stitch.mongodb.com/api/client/v2.0/auth/session' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <Refresh Token>'
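
A client can act on the 30-minute expiry and keep the two token types apart by reading each token's own claims. The following Python code is an added example, not part of the original MongoDB documentation; it assumes the exp and typ claims that appear when the sample tokens above are decoded, and the helper names and sample tokens are constructed for illustration.

```python
import base64
import json
import time

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.

    Suitable only for client-side scheduling; the server remains the
    authority on whether a token is actually valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def needs_refresh(access_token, now=None, skew=60):
    """True when the token is expired or within `skew` seconds of expiring."""
    now = time.time() if now is None else now
    return jwt_claims(access_token)["exp"] - skew <= now

def bearer_header(token, endpoint):
    """Build the Authorization header, refusing a token of the wrong type.

    Assumption: `typ` is "access" or "refresh", as in the decoded samples.
    The long-lived refresh token should only ever reach /auth/session.
    """
    wanted = "refresh" if endpoint.endswith("/auth/session") else "access"
    if jwt_claims(token).get("typ") != wanted:
        raise ValueError(f"{endpoint} expects a {wanted} token")
    return {"Authorization": f"Bearer {token}"}

def make_sample_token(claims):
    """Constructed sample token with a dummy signature (not a credential)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "c2ln"])

# Constructed claims: issued at ISSUED, access token expiring 30 minutes later.
ISSUED = 1578964716
ACCESS = make_sample_token({"iat": ISSUED, "exp": ISSUED + 1800, "typ": "access"})
REFRESH = make_sample_token({"iat": ISSUED, "exp": ISSUED + 5184000, "typ": "refresh"})
GRAPHQL_URL = "https://stitch.mongodb.com/api/client/v2.0/app/myapp-abcde/graphql"
SESSION_URL = "https://stitch.mongodb.com/api/client/v2.0/auth/session"
```

Call needs_refresh before each GraphQL request and, when it returns True, send the refresh token to the session endpoint first; bearer_header raises if the refresh token is about to be sent anywhere else.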


© MongoDB, Inc 2008-present. MongoDB, Mongo, and the leaf logo are registered trademarks of MongoDB, Inc.