Authentication

Client vs. Server Authentication

Server Authentication

Every Prequel account has access to associated API keys. These API keys can be used to replicate any behavior you see in the Prequel Admin UI.

Client Authentication

If you decide to embed your Prequel-powered features in your app so that your users can self-serve, you may use your API keys to generate Scoped Auth Tokens for use in your clients.

Overview of Authentication Keys/Tokens

Understanding Our Terminology: First Party vs. Third Party

  • First Party refers to Prequel users (the First Party).
  • Third Party refers to Prequel users' (the First Party's) customers.

| Type of Prequel Authentication Token | Intended Usage | Scope |
| --- | --- | --- |
| API keys | Server | Scoped to a specific First Party Staging or Production Environment (including all Third Party resources) |
| Scoped Auth Token: POST | Client | Scoped to a specific Third Party & destination. Grants the ability to POST resources with only those destination details. Grants the ability to PATCH resources with only those destination details, except for host and bucket name which are prohibited to PATCH for security reasons. |
| Scoped Auth Token: GET | Client | Scoped to a specific Third Party. Grants the ability to GET all related Third Party resources and details. |

Generating Scoped Auth Tokens

The generation of a Scoped Auth Token (required for all Prequel React SDK Hooks) must happen on the server.

This short-lived Scoped Auth Token is used to authenticate client-side requests made to Prequel. This scoped token allows you to make requests directly from your web application to Prequel, without having to proxy them through the backend.

To generate this auth token, your backend should make an API request to Prequel's Generate Scoped Auth Token endpoint. It's important that the backend specify certain fields in the destination passed to this request: specifically, the user's id_in_provider_system. This is how Prequel knows that this token can only be used to submit and retrieve data for a given tenant.

Once you've implemented the backend functionality to generate the token, you will need to define a fetchToken function in your frontend that hits the relevant backend endpoint, and that can be passed to Prequel hooks.
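
The backend half of this flow, as an added example that is not Prequel's own code: the tenant identifier is taken from the server-side session rather than from the browser, and the API key stays on the server. The endpoint URL, the `X-API-KEY` header name, the request and response body shapes, the `session.tenantId` field and all function names are assumptions; take the real values from the API reference.

```javascript
// Added example: server-side logic for minting a Scoped Auth Token.
// ASSUMPTIONS (not taken from this page): the endpoint URL, the header name,
// the request/response body shape, and every function name below.
const PREQUEL_TOKEN_URL = "https://api.example.invalid/generate-scoped-auth-token"; // placeholder

// Build the upstream request. id_in_provider_system comes only from the
// authenticated server-side session, so a client cannot ask for a token
// scoped to another tenant.
function buildTokenRequest(session, clientDestination, apiKey) {
  if (!session || !session.tenantId) {
    throw new Error("unauthenticated");
  }
  const claimed = clientDestination && clientDestination.id_in_provider_system;
  if (claimed !== undefined && claimed !== session.tenantId) {
    throw new Error("tenant mismatch"); // worth logging: possible cross-tenant attempt
  }
  // Spread first, then overwrite, so the session value always wins.
  const destination = { ...clientDestination, id_in_provider_system: session.tenantId };
  return {
    url: PREQUEL_TOKEN_URL,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", "X-API-KEY": apiKey },
      body: JSON.stringify({ destination }),
    },
  };
}

// Body of the backend endpoint that the frontend fetchToken function calls.
// httpFetch is injected (global fetch in production, a stub in tests).
// Only the short-lived scoped token is returned to the browser.
async function issueScopedToken(session, clientDestination, apiKey, httpFetch) {
  const { url, options } = buildTokenRequest(session, clientDestination, apiKey);
  const res = await httpFetch(url, options);
  if (!res.ok) throw new Error(`token request failed: ${res.status}`);
  const { scoped_token } = await res.json(); // assumed response field
  return { token: scoped_token };
}
```
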