Authentication
Client vs. Server Authentication
Server Authentication
Every Prequel account has access to associated API keys. These API keys can be used to replicate any behavior you see in the Prequel Admin UI.
Client Authentication
If you decide to embed your Prequel powered features in your app for your users to self-serve, you may use your API keys to generate Scoped Auth Tokens for use in your clients.
Overview of Authentication Keys/Tokens
Understanding Our Terminology: First Party vs. Third Party
- First Party refers to Prequel users (the First Party).
- Third Partyrefers to Prequel users' (the First Party's) customers.
Type of Prequel Authentication Token | Intended Usage | Scope |
---|---|---|
API keys | Server | Scoped to a specific First Party Staging or Production Environment (including all Third Party resources) |
Scoped Auth Token: POST | Client | Scoped to a specific Third Party & destination. Grants the ability to POST resources with only those destination details. Grants the ability to PATCH resources with only those destination details, except for host and bucket name which are prohibited to PATCH for security reasons. |
Scoped Auth Token: GET | Client | Scoped to a specific Third Party. Grants the ability to GET all related Third Party resources and details. |
Generating Scoped Auth Tokens
The generation of a Scoped Auth Token (required for all Prequel React SDK Hooks) must happen on the server.
This short-lived Scoped Auth Token is used to authenticate client-side requests made to Prequel. This scoped token allows you to make requests directly from your web application to Prequel, without having to proxy them through the backend.
To generate this auth token, your backend should make an API request to Prequel's Generate Scoped Auth Token endpoint. It's important that the backend specify certain fields in the destination passed to this request: specifically, the user's id_in_provider_system
. This is how Prequel knows that this token can only be used to submit and retrieve data for a given tenant.
Once you've implemented the backend functionality to generate the token, you will need to define a fetchToken
function in your frontend that hits the relevant backend endpoint, and that can be passed to Prequel hooks.
Updated 5 months ago