Authentication
The External API uses JWT bearer tokens. You exchange a clientId and secret for a JWT, then send the JWT on every subsequent request.
Get a JWT
Run the mutation below — fill in your clientId and secret in the variables, click Run, then Save as JWT to store the token for use by other interactive examples in these docs.
mutation authenticate($input: AuthenticateInput!) {
  authenticate(input: $input) {
    authenticationPayload {
      jwt
    }
  }
}
Use the JWT
Send the token as a Bearer credential on every request:
POST /graphql
Authorization: Bearer eyJhbGciOi...
Content-Type: application/json

{ "query": "{ ... }" }
The runnable examples elsewhere in these docs read the saved JWT from your browser's localStorage automatically.
What's on the token
Once you authenticate, the JWT carries:
- sub/clientId — the API key's client ID.
- organizationId — the board (organization) this key is provisioned for. Every query is filtered to this ID automatically — you never pass it as an argument.
- scope — one or more <feature>:read or <feature>:write claims, controlling which queries and mutations you can call. The features are organization, members, and events.
Errors
- Invalid credentials — the clientId doesn't exist, or the secret doesn't match.
- API key has been revoked — the key has been deactivated. Contact Unioo to issue a new one.
Tokens are time-limited; obtain a new one when it expires by calling authenticate again.
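
A client can read the claims described under "What's on the token" to decide, before sending a request, whether the token covers the call and whether it is time to call authenticate again. The Node.js sketch below is an added example, not code from these docs or from Unioo. It assumes the expiry is carried in a standard `exp` claim and that `scope` is a space-delimited string or an array; the helper names and sample values are hypothetical.

```javascript
// Decode a JWT payload WITHOUT verifying the signature. This is for client-side
// pre-checks only; the API remains the authority on validity and access.
function decodeClaims(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Assumption: scope is a space-delimited string or an array of strings.
function scopesOf(claims) {
  if (Array.isArray(claims.scope)) return claims.scope;
  return typeof claims.scope === "string" ? claims.scope.split(/\s+/).filter(Boolean) : [];
}

// Exact match on "<feature>:<access>"; write is not assumed to imply read.
function allows(claims, feature, access) {
  return scopesOf(claims).includes(`${feature}:${access}`);
}

// Assumption: expiry is the standard `exp` claim (seconds since epoch).
// Without a numeric `exp` we cannot tell locally, so the server decides.
function needsRefresh(claims, nowSec, skewSec = 30) {
  return typeof claims.exp === "number" && claims.exp - skewSec <= nowSec;
}

// Returns request headers, or the reason the call should not be sent yet.
function preflight(jwt, feature, access, nowSec = Math.floor(Date.now() / 1000)) {
  const claims = decodeClaims(jwt);
  if (needsRefresh(claims, nowSec)) return { ok: false, reason: "expired: call authenticate again" };
  if (!allows(claims, feature, access)) return { ok: false, reason: `missing scope ${feature}:${access}` };
  return { ok: true, headers: { Authorization: `Bearer ${jwt}`, "Content-Type": "application/json" } };
}

// Constructed sample token: made-up claim values and a placeholder signature.
function makeSampleJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.constructed-signature`;
}

const sample = makeSampleJwt({ sub: "client-123", organizationId: "org-1",
  scope: "members:read events:write", exp: 1700000600 });
console.log(preflight(sample, "members", "read", 1700000000).ok);
console.log(preflight(sample, "members", "write", 1700000000).reason);
```

These checks only avoid requests that would be rejected anyway; the decoded claims are unverified and must not be used for any trust decision on the client.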