Privileged Authentication
Some operations require more privileged authentication — for example, if any user could invoke the mutation, they would be able to transfer as many NFTs as they wanted to themselves, so we probably only want the application to be able to initiate that operation!
For operations that should only be initiated from the app or app admin's context, we support two forms of privileged authentication.
Backend authentication amounts to your application authenticating as itself, instead of in the AppUser context.
Backend authentication allows the App to perform any privileged operation against your application's resources.
For this reason, it's extremely important to only use this kind of authentication in your backend.
There are two ways of doing backend authentication - using your client secret or using OAuth.
Client Secret: Add your client secret header into the API Call (backend only).
OpenID and OAuth: Authenticate using the grant. Many OAuth libraries support this.
The following snippets show you both options:
In some situations, you may want members of your development team to log into your application and perform privileged operations. Most of these operations can be handled in the , but you can also authenticate your team members as AdminUsers instead.
This works exactly like , but adding the admin scope to your OAuth configuration.