Privileged Authentication
Some operations require more privileged authentication. For example, if any user could invoke the transfer mutation, they would be able to transfer as many NFTs as they wanted to themselves, so we probably only want the application to be able to initiate that operation!
For operations that should only be initiated from the app or app admin's context, we support two forms of privileged authentication.
Backend Authentication
Backend authentication amounts to your application authenticating as itself, instead of in the AppUser context.
Backend authentication allows the App to perform any privileged operation against your application's resources.
For this reason, it's extremely important to only use this kind of authentication in your backend.
There are two ways of doing backend authentication: using your client secret or using OAuth.
Client Secret: Add your client secret header to the API call (backend only).
OpenID and OAuth: Authenticate using the OAuth Client Credentials grant. Many OAuth libraries support this.
The following snippets show you both options:
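An added example, not the platform's own snippet, covering the OAuth option only: a backend helper that performs the Client Credentials grant and keeps the resulting token in server memory until shortly before it expires. The token URL, the environment variable names, every function and class name, and the use of HTTP Basic for client authentication are assumptions; take the real values from your OAuth configuration.

```python
import base64
import json
import os
import time
import urllib.parse
import urllib.request

# Assumption: placeholder URL; use the token endpoint from your OAuth configuration.
TOKEN_URL = "https://auth.example.invalid/oauth/token"


def build_token_request(client_id, client_secret):
    """Client Credentials request (RFC 6749 4.4); the app authenticates via HTTP Basic."""
    quote = urllib.parse.quote_plus
    pair = f"{quote(client_id)}:{quote(client_secret)}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(pair).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return headers, urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()


def http_transport(url, headers, body):
    """POST the token request and parse the JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class BackendTokenProvider:
    """Keeps the app's access token in backend memory and renews it before expiry."""
    def __init__(self, client_id, client_secret, transport=http_transport,
                 clock=time.monotonic, skew=30):
        self._creds = (client_id, client_secret)
        self._transport, self._clock, self._skew = transport, clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            headers, body = build_token_request(*self._creds)
            resp = self._transport(TOKEN_URL, headers, body)
            self._token = resp["access_token"]
            self._expires_at = self._clock() + float(resp.get("expires_in", 0))
        return self._token


def provider_from_env():
    # Hypothetical variable names: the secret is read from the backend's environment.
    return BackendTokenProvider(os.environ["APP_CLIENT_ID"], os.environ["APP_CLIENT_SECRET"])
```

The `transport` and `clock` parameters exist so the renewal logic can be exercised without a network call; if a token response carries no `expires_in`, the provider requests a fresh token on every call rather than reusing one of unknown lifetime.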
Admin Authentication
In some situations, you may want members of your development team to log into your application and perform privileged operations. Most of these operations can be handled in the Admin Portal, but you can also authenticate your team members as AdminUsers instead.
This works exactly like User Authentication, except that you add the admin scope to your OAuth configuration.