Authenticated API Requests
How to perform an authenticated request
You can set up your API Endpoints to require user authentication in order to access them:
An Authenticated API request requires an access token to grant access in order to perform the API request. First, a token must be retrieved and then passed into the header of the API endpoint requiring authentication.
Xano uses JWE authentication tokens, which is a standard. You can read more on the Authentication page.
Xano creates three Authentication endpoints out-of-the-box. Two of them retrieve an authentication token: signup and login. And one requires an authentication token: GET the user record belonging to me. (Note: you can learn more about how to change, enable, and disable authentication settings here).
Per standard, JWE tokens are passed in the header of an API call using this format:
Authorization: Bearer xxx.yyy.zzz
Where xxx.yyy.zzz is the JWE token.
While testing in Run & Debug Xano enables you to just add the token to the header and automatically sets up Authorization: Bearer for you to be able to test quicker. For live endpoints, be sure to properly set up the header and token.
The token should be dynamic and unique for each user per authentication.
There are some front-end tools that might be limited in not being able to set up headers for an API call. Due to this, we created a get parameter to be able to pass the authorization token as a parameter in the URL. This is a rare use case and should only be used if you are unable to use the header method. The get parameter is as follows:
On an API endpoint endpoint URL, for example:
The /auth/signup and /auth/login endpoints retrieve a token. Once the token is retrieved, it can be used in the header of the /auth/me endpoint to run the API endpoint and get the user record belonging to the authentication token.
For this example, we are going to sign up a new user and retrieve an authentication token. Then, we are going to pass that authentication token into the header of the /auth/me endpoint, which requires authentication.
First, sign up a new user by entering the required input fields.
In the /auth/signup API endpoint, input the required fields to sign up a new user.
Then, hit run to run the API endpoint. The response will return the Authentication token.
Next, copy the authToken. Then paste it into the header of the /auth/me API endpoint, which requires the Authentication token.
If the Authentication token is accepted, then the API endpoint will run. In this case, it will return the record that is unique to the user with this Authentication token. Think of it like logging or signing into an app and looking at your user profile/settings/information.
In this example, the authToken was accepted and the API endpoint ran successfully returning the user record associated with the authToken.
We made it fast and easy to grab an authentication in token without having to first run the auth/login or auth/signup API endpoints.
When opening Run&Debug in Xano on an authenticated request, there is a blue icon on the left side of the header. Click the header to reveal to quickly grab a user in your database or search through them. Select one and an authentication will automatically be generated.
Once the authentication is generated, the endpoint can be executed. Additionally, a copy icon will show up on the right side of the auth token. Click this to easily copy the entire token.