Authenticated API Requests

How to perform an authenticated request

You can set up your API endpoints to require user authentication in order to access them.

Related

How to Set up User Sign up and Log in using your API

How an Authenticated request works

An authenticated API request requires an access token. First, the token must be retrieved; it is then passed in the header of the request to the API endpoint that requires authentication.

Xano uses JWE authentication tokens, which are a standard. You can read more on the Authentication page.

Xano creates three authentication endpoints out of the box. Two of them retrieve an authentication token: signup and login. One requires an authentication token: GET the user record belonging to me. (Note: you can learn more about how to change, enable, and disable authentication settings here.)

Authentication Header

Per standard, JWE tokens are passed in the header of an API call using this format:

Authorization: Bearer xxx.yyy.zzz

Where xxx.yyy.zzz is the JWE token.

While testing in Run & Debug, Xano lets you add just the token to the header and automatically sets up Authorization: Bearer for you, so you can test more quickly. For live endpoints, be sure to properly set up the header and token.

The token should be dynamic and unique for each user per authentication.

Alternative Parameter Method

Some front-end tools cannot set headers for an API call. For these, we created a GET parameter that passes the authorization token in the URL. This is a rare use case and should only be used if you are unable to use the header method. The GET parameter is as follows: ?authtoken=xxx.yyy.zzz

On an API endpoint URL, for example:

https://x9qk-rkcz-tbuf.n7.xano.io/api:kEw3R3wz/course?authtoken=xxx.yyy.zzz

Example of Authenticated Request

For this example, we are going to sign up a new user and retrieve an authentication token. Then, we are going to pass that authentication token into the header of the /auth/me endpoint, which requires authentication.

First, sign up a new user by entering the required input fields.

Then, hit run to run the API endpoint. The response will return the Authentication token.

Next, copy the authToken. Then paste it into the header of the /auth/me API endpoint, which requires the Authentication token.

If the authentication token is accepted, then the API endpoint will run. In this case, it will return the record that is unique to the user with this authentication token. Think of it like logging in or signing in to an app and looking at your user profile/settings/information.
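The same flow outside Run & Debug, as an added example (not Xano's own code): it takes the authToken from a signup response, builds the /auth/me request with the Authorization: Bearer header, and covers the ?authtoken= parameter method together with masking that parameter before a URL is logged. The base URL is a placeholder, the sample response body is constructed, and the function names are hypothetical.

```python
import json
import urllib.request
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: placeholder base URL; substitute your own instance and API group.
BASE_URL = "https://example.invalid/api:PLACEHOLDER"


def token_from_auth_response(body: str) -> str:
    """Pull authToken out of a signup/login JSON response, failing closed."""
    data = json.loads(body)
    token = data.get("authToken") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token or any(c.isspace() for c in token):
        raise ValueError("no usable authToken in response")
    return token


def authed_request(path: str, token: str) -> urllib.request.Request:
    """Header method (preferred): the token never appears in the URL."""
    headers = {"Authorization": f"Bearer {token}"}
    return urllib.request.Request(BASE_URL + path, headers=headers, method="GET")


def authed_url_fallback(path: str, token: str) -> str:
    """Parameter method, for tools that cannot set request headers."""
    return f"{BASE_URL}{path}?{urlencode({'authtoken': token})}"


def redact_for_log(url: str) -> str:
    """Mask the authtoken value before a URL is logged; URLs are commonly
    kept in access logs and browser history, so a raw token would persist."""
    parts = urlsplit(url)
    query = [(k, "REDACTED" if k.lower() == "authtoken" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(query)))


if __name__ == "__main__":
    # Constructed sample of a signup response body (not real output).
    token = token_from_auth_response('{"authToken": "xxx.yyy.zzz"}')
    req = authed_request("/auth/me", token)
    print(req.get_method(), req.full_url)
    # To send it: urllib.request.urlopen(req, timeout=10)
    print(redact_for_log(authed_url_fallback("/course", token)))
```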

Easy Auth Token Retrieval in Xano

We made it fast and easy to grab an authentication token without having to first run the auth/login or auth/signup API endpoints.

When opening Run & Debug in Xano on an authenticated request, there is a blue icon on the left side of the header. Click the header to quickly grab a user in your database or search through them. Select one and an authentication token will automatically be generated.

Once the authentication token is generated, the endpoint can be executed. Additionally, a copy icon will show up on the right side of the auth token. Click this to easily copy the entire token.
