User Authentication & User Data
Enable Authentication for a Table
Authentication starts with enabling the function on a table that contains user data. Typically, this would just be your user table. You can also enable authentication on multiple tables if you want separate authentication methods for different user groups, such as normal users and administrators.
Enable Authentication on an API Request
Once you've enabled authentication on a table, you can use each API endpoint's settings to note whether or not it requires authentication.
When a request is sent to API endpoints that require authentication, an authorization token is sent in the headers of the request, which Xano checks against the table with authentication enabled, before allowing the request to continue.
How does authentication work?
Authentication in Xano is powered by industry-standard JWE (JSON Web Encryption) tokens.
Once a token is generated (after login or signup), your app or website will send that token back to Xano for requests that require authentication.
A token is generated using the Create Authentication Token function, and is typically used in conjunction with a standard login or signup authentication flow.
Adding Pre-built Authentication Endpoints
Building Sign-up and Login APIs
Below, you can review a typical login and signup flow; you are free to modify them to suit your needs. These are the same endpoints that Xano can add for you during signup.
Login

Signup

Extras
The extras payload is an optional setting that allows you to store additional information securely inside the token, such as a user role or other additional information.
Additional Notes
Alternative Authentication Headers
If you need to provide a secondary authentication header that takes precedence over the original Xano authentication, you can do so by sending the X-Xano-Authorization-Only header along with your requests. This will allow you to move the Xano authentication token to its own header, keeping the original standard Authorization header for something else.
Use the X-Xano-Authorization-Only header when requests to your Xano APIs come from a source that already uses the Authorization header for something other than Xano authentication, on both public and authentication-required endpoints.
Example:
# For a public Xano endpoint that sends an Authorization header
curl "http://localhost:9999/api:elnQNVvy:v1/public_test" \
  -H "X-Xano-Authorization-Only: true"

# For a private (authenticated) Xano endpoint that receives an Authorization header
# that is not a Xano auth token
curl "http://localhost:9999/api:elnQNVvy:v1/private_test" \
  -H "X-Xano-Authorization: Bearer ey...." \
  -H "X-Xano-Authorization-Only: true"
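The following client wrapper is an added example, not code from Xano or this page. It ties together the token flow described under "How does authentication work?" (log in, keep the returned token, send it back on requests that require authentication) and the header choice described under "Alternative Authentication Headers": by default the token goes in the standard Authorization header, and when that header is needed for another system the token moves to X-Xano-Authorization with X-Xano-Authorization-Only: true. The base URL is taken from the curl examples above; the login endpoint path /auth/login, its inputs (email, password) and its response shape { authToken } are assumptions modelled on a typical Xano login flow.

```javascript
// Added example (not Xano's own code). Assumed, not stated on the page:
// the /auth/login path, its email/password inputs and the { authToken } response.

const XANO_BASE_URL = "http://localhost:9999/api:elnQNVvy:v1"; // from the page's curl examples

// Decide which headers carry what.
//   token:              Xano auth token, or null when calling a public endpoint
//   otherAuthorization: value another system needs in the standard Authorization
//                       header (e.g. a gateway credential), or null if unused
// Returns a plain object so the selection logic can be checked without a network call.
function buildXanoHeaders(token, otherAuthorization = null) {
  const headers = { "Content-Type": "application/json" };

  if (otherAuthorization !== null) {
    // Authorization is taken by something else: tell Xano to ignore it and
    // look only at its own header (sent on public and private endpoints alike).
    headers["Authorization"] = otherAuthorization;
    headers["X-Xano-Authorization-Only"] = "true";
    if (token !== null) headers["X-Xano-Authorization"] = `Bearer ${token}`;
  } else if (token !== null) {
    headers["Authorization"] = `Bearer ${token}`;
  }
  return headers;
}

// Pull the token out of a login/signup response body and validate its shape.
// The token is a JWE, i.e. encrypted: the client cannot read the extras stored
// inside it, so it is treated as an opaque string and never parsed here.
function extractAuthToken(body) {
  if (!body || typeof body.authToken !== "string" || body.authToken.length === 0) {
    throw new Error("login response did not contain an authToken string");
  }
  return body.authToken;
}

class XanoClient {
  constructor(baseUrl, { otherAuthorization = null, fetchImpl = globalThis.fetch } = {}) {
    this.baseUrl = baseUrl;
    this.otherAuthorization = otherAuthorization;
    this.fetch = fetchImpl;
    this.token = null; // kept in memory only
  }

  // Login endpoint is public: no token yet, but the alternative header still applies.
  async login(email, password) {
    const res = await this.fetch(`${this.baseUrl}/auth/login`, {
      method: "POST",
      headers: buildXanoHeaders(null, this.otherAuthorization),
      body: JSON.stringify({ email, password }),
    });
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    this.token = extractAuthToken(await res.json());
    return this.token;
  }

  // Call any endpoint; ones that require authentication get the stored token.
  async request(path, { method = "GET", body = undefined } = {}) {
    const res = await this.fetch(`${this.baseUrl}${path}`, {
      method,
      headers: buildXanoHeaders(this.token, this.otherAuthorization),
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (res.status === 401) {
      this.token = null; // token was rejected against the auth table: force a fresh login
      throw new Error(`unauthorized: ${path}`);
    }
    if (!res.ok) throw new Error(`request failed: HTTP ${res.status}`);
    return res.json();
  }
}

// Usage (assumed endpoint and credentials):
//   const client = new XanoClient(XANO_BASE_URL, { otherAuthorization: "Basic <gateway-cred>" });
//   await client.login("user@example.com", "password");
//   const me = await client.request("/private_test");
```

Keeping the token only in memory and dropping it on a 401 means a revoked or expired token is never retried; because the token is a JWE, anything placed in the extras payload (such as a role) has to be returned to the client separately if the front end needs it.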