Authentication
Pylo supports two authentication methods: OAuth2 for user-facing applications and API tokens for server-to-server integrations.
Authentication Methods
| Method | Best For | Token Lifetime |
|---|---|---|
| User Login (OAuth2) | Web applications, user sessions | 1 hour (auto-refresh) |
| API Tokens | Server integrations, scripts, CI/CD | Long-lived |
Choosing the Right Method
Use User Login when you're building a web application with user sessions, users need to log in with credentials, or you need user-specific permissions. The Auth SDK handles login, logout, and token refresh automatically.
Use API Tokens when you're building server-to-server integrations, running automated scripts, or need long-lived credentials without user login.
Making Authenticated Requests
With OAuth2 (Bearer token):

```shell
curl -X POST https://api.pyloapp.com/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -d '{"query": "{ me { id email } }"}'
```

With API Token:
```shell
curl -X POST https://api.pyloapp.com/graphql \
  -H "Content-Type: application/json" \
  -H "pylo-api-key: YOUR_API_KEY" \
  -d '{"query": "{ customerList { data { id name } } }"}'
```

Both values are secrets. Send them only in request headers as shown, never as query-string parameters, and keep them out of shell history, logs and source control.

OAuth2 Flow
- User submits email and password
- Pylo validates the credentials and returns an auth token and a refresh token
- The auth token (valid for 1 hour) is sent as a Bearer token on API requests
- The refresh token (valid for 7 days) is exchanged for a new auth token; it is the longer-lived credential, so keep it out of URLs, logs and any storage that untrusted code can read
Login Mutation

```graphql
mutation Login($input: AuthRequest!) {
  login(input: $input) {
    data {
      auth_token
      refresh_token
    }
  }
}
```

Token Refresh
```graphql
mutation RefreshToken($input: AuthRefreshRequest!) {
  refreshToken(input: $input) {
    data {
      auth_token
      refresh_token
    }
  }
}
```

Token Lifetime
| Token | Lifetime | Purpose |
|---|---|---|
| Auth Token | 1 hour | Used in Authorization header |
| Refresh Token | 7 days | Used to get new auth tokens |
Automatic Refresh
When using the Auth SDK, token refresh is handled automatically by the middleware. You don't need to manage tokens manually.
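As an added example, not code from Pylo's SDK or from this page: a small JavaScript client that walks the flow above (login, Bearer requests, refresh shortly before the 1-hour expiry, forced re-login once the 7-day refresh token is gone) against a constructed fake GraphQL endpoint so it runs offline. The input field names (`email`, `password`, `refresh_token`), the one-minute refresh margin, the sample credentials and the error shape for rejected tokens are assumptions; the real Auth SDK's API is not shown on this page.

```javascript
// Added example, not Pylo SDK code. Assumed (not stated on the page): AuthRequest is
// { email, password }, AuthRefreshRequest is { refresh_token }, and a rejected token
// comes back as a GraphQL "errors" entry rather than data.

const AUTH_TOKEN_TTL_MS = 60 * 60 * 1000;             // 1 hour (page)
const REFRESH_TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days (page)
const REFRESH_SKEW_MS = 60 * 1000;                    // refresh 1 min early (assumption)

const LOGIN_MUTATION =
  'mutation Login($input: AuthRequest!) { login(input: $input) { data { auth_token refresh_token } } }';
const REFRESH_MUTATION =
  'mutation RefreshToken($input: AuthRefreshRequest!) { refreshToken(input: $input) { data { auth_token refresh_token } } }';

// Client side: holds the token pair and refreshes before the auth token expires.
// transport(body, headers) returns a parsed GraphQL response; now() returns ms.
class PyloAuthClient {
  constructor(transport, now = () => Date.now()) {
    this.transport = transport; this.now = now;
    this.authToken = null; this.refreshToken = null; this.authExpiresAt = 0;
  }
  login(email, password) {
    const res = this.transport({ query: LOGIN_MUTATION, variables: { input: { email, password } } }, {});
    if (res.errors) throw new Error(res.errors[0].message);
    this._store(res.data.login.data);
  }

  refresh() {
    const res = this.transport({ query: REFRESH_MUTATION, variables: { input: { refresh_token: this.refreshToken } } }, {});
    if (res.errors) {
      // Refresh token rejected (e.g. past its 7 days): drop local state and
      // require a fresh login rather than retrying with a dead credential.
      this.authToken = this.refreshToken = null;
      throw new Error('session expired, log in again');
    }
    this._store(res.data.refreshToken.data);
  }

  _store({ auth_token, refresh_token }) {
    this.authToken = auth_token;
    this.refreshToken = refresh_token; // rotated by the server on every refresh
    this.authExpiresAt = this.now() + AUTH_TOKEN_TTL_MS;
  }
  // Authenticated request: refresh first if the auth token is about to expire,
  // then send the Bearer header exactly as in the curl example above.
  request(query, variables = {}) {
    if (!this.authToken) throw new Error('not logged in');
    if (this.now() >= this.authExpiresAt - REFRESH_SKEW_MS) this.refresh();
    const res = this.transport({ query, variables }, { Authorization: `Bearer ${this.authToken}` });
    if (res.errors) throw new Error(res.errors[0].message);
    return res.data;
  }
}

// Constructed fake endpoint: numbered tokens, expiry on the same injected clock.
function makeFakeServer(now) {
  let n = 0;
  const auth = new Map(), refresh = new Map(); // token -> expiry (ms)
  const issue = () => {
    n += 1;
    auth.set(`auth-${n}`, now() + AUTH_TOKEN_TTL_MS);
    refresh.set(`refresh-${n}`, now() + REFRESH_TOKEN_TTL_MS);
    return { auth_token: `auth-${n}`, refresh_token: `refresh-${n}` };
  };
  const err = (message) => ({ errors: [{ message }] });
  return (body, headers) => {
    if (body.query === LOGIN_MUTATION) {
      const { email, password } = body.variables.input;
      if (email !== 'dev@example.com' || password !== 'correct horse') return err('invalid credentials');
      return { data: { login: { data: issue() } } };
    }
    if (body.query === REFRESH_MUTATION) {
      const rt = body.variables.input.refresh_token;
      if (!refresh.has(rt) || refresh.get(rt) <= now()) return err('invalid refresh token');
      refresh.delete(rt); // single use: the old refresh token dies on rotation
      return { data: { refreshToken: { data: issue() } } };
    }
    const m = /^Bearer (.+)$/.exec(headers.Authorization || '');
    if (!m || !auth.has(m[1]) || auth.get(m[1]) <= now()) return err('unauthenticated');
    return { data: { me: { id: '1', email: 'dev@example.com' } } };
  };
}

// Lifecycle on a fake clock: login, normal call, refresh near the hour, 7-day failure.
function runLifecycle() {
  let clock = 0;
  const client = new PyloAuthClient(makeFakeServer(() => clock), () => clock);
  client.login('dev@example.com', 'correct horse');
  const first = client.authToken;                  // auth-1
  client.request('{ me { id email } }');
  clock += AUTH_TOKEN_TTL_MS - 30 * 1000;          // 30 s before expiry
  client.request('{ me { id email } }');           // refreshes, then succeeds
  const second = client.authToken;                 // auth-2
  clock += REFRESH_TOKEN_TTL_MS + 1;               // refresh token now expired too
  let expired = null;
  try { client.request('{ me { id email } }'); } catch (e) { expired = e.message; }
  return { first, second, expired, loggedIn: client.authToken !== null };
}
```

Call `runLifecycle()` to watch the pair rotate from `auth-1`/`refresh-1` to `auth-2`/`refresh-2` and then fail closed. The design point is that the refresh token, not the one-hour auth token, is what keeps a session alive for a week: the client never sends it as a Bearer header, drops it as soon as the server rejects it, and the fake server retires each refresh token the moment it is used.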
Public Endpoints
To expose a public-facing endpoint that does not require user login, create an API token with the narrowest permissions that endpoint needs and send it in the pylo-api-key header alongside the request. Any token shipped to a public client is visible to everyone who uses that client, so it must carry no permissions beyond that one endpoint, and it should be revoked and reissued if it is exposed more widely than intended.