All GraphQL requests to the Pylon API require authentication using OAuth Bearer tokens.

Authentication header

Include your access token in the Authorization header:
Authorization: Bearer YOUR_ACCESS_TOKEN

Making authenticated requests

Using fetch

const response = await fetch("https://pylon.mortgage/graphql", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${accessToken}`,
  },
  body: JSON.stringify({
    query: `
      query GetDeals {
        deals {
          id
          status
        }
      }
    `,
  }),
});

Using GraphQL client

Most GraphQL clients support setting default headers:
import { GraphQLClient } from "graphql-request";

const client = new GraphQLClient("https://pylon.mortgage/graphql", {
  headers: {
    Authorization: `Bearer ${accessToken}`,
  },
});

const data = await client.request(`
  query GetDeals {
    deals {
      id
      status
    }
  }
`);

Getting access tokens

Access tokens are obtained through OAuth 2.0. See the Authentication guide for details on:
  • Obtaining client credentials
  • Exchanging credentials for tokens
  • Refreshing expired tokens

Token expiration

Access tokens expire after a set period. Handle token expiration by refreshing the token and retrying the request once when the API responds with 401:
async function makeGraphQLRequest(query, variables) {
  let token = getAccessToken();

  let response = await fetch("/graphql", {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify({ query, variables }),
  });

  // If unauthorized, refresh token and retry
  if (response.status === 401) {
    token = await refreshAccessToken();
    response = await fetch("/graphql", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`,
      },
      body: JSON.stringify({ query, variables }),
    });
  }

  return response.json();
}

Error responses

Unauthenticated requests return:
{
  "errors": [
    {
      "message": "Unauthorized",
      "extensions": {
        "code": "UNAUTHENTICATED"
      }
    }
  ]
}

Best practices

  1. Store tokens securely - Never expose tokens in client-side code
  2. Refresh before expiration - Refresh tokens proactively
  3. Handle errors gracefully - Redirect to login on authentication errors
  4. Use HTTPS - Always use HTTPS in production
  5. Rotate tokens - Regularly rotate access tokens for security
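
One way to implement "refresh before expiration" together with a check for the UNAUTHENTICATED error response shown above, as an added example that is not part of the Pylon documentation. `fetchToken` and `send` are hypothetical callbacks supplied by the caller, and the `access_token` / `expires_in` field names are assumed from the standard OAuth 2.0 token response.

```javascript
// Added example, not Pylon's code. fetchToken is a hypothetical callback that
// performs the OAuth 2.0 exchange and resolves to { access_token, expires_in }
// (standard OAuth 2.0 token response fields, assumed here).
function createTokenManager(fetchToken, { skewMs = 60_000, now = Date.now } = {}) {
  let token = null;
  let expiresAt = 0;
  let inFlight = null; // shared promise: concurrent callers trigger one refresh

  function refresh() {
    if (!inFlight) {
      inFlight = fetchToken()
        .then(({ access_token, expires_in }) => {
          token = access_token;
          expiresAt = now() + expires_in * 1000;
          return token;
        })
        .finally(() => { inFlight = null; });
    }
    return inFlight;
  }

  return {
    // Reuse the cached token until it is within skewMs of expiring.
    async getToken() {
      return token && now() < expiresAt - skewMs ? token : refresh();
    },
    // Drop the cached token after the API rejects it.
    invalidate() { token = null; expiresAt = 0; },
  };
}

// True when a response body carries the UNAUTHENTICATED code shown above.
function isUnauthenticated(body) {
  return Array.isArray(body?.errors) &&
    body.errors.some((e) => e?.extensions?.code === "UNAUTHENTICATED");
}

// send(token) is a hypothetical caller-supplied function that posts the query
// with the bearer token and resolves to the parsed JSON body.
async function requestWithAuth(tokens, send) {
  let body = await send(await tokens.getToken());
  if (isUnauthenticated(body)) {
    tokens.invalidate(); // cached token was rejected
    body = await send(await tokens.getToken()); // retry once, fresh token
    if (isUnauthenticated(body)) throw new Error("UNAUTHENTICATED after refresh");
  }
  return body;
}
```

The single shared `inFlight` promise keeps a burst of parallel requests from each firing its own refresh, and the retry is capped at one attempt so a revoked credential fails fast instead of looping.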