All GraphQL requests to the Pylon API require authentication using OAuth Bearer tokens.

Authentication header

Include your access token in the Authorization header:
Authorization: Bearer YOUR_ACCESS_TOKEN

Making authenticated requests

Using fetch

// accessToken holds the OAuth 2.0 access token (see "Getting access tokens")
const response = await fetch("https://pylon.mortgage/graphql", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
    Authorization: `Bearer ${accessToken}`,
  },
  body: JSON.stringify({
    query: `
      query GetDeals {
        deals {
          id
          status
        }
      }
    `,
  }),
});

Using GraphQL client

Most GraphQL clients support setting default headers:
import { GraphQLClient } from "graphql-request";

// accessToken holds the OAuth 2.0 access token (see "Getting access tokens")
const client = new GraphQLClient("https://pylon.mortgage/graphql", {
  headers: {
    Authorization: `Bearer ${accessToken}`,
  },
});

const data = await client.request(`
  query GetDeals {
    deals {
      id
      status
    }
  }
`);

Getting access tokens

Access tokens are obtained through OAuth 2.0. See the Authentication guide for details on:
  • Obtaining client credentials
  • Exchanging credentials for tokens
  • Refreshing expired tokens

Token expiration

Access tokens expire after a set period. Handle expiration by refreshing the token and retrying the request once:
// getAccessToken() and refreshAccessToken() are your application's own
// token-storage helpers (see "Getting access tokens").
async function makeGraphQLRequest(query, variables) {
  const send = (token) =>
    fetch("https://pylon.mortgage/graphql", {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
        Authorization: `Bearer ${token}`,
      },
      body: JSON.stringify({ query, variables }),
    });

  let response = await send(getAccessToken());

  // If unauthorized, refresh the token and retry once
  if (response.status === 401) {
    response = await send(await refreshAccessToken());
  }

  return response.json();
}

Error responses

Requests without a valid access token return a GraphQL error whose extensions.code is UNAUTHENTICATED:
{
  "errors": [
    {
      "message": "Unauthorized",
      "extensions": {
        "code": "UNAUTHENTICATED"
      }
    }
  ]
}
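The retry logic above only reacts to an HTTP 401, while the error envelope shown here arrives as a GraphQL error with code UNAUTHENTICATED, which many servers send with a 200 status. The following client, an added example that is not part of the Pylon documentation, covers both signals, refreshes the token at most once, and keeps the token out of everything but the Authorization header. `fetchImpl`, `tokens`, `fakeFetch` and `fakeTokens` are assumed helpers constructed for the example so it runs offline.

```javascript
const ENDPOINT = "https://pylon.mortgage/graphql";

// True when the credential was rejected, either at the transport layer (401)
// or inside a 200 GraphQL envelope with extensions.code "UNAUTHENTICATED".
function isUnauthenticated(status, body) {
  if (status === 401) return true;
  const errors = body && Array.isArray(body.errors) ? body.errors : [];
  return errors.some((e) => e?.extensions?.code === "UNAUTHENTICATED");
}

async function postQuery(fetchImpl, token, query, variables) {
  const res = await fetchImpl(ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${token}` },
    body: JSON.stringify({ query, variables }),
  });
  // A 401 may carry a non-JSON body; treat that as "no envelope".
  const body = await res.json().catch(() => null);
  return { status: res.status, body };
}

// Refreshes at most once; a second rejection is surfaced rather than looped on,
// so a revoked credential cannot cause an unbounded refresh storm.
async function requestWithRefresh(fetchImpl, tokens, query, variables) {
  let r = await postQuery(fetchImpl, tokens.get(), query, variables);
  if (isUnauthenticated(r.status, r.body)) {
    const fresh = await tokens.refresh();
    r = await postQuery(fetchImpl, fresh, query, variables);
    if (isUnauthenticated(r.status, r.body)) {
      throw new Error("still unauthenticated after token refresh");
    }
  }
  return r.body;
}

// Constructed offline stand-in for fetch (hypothetical): "old-token" is rejected
// inside a 200 envelope, like the Error responses example; "new-token" succeeds.
function fakeFetch(_url, init) {
  const ok = init.headers.Authorization === "Bearer new-token";
  const payload = ok
    ? { data: { deals: [{ id: "d1", status: "open" }] } }
    : { errors: [{ message: "Unauthorized", extensions: { code: "UNAUTHENTICATED" } }] };
  return Promise.resolve({ status: 200, json: () => Promise.resolve(payload) });
}

// Constructed token store (hypothetical); a real one would run the OAuth refresh flow.
const fakeTokens = {
  current: "old-token",
  get() { return this.current; },
  async refresh() { this.current = "new-token"; return this.current; },
};
```

Call `requestWithRefresh(fakeFetch, fakeTokens, "query { deals { id } }", {})` to see the first attempt rejected, the token refreshed, and the deals returned on the retry.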

Best practices

  1. Store tokens securely - Never expose tokens in client-side code
  2. Refresh before expiration - Refresh tokens proactively
  3. Handle errors gracefully - Redirect to login on authentication errors
  4. Use HTTPS - Always use HTTPS in production
  5. Rotate tokens - Regularly rotate access tokens for security