Authentication (internal)
Warning
These v3 APIs are now deprecated and you should switch to a newer version before they are removed. See the API versions available for details of the different API versions and the deprecation timeline.
This documents how to use authentication in your API requests when you are working on a web application that lives on the AMO domain or one of its subdomains. If you are looking for how to authenticate with the API from an external client, using your API keys, read the documentation for external authentication instead.
When using this authentication mechanism, the server is responsible for creating an API token when the user logs in and sending it back in the response. Clients must then include that token as an Authorization header on requests that need authentication. Clients never generate JWTs themselves.
Fetching the token
A fresh token, valid for 30 days, is automatically generated and added to the responses of the following endpoint:
/api/v3/accounts/authenticate/
The token is available in two forms:
- For the endpoint mentioned above, as a property called token.
- For all endpoints, as a cookie called frontend_auth_token. This cookie expires after 30 days and is set as HttpOnly.
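A check for the cookie form described above, as an added example that is not part of the AMO code base: it audits a Set-Cookie header for frontend_auth_token against the two documented properties (HttpOnly, lifetime of at most 30 days). The function names and the sample header values are assumptions constructed for illustration.

```javascript
// Added example (not AMO project code): audit the frontend_auth_token cookie.
const COOKIE_NAME = 'frontend_auth_token';
const MAX_LIFETIME_SECONDS = 30 * 24 * 60 * 60; // 30 days, as documented above

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so keys are lowercased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  const name = eq === -1 ? '' : pair.slice(0, eq);
  return { name, value: pair.slice(eq + 1), attrs };
}

// Return a list of findings; an empty list means the header matches the
// documented behaviour. `now` is injectable so Expires can be checked in tests.
function auditAuthCookie(header, now = new Date()) {
  const { name, attrs } = parseSetCookie(header);
  if (name !== COOKIE_NAME) return [`unexpected cookie name: ${name}`];
  const findings = [];
  if (attrs.httponly !== true) {
    findings.push('missing HttpOnly: token readable by page scripts');
  }
  // Max-Age takes precedence over Expires when both are present (RFC 6265).
  let lifetime = null;
  if (attrs['max-age'] !== undefined) {
    lifetime = Number(attrs['max-age']);
  } else if (attrs.expires !== undefined) {
    lifetime = (Date.parse(attrs.expires) - now.getTime()) / 1000;
  }
  if (lifetime === null || Number.isNaN(lifetime)) {
    findings.push('no valid Max-Age or Expires: lifetime cannot be verified');
  } else if (lifetime > MAX_LIFETIME_SECONDS) {
    findings.push('lifetime exceeds 30 days');
  }
  return findings;
}

// Constructed sample headers (token values are placeholders).
const GOOD = 'frontend_auth_token=CONSTRUCTED.TOKEN.VALUE; Max-Age=2592000; Path=/; HttpOnly';
const BAD = 'frontend_auth_token=CONSTRUCTED.TOKEN.VALUE; Max-Age=7776000; Path=/';
console.log(auditAuthCookie(GOOD), auditAuthCookie(BAD));
```

Because the cookie is HttpOnly, front-end scripts cannot read it; a script that needs the token takes it from the token property of the authenticate response.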