Human42
(Joseph Alexander Philip Zaldarriaga Lacson)
1
Seamless Authentication seems to be handled automatically with the SDK, but the SDK is for JS only. If I was developing an app in some other language that doesn’t have the SDK, can I still make use of seamless integration? Do I just have to check the value of the “short-lived API key”? How would I know what value it’s supposed to have?
EDIT: A possible answer to my question just occurred to me, but I want to ask if this is correct:
Typically, to allow our app to make GraphQL API calls to Monday, we go to Settings>App and then copy the account API key and then present that key when we make an API call. With seamless authentication, do we present the “short-lived token” instead of the API key when making a GraphQL API call to Monday? This token acts as a replacement to the API key that we would copy from the Settings?
I understand that you are talking about an app with an integration feature. Correct?
Every request from the Monday server to your app will be accompanied by a JWT token in the Authorization header. The token will be signed by your app’s Signing Secret. The JWT token can be decoded to get additional metadata about the request.
The JWT token will contain a short-lived API key that can be used to authenticate against the monday API. The token will be valid for 1 minute and have the same permission scopes as your app.
Is this the information you were looking for?
Cheers,
Matias
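The check described in the reply above, done without the JS SDK, as an added example that is not part of the original thread or monday's own code: it verifies the JWT from the Authorization header against the Signing Secret, enforces expiry, and only then reads the short-lived key. The HS256 algorithm, the `exp` claim, the optional `Bearer ` prefix and the `shortLivedToken` claim name are assumptions, and the secret and token are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64d(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header: dict, payload: dict, secret: str) -> str:
    # Only used to build the constructed sample token below.
    signing_input = b64e(json.dumps(header).encode()) + "." + b64e(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64e(sig)

def verify_request_jwt(auth_header: str, signing_secret: str, now=None) -> dict:
    # Accept the header with or without a "Bearer " prefix (assumption).
    token = auth_header.strip().removeprefix("Bearer ").strip()
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(header_b64))
        signature = b64d(sig_b64)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm; never let the token choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(signing_secret.encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64d(payload_b64))  # parsed only after the signature checks out
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp:
        raise ValueError("token expired or missing exp")
    return claims

# Constructed sample values, not real credentials.
SECRET = "example-signing-secret"
SAMPLE = sign_hs256({"alg": "HS256", "typ": "JWT"},
                    {"shortLivedToken": "example-short-lived-key", "exp": 2_000_000_060}, SECRET)

if __name__ == "__main__":
    claims = verify_request_jwt(SAMPLE, SECRET, now=2_000_000_000)
    print(claims["shortLivedToken"])  # assumed claim name for the short-lived key
```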
Human42
(Joseph Alexander Philip Zaldarriaga Lacson)
3
Is this the information you were looking for?
Not exactly. What you’re saying here is the same as what I have already read in the documentation.
The statement that I want more information about is this:
The JWT token will contain a short-lived API key that can be used to authenticate against the monday API
I don’t understand how to use the API key to authenticate against the Monday API.
I understand how I can authenticate that the request comes from my app in Monday.com by using the Signing Secret to verify that the JWT token is genuine and untampered, but I do not know what the use-case is of the short-lived API key.
I suspect the short-lived key takes the place of the Personal API token that we would otherwise have to copy from Settings>Admin>API, but I would like to hear confirmation from Monday: