Authentication

Authentication lets your users verify their identity. This enables you to control what data they should be allowed to access.

Typically, an authentication flow looks something like this:

Client log in with credentials
Server returns secure access token
Client requests data from server (Sends along access token)
Server returns data to client
There are tons of variations of this flow depending on the specific type of system and authentication method. Common for all of them is that the client will receive an access_token that it can use when requesting data from the server.

You want to authenticate users to provide customized access to specific data on your server. The only secure way to do this is to handle authentication on the server.

This is also why toddle does not have an integrated authentication system. Instead, we opted for a secure approach and built an API connector where you can connect with authentication systems.

Keep your access token secure

You might wonder why the client needs an access token. Why not just send the user credentials with every request? The reason is security. Whenever you send any information over the Internet or store it in the client, you increase the chance that a malicious third party will compromise it. Using an access token with a set expiration limits the potential harm an attacker can do if they successfully intercept a request.

The client must store your access token securely between requests because your access token is strictly confidential. In toddle, we use a secure HTTP-only cookie. This is the most secure option since any client-side JavaScript code will not read the token.

Install the toddle browser plugin

For authentication to work correctly when working in the toddle editor, it is necessary to install a browser plugin. This plugin allows the toddle editor to use cookies when it runs your application. (Not necessary for users of your application. It's only needed when you build in the editor.)

Install Chrome plugin

Install Firefox plugin

How to work with access tokens in toddle

There are two ways for a toddle application to store an access token in a secure cookie.

You can use the Set Session Cookies action to set an HTTP-only cookie directly from your toddle app. This is ideal for users who sign in with an email or username and password. This login type has the server return an access token directly from the login API.

The set session cookie action lets you set an access token and optional id token from your toddle app. It's now easier than ever to work with APIs in toddle.

You can also save an access token with a redirect to /.toddle?access_token=<Your access token>. This is useful for redirect workflows where logins happen on a different domain. Services like Supabase, Auth0, and Firebase use this authentication strategy.

If you wish to redirect to a specific page in your toddle app after the token is stored, you can set the query parameter redirect_to=<URL>

Now that you have an access token stored in a secure cookie, you can use it to authenticate API requests.

Most modern APIs use "token bearer authentication." This means that the API will require each data request to include an "Authentication" header that starts with the word "Bearer" followed by the access token needed to verify the request.

Add an authorization header in toddle

You need to add a new header to use access_tokens in your authenticated API requests.

  • Go to the "Headers" section of your API request
  • Add a new header
  • Select "Authorization"
You need to add a new header to use access_tokens in your authenticated API requests. 
Go to the "Headers" section of your API request to get started.

This will create an Authorization header where a formula retrieves the value.

The formula's output should be “Bearer access_token,” so we use the “Concatenate” function, where the first argument is “Bearer “ and the second argument is the value of the access token that we are getting using the “Get Http-Only Cookie” formula.

You can continually update the formula depending on your backend's requirements. You can embed an HTTP cookie in headers, query, or path parameters.

You can continually update the formula depending on your backend's requirements. You can embed an HTTP cookie in headers, query parameters, or path parameters.

Each request to the API will now be sent via toddle's Edge network, where the access token will be read from the secure cookie and inserted as an Authentication header.

For this type of authentication to work it is important that the request is "proxied" through toddle's Edge network. Read more about proxying on the next page.

Stop scrolling. Start building.

toddle is a visual web app builder that rivals custom code — but accessible to your entire team!

Try toddle — it's free!

© Copyright 2024 toddle. All rights reserved.