Authentication (internal)
This documents how to use authentication in your API requests when you are working on a web application that lives on AMO domain or subdomain. If you are looking for how to authenticate with the API from an external client, using your API keys, read the documentation for external authentication instead.
When using this authentication mechanism, the server creates a session and stores the
session id in the sessionid
cookie when the user logs in.
The client must then include that session id in an Authorization
header on requests
that need authentication.
The clients never generate tokens or sessions themselves.
Creating a session
A session, valid for 30 days, is automatically generated when a log in via Firefox Accounts has completed, and the user is redirected back to the following endpoint:
/api/auth/authenticate-callback/
The session id is then available in a cookie called sessionid
. This cookie expires
after 30 days and is set as HttpOnly
.
FxA Notification Webhook
To integrate with Firefox Account’s webhook the following endpoint is available:
/api/auth/fxa-notification/
Authentication is accomplished by decoding using the known JWT keys available <https://oauth.accounts.firefox.com/v1/jwks>`_ - normal AMO authentication is not used.
This endpoint is not usable for anything other than AMOs internal integration with Firefox Accounts.