Authentication (internal)
Warning
These v3 APIs are now deprecated and you should switch to a newer version before it is removed. See the API versions available for details of the different API versions available and the deprecation timeline.
This documents how to use authentication in your API requests when you are working on a web application that lives on AMO domain or subdomain. If you are looking for how to authenticate with the API from an external client, using your API keys, read the documentation for external authentication instead.
When using this authentication mechanism, the server creates a session and stores the
session id in the sessionid` cookie when the user logs in.
The client must then include that session id in an ``Authorization
header on requests
that need authentication.
The clients never generate tokens or sessions themselves.
Creating a session
A session, valid for 30 days, is automatically generated when a log in via Firefox Accounts has completed, and the user is redirected back to the following endpoint:
/api/auth/authenticate-callback/
The session id is then available in a cookie called sessionid
. This cookie expires
after 30 days and is set as HttpOnly
.