Authentication Methods
In the Graphistry 2.0 REST API, authentication is crucial for security and access control. Currently, there are three methods to obtain JWT tokens:
- Username and Password
- Personal API Key
- Single Sign-On (SSO)
1. Password Authentication
Use your account credentials to get a short-lived token (~1 hour). This token is required for performing REST API actions. Tokens are valid for up to 24 hours, requiring daily re-login with full credentials. For more information, see Personal API Key Authentication and Single Sign-On (SSO) Authentication.
2. Personal API Key Authentication
To authenticate using a personal API key:
- Navigate to your profile menu and select "Manage API Keys".
- Generate a Personal Key ID and Secret Key. Note: The Personal Secret Key will not be visible again after leaving this screen.
- Use the Personal Key ID and Secret Key to authenticate by making a POST request with the following format:
curl -X POST -H "Authorization: PersonalKey ${PERSONAL_KEY_ID}:${PERSONAL_KEY_SECRET}" https://${GRAPHISTRY_HOST}/api/v2/auth/pkey/jwt/
This request will return a JWT token that can be used for subsequent API requests.
3. Global Single Sign-On (SSO)
SSO authentication redirects you to the site-wide SSO system for login.
4. Single Sign-On (SSO) with Organization (IDP)
For organizations using IDP (Identity Provider) with SSO, the authentication process involves two steps and two API calls:
- Initiate SSO Authentication: The first step is to initiate the SSO authentication process for your organization. This is done by making a GET request to the SSO login API endpoint. This request will redirect you to the organization's SSO login page.
- Retrieve the JWT Token: After successfully logging in through the SSO system, you will receive a response that includes a 'state' parameter. This 'state' is a unique identifier for your session. You then use this 'state' to make a second API call to retrieve your JWT token.
5. Single-Use Token Gateway (Admin Only)
The Single-Use Token Gateway enables one-time token-based access to Graphistry datasets for external, unauthenticated users. This authentication method is restricted to administrators (staff OR superuser) and provides temporary access without requiring full account creation.
Use Case: Admins can generate secure, single-use URLs for external users to access specific datasets without creating permanent accounts or sharing credentials.
Flow:
- Admin calls
GET /api/v2/generate/single-use-url/?username=any_username&dataset_id=DATASET_ID
with Bearer token - System returns magic login URL:
{"single_use_url": "https://domain/magic-login/?sst=TOKEN"}
- Admin sends magic login URL to external user
- External user clicks the magic login link
- User gains temporary access to the specified dataset only
- Admin can immediately revoke access using
GET /api/v2/logout-user/username/
to force logout and remove all permissions
Security Features:
- One-time use tokens (expire after first use)
- Limited access scope (only target dataset)
- Dual-layer time expiration (see Configuration below)
- Admin-controlled revocation (force logout active users)
Access Control:
Once external users click the magic login link, they gain active sessions until natural expiry. Admins can use the logout endpoint to immediately revoke access for security purposes - useful for ending demos, responding to security concerns, or removing access when collaboration ends.
Configuration
The following settings control the behavior of the Single-Use Token Gateway:
Setting | Type | Default | Description |
---|---|---|---|
SESAME_TOKEN_NAME |
string | sst |
Name of the query parameter used to pass the sesame token (e.g., ?sst=abc123 ) |
SESAME_MAX_AGE |
int | 3600 |
Maximum lifespan of a sesame token in seconds (default: 1 hour) |
SESAME_ONE_TIME |
bool | True |
When set to True , each token is valid only once and expires after first use. Django-sesame enforces this by updating the user's last login date |
COOKIE_SECURE |
bool | True |
Ensures the session cookie is only sent over HTTPS. Required when embedding in <iframe> to preserve auth across domains |
Note: In addition to the configurable sesame token settings above, magic links have a hardcoded 7-day database record expiration. ShareLinkUser records are automatically cleaned up after 7 days from generation, making magic links completely invalid regardless of usage.
Flow Diagram
Admin → Generate URL → Send the URL to User User → /magic-login?sesame=... → Logs in → /graph/graph.html?dataset=... (auto) Admin → /logout-user/<username>/ → revokes session User → Logout
Using REST API for Authentication
Below are examples of REST API calls for each authentication method:
Route | Method | Headers | Parameters | Return |
---|---|---|---|---|
api/v2/auth/pkey/jwt/ |
POST | Authorization: PersonalKey PERSONAL_KEY_ID:PERSONAL_KEY_SECRET | Personal Key ID, Personal Secret Key | {"token": str} |
Input:
Note: Replace "YOUR_ORG_NAME" with the actual name of your organization. This parameter is optional. |
||||
api/v2/g/sso/oidc/login |
GET | N/A | N/A | Redirect to SSO login page |
Input:
|
||||
sso/oidc/login/idp_name/ |
GET | N/A | N/A | Redirect to SSO login page |
Input:
|
||||
/sso/oidc/jwt/{state}/ |
GET | N/A | N/A | N/A |
Input:
|
For further details and language-specific implementations, please refer to our Python client library documentation.