Session Tokens

Introduction

When using allauth headless in non-browser contexts, such as mobile apps, a session token is used to keep track of the authentication state. This session token is handed over by the app by providing the X-Session-Token request header.

If you do not have any requirements that prescribe a specific token strategy, the simplest way forward is to use the X-Session-Token authentication mechanism for your own APIs as well. In order to do so, integration with Django Ninja and Django REST framework is offered out of the box.

Securing Your API Endpoints

Django Ninja

For Django Ninja, the following security class is available:

An example on how to use that security class in your own code is listed below:

from allauth.headless.contrib.ninja.security import x_session_token_auth
from ninja import NinjaAPI

api = NinjaAPI()

@api.get("/your/own/api", auth=[x_session_token_auth])
def your_own_api(request):
    ...

Django REST framework

For Django REST framework, the following authentication class is available:

An example on how to use that authentication class in your own code is listed below:

from allauth.headless.contrib.rest_framework.authentication import (
    XSessionTokenAuthentication,
)
from rest_framework import permissions
from rest_framework.views import APIView

class YourOwnAPIView(APIView):

    authentication_classes = [
        XSessionTokenAuthentication,
    ]
    permission_classes = [permissions.IsAuthenticated]

    def get(self, request):
        ...