All requests to YesGraph’s API require authentication. There are two authentication patterns that YesGraph supports. If you want to connect from your backend server (a trusted environment), you can use the one for Secure Environments. If you want to connect from your frontend or a mobile app, use the one for Insecure Environments.

Secure Environments

This pattern is intended for connecting to YesGraph from a trusted environment, like your server’s backend. If you want to access the YesGraph API from a client that cannot be trusted (e.g. a JavaScript client running in a web browser, or an iOS or Android app running on a mobile device), use the Insecure Environments pattern instead.

Each of your YesGraph projects has a unique Secret API Key. You can find it on the API integration tab of your YesGraph dashboard.

Warning: Keep It Secret!

The Secret Key gives you access to all of your YesGraph data, so don’t share it publicly or expose it to insecure clients like mobile apps or client-side JavaScript. Obfuscating or hiding it in client code is not enough, because anything shipped to the client can be extracted from it.

Note that with this pattern, your clients only talk to your backend and have no direct access to YesGraph’s API.

Insecure Environments (iOS, Android & Client-Side JavaScript)

This pattern is intended for connecting from an untrusted client. If you connect to YesGraph from a trusted environment (e.g. your server’s backend), we recommend the simpler Secure Environments pattern described above.

Use this flow for insecure clients that need to interact with YesGraph directly, without your backend acting as a middle-man. Two examples that fall into this category are a JavaScript frontend running in the browser and a mobile app running on iOS or Android.

In this flow the client is untrusted, so never give the client your Secret Key, which provides read & write access to all of your data.

Instead, generate a Client Key on your server using your user’s unique id and your Secret Key. The Client Key gives a specific user limited access to relevant data. For example, that user would be able to retrieve their own contacts, but not any other user’s contacts. Read about how to create Client Keys.
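
The server side of this flow, as an added sketch that is not YesGraph's own code: the backend takes the user id from the authenticated session (never from the request body) and returns only the Client Key. The session store, `login`, `handle_client_key_request` and the injected `mint_client_key` callable are hypothetical names that stand in for your own login code and for the Client Key creation step.

```python
import secrets

# Constructed in-memory session store for the example: session token -> user id.
SESSIONS = {}

def login(user_id):
    """Stand-in for your real login; returns an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def handle_client_key_request(session_token, body, secret_key, mint_client_key):
    """Return (status, json_body) for a client asking for its Client Key.

    mint_client_key(secret_key, user_id) is a hypothetical callable standing in
    for the server-side Client Key creation step; it is not a YesGraph API name.
    """
    # The user id comes from the authenticated session only. Any "user_id" in
    # the client-supplied body is ignored, otherwise one user could obtain a
    # Client Key scoped to another user's contacts.
    user_id = SESSIONS.get(session_token)
    if user_id is None:
        return 401, {"error": "not authenticated"}

    client_key = mint_client_key(secret_key, user_id)

    # Only the Client Key leaves the server. Fail closed if the Secret Key
    # would appear in the response by mistake.
    if not client_key or secret_key in client_key:
        return 500, {"error": "could not issue client key"}
    return 200, {"client_key": client_key}

if __name__ == "__main__":
    # In production the Secret Key would come from server-side configuration
    # (e.g. an environment variable), never from code shipped to clients.
    secret = "sk_constructed_example"  # constructed sample value
    fake_mint = lambda sk, uid: "ck-for-" + uid  # constructed stand-in
    token = login("alice")
    print(handle_client_key_request(token, {"user_id": "bob"}, secret, fake_mint))
    print(handle_client_key_request("bogus", {}, secret, fake_mint))
```
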