Authentication

TigerGraph’s RESTful APIs communicate with either the REST++ server on port 9000 or the GSQL server on port 14240. Each server uses different methods of authentication.

As of 3.10.0, the use of plaintext tokens in authentication is deprecated. Use OIDC JWT Authentication instead.

REST++ Server Requests

TigerGraph REST++ endpoints are public by default: anyone with access to the HTTP ports of the TigerGraph server can run your endpoints. When REST++ authentication is enabled, then a valid authorization token must be included in the header.

The REST++ server implements OAuth 2.0-style authorization as follows:

  1. Each user can create one or more secrets (unique pseudorandom strings). Each secret is associated with a particular user and the user’s privileges for a particular graph.

  2. Anyone who has this secret can invoke a special REST endpoint to generate authorization tokens (other pseudorandom strings).

  3. An authorization token can then be used to perform TigerGraph database operations via other REST endpoints. Each token will expire after a certain period of time. The TigerGraph default lifetime for a token is 1 month.

Using Tokens

Once REST++ authentication is enabled, a valid token should always be included in the HTTP header. If you are using curl to format and submit your REST++ requests, then use the following syntax:

curl GSQL request, with authorization token in header
curl -X GET -H "Authorization: Bearer <token>" '<request_URL>'

Here is a sample request:

curl -X GET -H "Authorization: Bearer 01234567abcdefgh01234567abcdefgh" "http://localhost:9000/graph/socialNet/vertices/User?limit=3"

3rd party JWT token

Since 3.10.0, TigerGraph now supports the use of 3rd party JWT token. See OIDC JWT Authentication for more details.

GSQL Server Requests

All requests made to the GSQL Server must be accompanied by your user credentials. You can use the curl -u option to pass in the username and password of the TigerGraph user:

curl -X GET -u <username>:<password> "http://localhost:14240/<path_to_endpoint>

To keep your credentials more secure, one way to avoid having the user name and password on the command line is to instead use a .netrc file or a config file. If you are in interactive mode, you can also use the -u option without specifying the password, and then curl will prompt for the password.