Skip to main content

Overview

PriceSignal uses Firebase Authentication with JWT (JSON Web Tokens) to secure API access. All GraphQL queries, mutations, and subscriptions require a valid Firebase JWT token.

Authentication Flow

  1. Authenticate with Firebase on the client side
  2. Obtain a Firebase JWT token
  3. Include the token in your GraphQL requests
  4. Token is validated against Firebase’s public keys

Firebase Configuration

The API is configured to validate tokens from the Firebase project:
Authority
string
https://securetoken.google.com/nxtspec
Issuer
string
https://securetoken.google.com/nxtspec
Audience
string
nxtspec
The API validates token issuer, audience, and lifetime automatically.

Sending Authenticated Requests

You can authenticate requests in two ways: Include the JWT token in the Authorization header using the Bearer scheme: 
curl -X POST https://api.pricesignal.com/graphql \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_FIREBASE_JWT_TOKEN" \
  -d '{"query": "{ prices(interval: ONE_MIN) { nodes { symbol close } } }"}'
For browser-based applications, you can use the /api/login endpoint to set an HTTP-only cookie: 
const firebaseToken = await firebase.auth().currentUser?.getIdToken();

await fetch('https://api.pricesignal.com/api/login', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${firebaseToken}`
  },
  credentials: 'include' // Important for cookies
});

// Subsequent GraphQL requests will automatically include the cookie
const response = await fetch('https://api.pricesignal.com/graphql', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  },
  credentials: 'include',
  body: JSON.stringify({ query: '...' })
});
HTTP-only cookies provide additional security by preventing JavaScript access to tokens. The cookie is set with Secure and SameSite=Strict flags.

Token Validation

When a request is received, the API performs the following validations:
Issuer Validation
boolean
Verifies the token was issued by https://securetoken.google.com/nxtspec
Audience Validation
boolean
Confirms the token audience matches nxtspec
Lifetime Validation
boolean
Checks that the token has not expired
Signature Validation
boolean
Validates the token signature using Firebase’s public keys

User Context

After successful authentication, the user’s identity is available in GraphQL resolvers: 
public async Task<PriceRule> CreatePriceRule(
  PriceRuleInput input,
  [Service] IUser user)
{
  var userId = user.UserIdentifier; // Firebase UID
  var email = user.Email; // User email from token
  // ...
}
This allows the API to:
  • Scope queries to the authenticated user
  • Enforce user-level permissions
  • Track rule ownership and access control

Error Responses

If authentication fails, you’ll receive an appropriate HTTP status code:
401 Unauthorized
error
No token provided or token is invalid
403 Forbidden
error
Token is valid but user lacks permission for the requested resource

WebSocket Authentication

For WebSocket subscriptions, include the token in the connection parameters: 
import { createClient } from 'graphql-ws';

const client = createClient({
  url: 'wss://api.pricesignal.com/graphql',
  connectionParams: async () => {
    const token = await firebase.auth().currentUser?.getIdToken();
    return {
      Authorization: `Bearer ${token}`
    };
  }
});
See the WebSocket Subscriptions guide for more details.

Security Best Practices

Never expose Firebase tokens in client-side code or version control. Tokens should be obtained dynamically from Firebase Authentication.
  • Use HTTPS for all API requests in production
  • Refresh tokens before they expire (Firebase tokens are valid for 1 hour)
  • Store tokens securely (use HTTP-only cookies or secure storage)
  • Implement proper logout to invalidate sessions
  • Monitor for suspicious authentication patterns

Getting Your Firebase Credentials

  1. Create a Firebase project at console.firebase.google.com
  2. Enable Authentication with your preferred sign-in methods
  3. Add your app to the Firebase project
  4. Use the Firebase SDK to authenticate users and obtain tokens
import { initializeApp } from 'firebase/app';
import { getAuth, signInWithEmailAndPassword } from 'firebase/auth';

const app = initializeApp({
  apiKey: "your-api-key",
  authDomain: "nxtspec.firebaseapp.com",
  projectId: "nxtspec"
});

const auth = getAuth(app);
const userCredential = await signInWithEmailAndPassword(auth, email, password);
const token = await userCredential.user.getIdToken();

Build docs developers (and LLMs) love

Get started for freeTalk to us