auth_internal.rst

File metadata and controls

37 lines (26 loc) 路 1.36 KB

Authentication (internal)

This documents how to use authentication in your API requests when you are working on a web application that lives on the AMO domain or a subdomain. If you are looking for how to authenticate with the API from an external client, using your API keys, read the :ref:`documentation for external authentication <v4-api-auth>` instead.

When using this authentication mechanism, the server creates a session and stores the session id in the ``sessionid`` cookie when the user logs in. The client must then include that session id in an ``Authorization`` header on requests that need authentication. The clients never generate tokens or sessions themselves.

Creating a session
==================

A session, valid for 30 days, is automatically generated when a login via Firefox Accounts has completed, and the user is redirected back to the following endpoint:

    * ``/api/auth/authenticate-callback/``

The session id is then available in a cookie called ``sessionid``. This cookie expires after 30 days and is set as ``HttpOnly``.

Creating an Authorization header
================================

When making an authenticated API request, put the session id from the cookie into an HTTP Authorization header prefixed with ``Session``, like this::

    Authorization: Session 1234567890
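
Because the ``sessionid`` cookie is ``HttpOnly``, script running in the browser cannot read it, so the header has to be built by code that sees the raw ``Cookie`` request header. The following added example (not part of the AMO documentation or code base) shows that step for a server-side JavaScript component. The function names and the allowed character set for the session id are assumptions.

```javascript
// Added example: not code from the AMO project. Function names are hypothetical.

// Conservative allow-list for the session id (assumption: the page does not
// specify the id's alphabet). It rejects CR/LF, spaces and separators, so the
// value cannot smuggle extra headers into the outgoing request.
const SESSION_ID_RE = /^[A-Za-z0-9._:-]{1,256}$/;

// Return every value of cookie `name` found in a raw Cookie request header.
function cookieValues(cookieHeader, name) {
  const values = [];
  for (const pair of String(cookieHeader || '').split(';')) {
    const eq = pair.indexOf('=');
    if (eq === -1) continue;
    if (pair.slice(0, eq).trim() === name) {
      values.push(pair.slice(eq + 1).trim());
    }
  }
  return values;
}

// Build the headers for an authenticated API request, or return null when the
// request must go out unauthenticated.
function sessionAuthHeaders(cookieHeader) {
  const values = cookieValues(cookieHeader, 'sessionid');
  // No cookie: the user is not logged in. More than one: ambiguous, refuse to pick.
  if (values.length !== 1) return null;
  const sessionId = values[0];
  if (!SESSION_ID_RE.test(sessionId)) return null;
  return { Authorization: `Session ${sessionId}` };
}

// Constructed sample Cookie headers (not captured traffic).
const samples = [
  'lang=en-US; sessionid=1234567890',
  'lang=en-US',
  'sessionid=1234567890; sessionid=0987654321',
  'sessionid=abc\r\nX-Injected: 1',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', sessionAuthHeaders(s));
}
```

Only the first sample yields a header; the missing, duplicated and malformed cookies all result in ``null`` so the caller sends the request without credentials instead of guessing.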