Authentication

Authentication Scheme

Wing uses the authentication scheme defined in RFC 6750, The OAuth 2.0 Authorization Framework: Bearer Token Usage, with two types of tokens:

  • access_token - Valid for 1 hour
  • refresh_token - Valid for 7 days

The access token is used for all API requests, while the refresh token can be used to obtain a new access token without re-entering credentials.

Getting Your Token

To access the Wing GraphQL API v3, you first need to obtain an authentication token by calling the createAccessToken mutation with your email and password.

The response includes:

  • accessToken - The Bearer token to use in all subsequent API requests (valid for 1 hour)
  • expiresAt - The token expiration timestamp (regenerate before expiry)
  • refreshToken - Token to refresh access without re-authenticating (valid for 7 days)

Using Your Token

All API requests require the token to be passed in the Authorization header using Bearer authentication:

Authorization: Bearer <your-access-token>

The API endpoint is: https://api-developer.wing.eu/v3

Authentication Examples

Examples showing how to generate tokens and authenticate API requests in different programming languages.
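
The token lifecycle described above, as an added Python example that is not Wing's own code: it calls createAccessToken, caches the result, and regenerates the token five minutes before expiresAt. The mutation's argument shape, the ISO 8601 format of expiresAt, and the WING_EMAIL / WING_PASSWORD variable names are assumptions; the transport is injectable so the logic can be exercised offline.

```python
import json
import os
import urllib.request
from datetime import datetime, timedelta, timezone

ENDPOINT = "https://api-developer.wing.eu/v3"  # endpoint given on this page
# ASSUMPTION: the argument names/types below are illustrative, not from the page.
LOGIN = ("mutation($email: String!, $password: String!) {"
         " createAccessToken(email: $email, password: $password)"
         " { accessToken expiresAt refreshToken } }")


def http_post(payload, headers):  # default transport: JSON POST over HTTPS
    req = urllib.request.Request(
        ENDPOINT, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", **headers})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class WingSession:
    """Caches the access token and regenerates it shortly before expiry."""
    def __init__(self, post=http_post, skew=timedelta(minutes=5), now=None):
        self.post, self.skew = post, skew
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.token, self.expires_at = None, None

    def _login(self):
        # ASSUMPTION: env var names; credentials never live in source code.
        creds = {"email": os.environ["WING_EMAIL"],
                 "password": os.environ["WING_PASSWORD"]}
        body = self.post({"query": LOGIN, "variables": creds}, {})
        if body.get("errors"):
            raise RuntimeError("createAccessToken failed")  # no secrets in message
        data = body["data"]["createAccessToken"]
        # ASSUMPTION: expiresAt is an ISO 8601 timestamp carrying a UTC offset.
        ts = data["expiresAt"].replace("Z", "+00:00")
        self.token, self.expires_at = data["accessToken"], datetime.fromisoformat(ts)

    def auth_header(self):
        if self.token is None or self.now() >= self.expires_at - self.skew:
            self._login()  # page: generate a new token via createAccessToken
        return {"Authorization": f"Bearer {self.token}"}

    def query(self, query, variables=None):
        payload = {"query": query, "variables": variables or {}}
        return self.post(payload, self.auth_header())
```

The access token stays in process memory only and is never written to disk or logs.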

Error Handling & Best Practices

Common Authentication Errors

| Error | Cause | Solution |
|---|---|---|
| Unauthorized | Invalid or missing token | Verify your token is correct and not expired |
| Invalid token format | Missing Bearer prefix | Use Authorization: Bearer <token> format |
| Token expired | Token has expired | Generate a new token using createAccessToken |
| Wrong endpoint | Using incorrect URL | Ensure you're using https://api-developer.wing.eu/v3 |

Security Best Practices

  • Never commit tokens to version control systems
  • Store tokens in environment variables:
    export WING_API_TOKEN="your_access_token"
  • Rotate tokens regularly for security
  • Use different tokens for different environments (development, staging, production)
  • Regenerate tokens before expiry to avoid service interruptions