Version: v2

API FAQ

This section provides answers to frequently asked questions about the Immutable zkEVM API.


Authentication


How does the authentication flow work?

When users log in through Immutable Passport, they receive an access token that is valid for 24 hours. This token is sent from the client (frontend) to your backend.

How can the backend access user information?

Your backend can include the access token in the Authorization header when making API calls to Passport services. This allows you to authenticate requests and retrieve user information, including linked addresses.

Can a backend retrieve user information such as linked addresses by just using the Immutable ID?

No. The backend cannot retrieve a user's linked addresses using only the Immutable ID, which is stored in the sub claim of the JWT. Instead, you must use the user's access token.
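
The backend side of this flow, as an added example that is not Immutable's own code: it reads the sub and exp claims from the token the client sent, refuses an expired token, and places the token in the Authorization header of the outgoing request. The Bearer scheme, the placeholder URL, the sample token and every function name are assumptions; the payload is decoded without signature verification, so the sub value is a lookup key rather than proof of identity.

```javascript
// Added example (not Immutable's code): backend pre-flight for a Passport access token.

// Decode the JWT payload WITHOUT verifying the signature. Use the result only for
// pre-flight checks; the token is validated by the service that receives it.
function decodeJwtPayload(token) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) throw new Error("not a compact JWT");
  let claims;
  try {
    claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
  } catch {
    throw new Error("JWT payload is not valid JSON");
  }
  if (claims === null || typeof claims !== "object") throw new Error("JWT payload is not an object");
  return claims;
}

// Build the outgoing request. `url` is supplied by the caller; the "Bearer"
// scheme is an assumption, the page only says "Authorization header".
function buildPassportRequest(token, url, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (typeof claims.sub !== "string" || claims.sub === "") throw new Error("missing sub claim");
  if (typeof claims.exp !== "number") throw new Error("missing exp claim");
  if (nowSeconds >= claims.exp) throw new Error("access token expired");
  return {
    immutableId: claims.sub, // unverified here: a lookup key, not proof of identity
    url,
    options: { method: "GET", headers: { Authorization: `Bearer ${token}` } },
  };
}

// Never write the raw token to logs; keep only a short prefix for correlation.
function redactToken(token) {
  return `${String(token).slice(0, 8)}...[redacted]`;
}

// Constructed sample token (fake signature) so the example runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const issuedAt = 1700000000; // constructed timestamp
const sample = makeSampleToken({ sub: "constructed-user-id", iat: issuedAt, exp: issuedAt + 24 * 3600 });
const req = buildPassportRequest(sample, "https://passport.example.invalid/placeholder", issuedAt + 3600);
console.log(req.immutableId, req.url, redactToken(sample));
```
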

What are the security and privacy considerations?

Requiring the access token ensures that only authenticated users can access their information. The token authenticates each request, and only the information that the user has authorized is accessible.

Is there anything else to consider?

Ensure that you handle the access token securely and follow best practices for data protection. The 24-hour validity of the token helps maintain security while providing a good user experience.