API Authentication Using Firebase
This guide describes how external systems authenticate against the Minyu API using Firebase-based access tokens. The process is designed for server-to-server integrations, background jobs, and external applications.
All authentication is handled via Firebase-issued ID tokens, while Minyu is used to bootstrap the initial trust relationship using a one-time setup token.
Overview of the Authentication Flow
- A system administrator generates a one-time API setup token in Minyu
- The external system exchanges this token with Firebase
- Firebase returns:
  - An access token (idToken)
  - A refresh token
- The access token is used to authenticate all API requests
- The refresh token is used to automatically renew access
Token Types and Lifetime
| Token | Issued by | Used for | Lifetime |
|---|---|---|---|
| Custom token (setup token) | Minyu | Initial trust bootstrap | Minutes |
| Access token (idToken) | Firebase | API authentication | ~1 hour |
| Refresh token | Firebase | Renew access token | Long-lived |
Only the access token is sent with API requests.
Step 1 --- Generate an API Token in Minyu
- Open the Users / Integrations view in the Minyu administration interface
- Locate the user or integration account
- Click Generate API token
- The token is copied to your clipboard
After generation, a confirmation dialog is displayed:
Important
- This token is a one-time setup token
- It cannot be used directly to call the API
- It is only used to obtain a Firebase access token
Step 2 --- Exchange the Token for a Firebase Access Token
You need:
- The token generated in Minyu
- Your Firebase Web API key (public, not secret)
Request
curl -X POST \
  "https://identitytoolkit.googleapis.com/v1/accounts:signInWithCustomToken?key=AIzaSyD39LFf8hGTVWgnXHAWhVk9MZWN379gxJY" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "PASTE_TOKEN_FROM_MINYU",
    "returnSecureToken": true
  }'
Response
{
  "idToken": "FIREBASE_ACCESS_TOKEN",
  "refreshToken": "FIREBASE_REFRESH_TOKEN",
  "expiresIn": "3600"
}
Store both tokens securely.
Step 3 --- Authenticate API Requests
All requests to the Minyu API must include the Firebase access token as a bearer token.
curl -X POST https://api.minyu.com/graphql -H "Authorization: Bearer FIREBASE_ACCESS_TOKEN" -H "Content-Type: application/json" -d '{ "query": "{ health }" }'
Step 4 --- Refresh the Access Token
curl -X POST "https://securetoken.googleapis.com/v1/token?key=YOUR_FIREBASE_API_KEY" -H "Content-Type: application/x-www-form-urlencoded" -d "grant_type=refresh_token&refresh_token=PASTE_REFRESH_TOKEN"
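The following is an added example, not Minyu's own code: a small in-memory cache that returns the access token for Step 3 and performs the Step 4 refresh shortly before the one-hour lifetime ends. The names `TokenCache`, `http_post_form` and the `skew` margin are hypothetical; the `id_token`, `refresh_token` and `expires_in` fields are what the Firebase secure token endpoint returns.

```python
import json
import time
import urllib.parse
import urllib.request

REFRESH_URL = "https://securetoken.googleapis.com/v1/token"  # endpoint from Step 4


def http_post_form(url, fields):
    """Default transport: POST form-encoded fields, return the parsed JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenCache:
    """Holds the Step 2 tokens and renews the access token before it expires."""

    def __init__(self, api_key, id_token, refresh_token, expires_in,
                 post=http_post_form, clock=time.monotonic, skew=300):
        self._api_key = api_key
        self._id_token = id_token
        self._refresh_token = refresh_token
        self._post, self._clock, self._skew = post, clock, skew
        self._expires_at = clock() + int(expires_in)  # "expiresIn" is a string

    def access_token(self):
        """Return a token with at least `skew` seconds of validity left."""
        if self._clock() >= self._expires_at - self._skew:
            self._refresh()
        return self._id_token

    def _refresh(self):
        body = self._post(
            REFRESH_URL + "?key=" + urllib.parse.quote(self._api_key),
            {"grant_type": "refresh_token", "refresh_token": self._refresh_token},
        )
        # The refresh response uses snake_case names, unlike the Step 2 response.
        self._id_token = body["id_token"]
        self._refresh_token = body.get("refresh_token", self._refresh_token)
        self._expires_at = self._clock() + int(body["expires_in"])

    def auth_header(self):
        """Header for Step 3 requests; refreshes first if the token is near expiry."""
        return {"Authorization": "Bearer " + self.access_token()}
```

The cache keeps tokens in process memory only; persisting the refresh token across restarts needs a secret store, which this example does not cover.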
Security Considerations
- The access token grants full API access for the assigned tenant
- Tokens must be stored securely
- Rotate tokens if exposure is suspected
Summary
- Generate API token in Minyu
- Exchange it with Firebase
- Use the returned access token for all API calls
- Refresh the token automatically every hour