Skip to main content

FetchMiddlewares.injectIdentityAuth()

Home > @backstage/core-app-api > FetchMiddlewares > injectIdentityAuth

Injects a Backstage token header when the user is signed in.

Signature:

static injectIdentityAuth(options: {
identityApi: IdentityApi;
config?: Config;
urlPrefixAllowlist?: string[];
allowUrl?: (url: string) => boolean;
header?: {
name: string;
value: (backstageToken: string) => string;
};
}): FetchMiddleware;

Parameters

Parameter

Type

Description

options

{ identityApi: IdentityApi; config?: Config; urlPrefixAllowlist?: string[]; allowUrl?: (url: string) => boolean; header?: { name: string; value: (backstageToken: string) => string; }; }

**Returns:**

FetchMiddleware

Remarks

Per default, an Authorization: Bearer <token> is generated. This can be customized using the header option.

The header injection only happens on allowlisted URLs. Per default, if the config option is passed in, the backend.baseUrl is allowlisted, unless the urlPrefixAllowlist or allowUrl options are passed in, in which case they take precedence. If you pass in neither config nor an allowlist/callback, the middleware will have no effect since effectively no request will match the (nonexistent) rules.