Choosing an Authentication Option for your POS Solution

GraphQL requests (Braintree In-Person mutations) can be authenticated in one of two ways.

1st Party API Caller (API Keys) - Basic Authentication

This is the ideal method if you're developing a custom application for a single merchant or offering a solution in which the merchant is fully responsible for the code calling the API and infrastructure surrounding it. In this model, a merchant logs in to the Braintree Control Panel to generate API Keys (public and private keys), copies and securely stores them, and makes API calls with them as a base64-encoded string, as outlined here for GraphQL.

3rd Party Application (OAuth) - Bearer Authentication

This is the ideal method if you're developing a single application or codebase leveraged by multiple merchants. This method removes the need for merchants to copy and paste credentials by replacing them with a web-based permission-granting flow within your application.

You will need to create an OAuth Application, implement the merchant-facing web-based OAuth Flow, and store the AccessToken and RefreshToken on behalf of each of your merchants. Your application will also need to monitor token expiry and refresh them behind the scenes prior to expiry as needed.