
Authentication

OwlFlow uses a two-layer authentication model: a partner API key that identifies the calling application, and a user JWT that identifies the end user on whose behalf a request is made.

1. Partner Authentication (API Key)

All requests to the production and staging environments require a valid API key, sent in the x-api-key header. The check is enforced by the Google API Gateway in front of the service, so a request without a valid key is rejected before it reaches OwlFlow.

```http
x-api-key: YOUR_PARTNER_API_KEY
```

2. User Authentication (JWT)

For user-specific operations (viewing a profile, applying to scholarships), you must also provide a Bearer token obtained from the login or googleAuth mutations. The API key is still required on these requests; the token is sent in addition to it.

Obtaining a Token

```graphql
mutation Login($input: LoginInput!) {
  auth {
    login(input: $input) {
      token
      expiresAt
    }
  }
}
```

Using the Token

Include the token in the Authorization header of your requests, alongside the x-api-key header. Request a new token before the expiresAt timestamp returned by the login mutation passes:

```http
Authorization: Bearer <your_token_here>
```
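The following client walks both layers end to end: it sends the partner key on every request, runs the Login mutation above, and then attaches the returned Bearer token to user-specific requests. This is an added example, not OwlFlow's own client. The endpoint URL, the LoginInput field names (email, password) and the `me` query are placeholders assumed for illustration; the `fake_transport` is a constructed stand-in for the gateway and API so the code runs offline.

```python
import json
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, Optional, Tuple

# Added example, not OwlFlow's own client. Assumptions: the endpoint path,
# LoginInput's field names (email/password) and the `me` query are placeholders.
GRAPHQL_URL = "https://api.example.invalid/graphql"

LOGIN_MUTATION = """mutation Login($input: LoginInput!) {
  auth { login(input: $input) { token expiresAt } }
}"""

# A transport is any callable (url, headers, body) -> (status, response_body).
Transport = Callable[[str, Dict[str, str], bytes], Tuple[int, bytes]]


def urllib_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    """Real HTTP transport; the gateway answers 401/403 for a missing or invalid key."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class OwlFlowClient:
    def __init__(self, api_key: str, transport: Transport = urllib_transport, url: str = GRAPHQL_URL):
        self.api_key = api_key
        self.transport = transport
        self.url = url
        self.token: Optional[str] = None
        self.expires_at: Optional[str] = None

    def headers(self) -> Dict[str, str]:
        # Layer 1 (x-api-key) goes on every request; layer 2 (Bearer) only once logged in.
        h = {"Content-Type": "application/json", "x-api-key": self.api_key}
        if self.token:
            h["Authorization"] = f"Bearer {self.token}"
        return h

    def execute(self, query: str, variables: Dict[str, Any]) -> Dict[str, Any]:
        body = json.dumps({"query": query, "variables": variables}).encode()
        status, raw = self.transport(self.url, self.headers(), body)
        if status in (401, 403):
            raise PermissionError(f"rejected: HTTP {status} {raw[:200]!r}")
        payload = json.loads(raw)
        if payload.get("errors"):
            raise RuntimeError(payload["errors"])
        return payload["data"]

    def login(self, email: str, password: str) -> Dict[str, Any]:
        data = self.execute(LOGIN_MUTATION, {"input": {"email": email, "password": password}})
        result = data["auth"]["login"]
        self.token, self.expires_at = result["token"], result["expiresAt"]
        return result


# Constructed stand-in for the gateway + API so the example runs offline.
FAKE_KEY, FAKE_TOKEN = "partner-key-123", "tok.constructed"


def fake_transport(url: str, headers: Dict[str, str], body: bytes) -> Tuple[int, bytes]:
    if headers.get("x-api-key") != FAKE_KEY:
        return 403, b'{"message":"API key not valid"}'  # gateway rejects before the API sees it
    req = json.loads(body)
    if "login(input" in req["query"]:
        login = {"token": FAKE_TOKEN, "expiresAt": "2030-01-01T00:00:00Z"}
        return 200, json.dumps({"data": {"auth": {"login": login}}}).encode()
    if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        return 401, b'{"message":"unauthorized"}'  # user operation without a valid Bearer token
    return 200, b'{"data":{"me":{"id":"user-1"}}}'


def demo() -> Dict[str, Any]:
    """Exercise both layers against the fake transport and report each outcome."""
    out: Dict[str, Any] = {}
    client = OwlFlowClient(FAKE_KEY, fake_transport)
    try:
        client.execute("query { me { id } }", {})  # user op before login: key ok, no Bearer
        out["before_login"] = "accepted"
    except PermissionError as err:
        out["before_login"] = str(err)
    out["login"] = client.login("dev@example.com", "hunter2")
    out["me"] = client.execute("query { me { id } }", {})
    try:
        OwlFlowClient("wrong-key", fake_transport).login("dev@example.com", "hunter2")
        out["bad_key"] = "accepted"
    except PermissionError as err:
        out["bad_key"] = str(err)
    return out
```

Swap `fake_transport` for the default `urllib_transport` and set the real URL to use the client against staging; the transport is injectable precisely so the header logic can be tested without network access.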

Local Development Authentication

When running OwlFlow locally, authentication behavior depends on your .env configuration.

JWT Secret

In local development, the server needs a secret for signing and verifying JWTs. Generate a random 256-bit one:

```bash
openssl rand -base64 32
```

And set it in .env (keep .env out of version control, and use a different secret per environment):

```bash
OWLFLOW_JWT_SECRET=<your-generated-secret>
```

Token Storage

OwlFlow stores active tokens in a storage backend. You can configure it via OWLFLOW_TOKEN_STORAGE:

  • firestore: (Default) Connects to a Google Cloud Firestore database. This is what production and staging use.
  • memory: Keeps tokens in process memory, so they are lost when the server restarts. Recommended for local development to avoid the Firestore configuration overhead.

Note for Staging Developers: If you are connecting OwlFlow locally to the Staging Core, you must use OWLFLOW_TOKEN_STORAGE=memory.
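To make the two settings above concrete, the following added example (not OwlFlow's own code) shows the server side of the JWT Secret and Token Storage sections together: it generates a secret equivalent to `openssl rand -base64 32`, reads OWLFLOW_JWT_SECRET and OWLFLOW_TOKEN_STORAGE, signs and verifies HS256 tokens, and treats the token store as the list of tokens that are still active, so a revoked token is refused even though its signature and expiry are still valid. The HS256 algorithm, the use of the secret as raw key bytes, and storing a `jti` claim in the store are assumptions; the Firestore backend is not implemented here because it needs Google Cloud credentials.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from typing import Dict, Mapping, Optional, Set

# Added example, not OwlFlow's own code. Assumptions: HS256 JWTs, the secret is used
# as raw key bytes, and the token store holds the "jti" of each active token.


def generate_secret() -> str:
    """Same as `openssl rand -base64 32`: 32 random bytes, base64-encoded (44 chars)."""
    return base64.b64encode(secrets.token_bytes(32)).decode()


def load_secret(env: Optional[Mapping[str, str]] = None) -> bytes:
    """Read OWLFLOW_JWT_SECRET and refuse missing or obviously weak values."""
    env = os.environ if env is None else env
    raw = env.get("OWLFLOW_JWT_SECRET", "")
    if len(raw) < 32:  # 32 random bytes encode to 44 chars; anything shorter is a mistake
        raise RuntimeError("OWLFLOW_JWT_SECRET missing or too short; run: openssl rand -base64 32")
    return raw.encode()


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: Dict, secret: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> Optional[Dict]:
    """Return the claims if alg, signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Pin the algorithm (rejects alg=none) and compare in constant time.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims


class MemoryTokenStorage:
    """OWLFLOW_TOKEN_STORAGE=memory: active token ids live only in this process."""

    def __init__(self) -> None:
        self._active: Set[str] = set()

    def add(self, jti: str) -> None:
        self._active.add(jti)

    def revoke(self, jti: str) -> None:
        self._active.discard(jti)

    def is_active(self, jti: str) -> bool:
        return jti in self._active


def make_token_storage(env: Optional[Mapping[str, str]] = None) -> MemoryTokenStorage:
    env = os.environ if env is None else env
    backend = env.get("OWLFLOW_TOKEN_STORAGE", "firestore")  # firestore is the documented default
    if backend == "memory":
        return MemoryTokenStorage()
    if backend == "firestore":
        raise NotImplementedError("firestore backend needs Google Cloud credentials; not shown here")
    raise ValueError(f"unknown OWLFLOW_TOKEN_STORAGE: {backend}")


def issue_token(user_id: str, secret: bytes, storage: MemoryTokenStorage,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    now = int(time.time()) if now is None else now
    jti = secrets.token_hex(16)
    storage.add(jti)  # the store is the source of truth for "still active"
    return sign_jwt({"sub": user_id, "jti": jti, "iat": now, "exp": now + ttl}, secret)


def authenticate(token: str, secret: bytes, storage: MemoryTokenStorage,
                 now: Optional[int] = None) -> Optional[Dict]:
    """Accept a token only if it verifies AND its jti is still in the active store."""
    claims = verify_jwt(token, secret, now)
    if claims is None or not storage.is_active(str(claims.get("jti", ""))):
        return None
    return claims
```

Because the memory backend is per process, a token issued by one local instance is unknown to every other instance and to production or staging; that is also why a signing secret that differs from the one used by a remote environment will never validate its tokens.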

OwlFlow Developer Portal