Appearance
Authentication
OwlFlow uses a dual-layered authentication model.
1. Partner Authentication (API Key)
All requests to the production and staging environments require a valid API key provided via the x-api-key header. This is enforced by the Google API Gateway.
http
x-api-key: YOUR_PARTNER_API_KEY2. User Authentication (JWT)
For user-specific operations (viewing profile, applying to scholarships), you must provide a Bearer token obtained from the login or googleAuth mutations.
Obtaining a Token
graphql
mutation Login($input: LoginInput!) {
auth {
login(input: $input) {
token
expiresAt
}
}
}Using the Token
Include the token in the Authorization header of your requests:
http
Authorization: Bearer <your_token_here>Internal Session and Identity Bootstrap
The client contract is unchanged: applications send the OwlFlow JWT as a Bearer token and never send Laravel cookies.
For each authenticated request, OwlFlow:
- verifies the JWT signature and reads its
subaccount id andjtisession id; - resolves the
jtito the existing Laravel session cookie through token storage, backed by Firestore in deployed environments; - uses the feature-flagged Core MySQL repository to bootstrap the account identity when
owlflow-db-account-bootstrapis enabled; - falls back to Core's account-info endpoint when the database is unavailable.
A missing or soft-deleted database account is an authentication failure and does not fall back to Core. Raw Laravel cookie requests continue to validate through Core. The mapped Laravel session cookie is retained for downstream REST and JSON:API calls, so existing Core authorization and session behavior remain unchanged.
