Authentication

OwlFlow uses a dual-layered authentication model.

1. Partner Authentication (API Key)

All requests to the production and staging environments require a valid API key provided via the x-api-key header. This is enforced by the Google API Gateway.

http

x-api-key: YOUR_PARTNER_API_KEY

2. User Authentication (JWT)

For user-specific operations (viewing profile, applying to scholarships), you must provide a Bearer token obtained from the login or googleAuth mutations.

Obtaining a Token

graphql

mutation Login($input: LoginInput!) {
  auth {
    login(input: $input) {
      token
      expiresAt
    }
  }
}

Using the Token

Include the token in the Authorization header of your requests:

http

Authorization: Bearer <your_token_here>

Authentication ​

1. Partner Authentication (API Key) ​

2. User Authentication (JWT) ​

Obtaining a Token ​

Using the Token ​

Authentication

1. Partner Authentication (API Key)

2. User Authentication (JWT)

Obtaining a Token

Using the Token