The cloud supports two authentication methods: web sessions for human users and API tokens for service-to-cloud communication.

Web sessions

Web users authenticate using Supabase Auth with magic link OTP:
  1. User enters their email on the login page
  2. Supabase sends a magic link to their email
  3. Clicking the link creates a session
  4. The session is managed via Supabase cookies
The middleware at middleware.ts guards all authenticated routes and redirects unauthenticated users to /login.

API tokens (PAK)

The service authenticates with the cloud using Personal API Keys (PAK). These are long-lived tokens created through the settings UI.

Token format

obk_<64 hex characters>

How they work

  • Tokens are hashed with SHA-256 before storage — the raw token is shown only once at creation
  • Each request includes the token in the Authorization header and the team ID in X-Team-Id
  • The cloud verifies the hash, resolves the team, and updates last_used_at
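The create-and-verify flow described above, as an added sketch that is not the project's own code. The in-memory `store`, the record fields other than `last_used_at`, the lowercase-hex check, the lowercased header keys and the rule that `X-Team-Id` must equal the token's team are assumptions made for illustration.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Assumed record shape; only last_used_at is named on this page.
interface TokenRecord { teamId: string; name: string; last_used_at: Date | null; }

// Page format: obk_ + 64 hex characters (lowercase is an assumption).
const TOKEN_RE = /^obk_[0-9a-f]{64}$/;

// Stand-in for the tokens table, keyed by the SHA-256 hex digest of the token.
const store = new Map<string, TokenRecord>();

function sha256Hex(value: string): string {
  return createHash("sha256").update(value, "utf8").digest("hex");
}

// Creation: the raw token is returned once; only its hash is persisted.
function createToken(teamId: string, name: string): string {
  const raw = "obk_" + randomBytes(32).toString("hex");
  store.set(sha256Hex(raw), { teamId, name, last_used_at: null });
  return raw;
}

// Revocation modelled as deleting the hash row (simplification: a real UI
// would revoke by record id, since the raw token is no longer available).
function revokeToken(raw: string): boolean {
  return store.delete(sha256Hex(raw));
}

// Verification: parse the Bearer token, check its shape, look up the hash,
// match the team, then stamp last_used_at. Returns null on any failure.
function verifyRequest(headers: Record<string, string | undefined>): TokenRecord | null {
  const auth = headers["authorization"] ?? "";
  const teamId = headers["x-team-id"] ?? "";
  const raw = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  if (!TOKEN_RE.test(raw)) return null; // malformed input never reaches the lookup
  const record = store.get(sha256Hex(raw));
  if (!record) return null; // unknown or revoked token
  if (record.teamId !== teamId) return null; // assumed: token is bound to one team
  record.last_used_at = new Date();
  return record;
}
```

Because only the digest is stored, a leaked copy of the table does not contain usable tokens, and a lost token cannot be recovered, only revoked and replaced.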

Using tokens

curl https://your-cloud.vercel.app/api/tasks \
  -H "Authorization: Bearer obk_your-token" \
  -H "X-Team-Id: your-team-uuid"

Managing tokens

Go to Settings in the cloud web UI to:
  • Create new tokens with descriptive names
  • View last-used timestamps
  • Revoke tokens