Skip to content
flowlayer

Session Token

FlowLayer uses a Bearer token to protect session access.

The server validates this token for both /health and /ws.

Where the Token Is Configured

Section titled “Where the Token Is Configured”

On the server, set session.token in the FlowLayer server config.

{
  "session": {
    "bind": "127.0.0.1:6999",
    "token": "dev-token-session-security"
  }
}

For the official TUI, pass the token with -token:

Terminal window
flowlayer-client-tui -addr 127.0.0.1:6999 -token dev-token-session-security

Authentication Outcomes

Section titled “Authentication Outcomes”

FlowLayer enforces Bearer auth on session endpoints:

  • token missing: 401 Unauthorized
  • token invalid: 403 Forbidden

This behavior applies to both health checks and WebSocket session access.

Operational Recommendations

Section titled “Operational Recommendations”
  • Use non-trivial, environment-specific tokens.
  • Never commit real tokens to version control.
  • Prefer environment variables or local ignored files for token injection where appropriate.
  • Rotate tokens after accidental sharing.

Product Boundaries

Section titled “Product Boundaries”

The session token is a practical access gate, not a complete identity or permissions system.

FlowLayer does not provide full user management, role-based authorization, or multi-tenant permission isolation.