Session Token

FlowLayer uses a Bearer token to protect session access.

The server validates this token for both /health and /ws.

Where the token is configured

On the server, set session.token in the FlowLayer server config.

{
  "session": {
    "bind": "127.0.0.1:6999",
    "token": "dev-token-session-security"
  }
}

For the official TUI, pass the token with -token:

flowlayer-client-tui -addr 127.0.0.1:6999 -token dev-token-session-security

Authentication outcomes

FlowLayer enforces Bearer auth on session endpoints:

  • token missing: 401 Unauthorized
  • token invalid: 403 Forbidden

This behavior applies to both health checks and WebSocket session access.
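The following is an added example, not FlowLayer's own code, showing how a server-side middleware can produce exactly these outcomes for a protected endpoint such as /health: 401 when no Bearer token is presented, 403 when the presented token does not match session.token, and a constant-time comparison so a mismatch leaks nothing about how close the guess was. The token value, the bind address and the `requireBearer`/`checkBearer` names are taken from or constructed for this page.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// sessionToken stands in for the session.token value from the server config (constructed sample).
const sessionToken = "dev-token-session-security"

// checkBearer maps an Authorization header to an HTTP status: 401 when no Bearer
// token is presented (including a non-Bearer scheme, treated here as "missing"; an
// assumption), 403 when the token does not match, 200 when it does.
func checkBearer(authHeader, expected string) int {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return http.StatusUnauthorized
	}
	presented := strings.TrimSpace(strings.TrimPrefix(authHeader, prefix))
	if presented == "" {
		return http.StatusUnauthorized
	}
	// Constant-time compare: the time taken does not depend on the first differing byte.
	if subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) != 1 {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// requireBearer wraps any handler (e.g. /health or the /ws upgrade) with the token check.
func requireBearer(expected string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code := checkBearer(r.Header.Get("Authorization"), expected); code != http.StatusOK {
			w.Header().Set("WWW-Authenticate", `Bearer realm="flowlayer"`)
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/health", requireBearer(sessionToken, http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })))
	log.Fatal(http.ListenAndServe("127.0.0.1:6999", mux))
}
```

With the server running, `curl -i http://127.0.0.1:6999/health` returns 401, adding `-H "Authorization: Bearer wrong"` returns 403, and the configured token returns 200.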

Operational recommendations

  • Use non-trivial, environment-specific tokens.
  • Never commit real tokens to version control.
  • Prefer environment variables or local files excluded from version control for injecting the token, where appropriate.
  • Rotate tokens after accidental sharing.

Product boundaries

The session token is a practical access gate, not a complete identity or permissions system.

FlowLayer does not provide full user management, role-based authorization, or multi-tenant permission isolation.