Authentication
The Revelation 14 API uses JWT (JSON Web Tokens) for authentication. All API requests must include a valid access token in the Authorization header.
Authentication Flow
Getting an Access Token
Login Endpoint
POST /auth/login
Authenticate a user and receive an access token
Endpoint: https://rzqklwfhwqmviintncqh.supabase.co/functions/v1/auth/login
Headers:
Content-Type: application/json
apikey: your_supabase_anon_key
Request Body:
Response:
{
"success": true,
"statusCode": 200,
"message": "Welcome back",
"data": {
"payload": {
"id": "f9cc094c-ba9c-4a0a-82b9-e40d589e97db",
"name": "John Doe",
"email": "[email protected]",
"role": "STANDARD_USER",
"status": "ACTIVE",
"isVerified": true,
"createdAt": "2025-08-15T13:53:15.974Z"
},
"accessToken": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
}
Using Access Tokens
Include the access token in the Authorization header for all authenticated requests. Note that the accessToken value returned by /auth/login already starts with "Bearer ", so send it verbatim; do not prepend "Bearer " a second time or the header becomes "Bearer Bearer ..." and is rejected.
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
JWT Token Structure
The access token is a standard three-part JWT (header.payload.signature). The header shown in the samples above, eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, decodes to {"alg":"HS256","typ":"JWT"}: the token is HMAC-SHA256 signed with a secret held by the server, so a client can read the payload but cannot verify it. The payload contains:
{
"id": "user_unique_id",
"role": "STANDARD_USER",
"iat": 1760426328,
"exp": 1760433528
}
Fields:
id: Unique user identifier (the same value as payload.id in the login response)
role: User role (STANDARD_USER, ADMIN, etc.). Read it for UI decisions only; permissions are enforced by the server, so a client-side check of this claim is not a security control
iat: Issued-at time, Unix seconds
exp: Expiration time, Unix seconds. In the sample, exp - iat = 7200 s, i.e. the 2-hour lifetime described below
Token Expiration
- Default Expiration: 2 hours
- Refresh: There is no refresh-token endpoint; obtain a new token by calling /auth/login again
- Validation: The server validates the signature and expiry on every request
Tokens expire 2 hours after they are issued. Your application should check exp before making a request, handle the 401 returned for an expired token gracefully, and prompt the user to re-authenticate when needed.
User Roles
| Role | Description | Permissions |
|---|---|---|
| STANDARD_USER | Regular user | Create/read/update/delete own notes |
| ADMIN | Administrator | Full access to all resources |
Security Best Practices
Secure Storage
Store tokens in platform-protected storage (iOS Keychain, Android Keystore-backed encrypted storage), never in plain preferences, localStorage, or log output
HTTPS Only
Always use HTTPS for API communications; the token is a bearer credential, so anyone who captures it can use it until it expires
Token Validation
Check exp locally before making requests so the app can re-authenticate instead of failing with a 401; this is a convenience for the client, the server still validates every token
Logout Handling
Clear tokens on logout. On iOS, Keychain items can survive an app uninstall, so also clear any stored token on the first launch after a reinstall
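The token handling described under Using Access Tokens, JWT Token Structure, Token Expiration and the Token Validation practice above, as an added Python example that is not code from the Revelation 14 API or its SDKs. It uses only the standard library. The signing secret, user id and timestamps are constructed for the example; a real client never holds the secret and simply receives the token from /auth/login, while mint_token here stands in for the server. It shows three things a practitioner needs: normalising the "Bearer " prefix that the login response already includes, the client-side expiry check (which cannot verify the signature and must not be used for authorization), and what the server-side validation performed on every request has to do: pin the algorithm, compare the HMAC in constant time, then check exp. The "Invalid token format" wording matches the documented 401 error; the other error strings are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only; the real secret lives behind /auth/login.
DEMO_SECRET = b"example-only-signing-secret"
TOKEN_TTL = 2 * 60 * 60  # 2 hours, the documented default lifetime


def b64url_encode(data: bytes) -> str:
    """JWT base64url: URL-safe alphabet, padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(user_id: str, role: str, now=None, secret: bytes = DEMO_SECRET) -> str:
    """Constructed HS256 signer standing in for what /auth/login issues."""
    now = int(time.time()) if now is None else now

    def segment(obj) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"id": user_id, "role": role, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = f"{segment(header)}.{segment(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def authorization_header(access_token: str) -> dict:
    """Client: the login response's accessToken already carries "Bearer ";
    accept it with or without the prefix so the header is never doubled."""
    raw = access_token.strip()
    if raw[:7].lower() == "bearer ":
        raw = raw[7:].strip()
    return {"Authorization": f"Bearer {raw}"}


def decode_claims(token: str) -> dict:
    """Client: read the payload WITHOUT checking the signature (it cannot).
    Good for UX decisions only; never decide access from "role" here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("Invalid token format")
    return json.loads(b64url_decode(parts[1]))


def needs_reauth(token: str, now=None, skew: int = 60) -> bool:
    """Client: True when the token is expired, within `skew` seconds of it,
    or unreadable, i.e. whenever the app should go back to /auth/login."""
    now = int(time.time()) if now is None else now
    try:
        exp = int(decode_claims(token)["exp"])
    except (ValueError, KeyError, TypeError):
        return True
    return now >= exp - skew


def verify_token(token: str, now=None, secret: bytes = DEMO_SECRET):
    """Server: validation on every request. Returns (claims, None) or
    (None, error). Order matters: pin the algorithm first (the header is
    attacker-controlled until the MAC is checked), then the constant-time
    HMAC comparison, then expiry."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "Invalid token format"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from it
        return None, "Invalid token format"
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None, "Unsupported algorithm"  # refuses "none" and alg confusion
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None, "Invalid signature"
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None, "Invalid token format"
    if now >= claims["exp"]:
        return None, "Token expired"
    return claims, None


def forge_role(token: str, role: str) -> str:
    """Attacker's move: rewrite the payload's role but keep the old signature."""
    head, body, sig = token.split(".")
    claims = dict(json.loads(b64url_decode(body)), role=role)
    return f"{head}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig}"
```

Minting a token with now=1760426328 (the iat from the sample payload) reproduces the documented header segment eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 and an exp exactly 7200 s later. needs_reauth flips to True shortly before exp, which is the moment the app should return to /auth/login. On the server side, a payload rewritten to "role": "ADMIN" fails the HMAC check, an "alg": "none" header is refused before any signature handling, and a token presented after exp is rejected even though its signature is valid; this is why the client-side role claim is informational only.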
Error Responses
401 Unauthorized
{
"error": "Authorization header required",
"success": false
}
401 Invalid Token
{
"error": "Invalid token format",
"success": false
}
400 Invalid Credentials
{
"statusCode": 400,
"message": "Invalid credentials"
}
Code Examples
Flutter/Dart: storing the access token with flutter_secure_storage, which uses the Keychain on iOS and Keystore-backed encryption on Android:
import 'package:flutter_secure_storage/flutter_secure_storage.dart';
class AuthService {
static const _storage = FlutterSecureStorage();
static const _tokenKey = 'access_token';
// Store token securely
static Future<void> storeToken(String token) async {
await _storage.write(key: _tokenKey, value: token);
}
// Retrieve token
static Future<String?> getToken() async {
return await _storage.read(key: _tokenKey);
}
// Clear token on logout
static Future<void> clearToken() async {
await _storage.delete(key: _tokenKey);
}
}