Xolo supports five authentication types and a smart inheritance system that lets you define credentials once on a collection or folder and automatically apply them to every request inside it. Each request’s Auth tab lets you choose an explicit type, opt into inheritance, or explicitly disable auth — giving you fine-grained control without repetitive configuration.
Supported Auth Types
- API Key
- Bearer Token
- Basic Auth
- OAuth 2.0
- No Auth
- Inherit (Default)
API Key auth injects a custom key-value pair into either the request Header or a Query parameter, depending on where the target API expects it.
The ApiKeyAuthForm widget exposes three fields:
| Field | Description |
|---|---|
| key | The header name or query parameter name (e.g. X-API-Key) |
| value | The secret key value |
| in | Destination: header or query |
When in is set to header, Xolo adds a custom request header with the given name and value before the request is dispatched. When set to query, the key-value pair is appended to the request URL as a query parameter.
Auth Inheritance
Xolo’s AuthResolverService.resolveAuth() implements a depth-first upward walk through the collection hierarchy to determine the effective auth for any request.
- Direct auth — if requestAuthType is not null, not 'inherit', and not 'none', the request’s own auth is used and source is set to 'request'.
- Explicit none — if requestAuthType == 'none', resolution stops immediately and returns source: 'none' with no credentials.
- Inheritance walk — if requestAuthType == 'inherit' (or is null), resolveAuth calls _repo.getCollectionPath(collectionId), which returns the full ancestor chain ordered [Root, …, DirectParent]. The list is reversed so the closest ancestor is checked first.
- For each ancestor collection, if its authType is a non-empty, non-'inherit', non-'none' value, that auth is resolved and returned. The source field distinguishes whether the winning ancestor is a folder (parentId != null) or the root project (parentId == null).
- If an ancestor has authType == 'none', inheritance stops and source: 'none' is returned, preventing further upward lookup.
- If no ancestor yields auth, source: 'none' is returned.
The source field on ResolvedAuth tells you exactly where the active credentials came from:
| source | Meaning |
|---|---|
| 'request' | Auth is defined directly on the request |
| 'folder' | Auth is inherited from an intermediate folder |
| 'project' | Auth is inherited from the root project collection |
| 'none' | No auth is active |
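The resolution order above, modelled as a standalone Dart program. This is an added example, not Xolo's source: the Collection and ResolvedAuth classes, the function signature and the sample hierarchy are assumptions built from the description. The case to note is a folder set to 'none', which stops the walk so the root project's credentials are not applied to requests in that folder.

```dart
// Added illustration; Collection, ResolvedAuth and this resolveAuth are
// hypothetical stand-ins that model the documented rules, not Xolo's classes.
class Collection {
  final String? parentId; // null marks the root project
  final String? authType; // e.g. 'bearer', 'inherit', 'none', '' or null
  const Collection({this.parentId, this.authType});
}

class ResolvedAuth {
  final String source; // 'request' | 'folder' | 'project' | 'none'
  final String? authType;
  const ResolvedAuth(this.source, [this.authType]);
  @override
  String toString() => authType == null ? source : '$source:$authType';
}

/// [path] is the ancestor chain ordered [Root, ..., DirectParent].
ResolvedAuth resolveAuth(String? requestAuthType, List<Collection> path) {
  if (requestAuthType == 'none') return const ResolvedAuth('none');
  if (requestAuthType != null && requestAuthType != 'inherit') {
    return ResolvedAuth('request', requestAuthType);
  }
  for (final c in path.reversed) { // closest ancestor first
    final t = c.authType;
    if (t == 'none') return const ResolvedAuth('none'); // stop the walk
    if (t != null && t.isNotEmpty && t != 'inherit') {
      return ResolvedAuth(c.parentId == null ? 'project' : 'folder', t);
    }
  }
  return const ResolvedAuth('none');
}

void check(String label, ResolvedAuth got, String want) {
  if ('$got' != want) throw StateError('$label: got $got, want $want');
  print('$label -> $got');
}

void main() {
  // Constructed hierarchy: a root project with a bearer token and three folders.
  const root = Collection(authType: 'bearer');
  const plain = Collection(parentId: 'root', authType: 'inherit');
  const publicDocs = Collection(parentId: 'root', authType: 'none');
  const partner = Collection(parentId: 'root', authType: 'api_key');

  check('inherit via plain folder', resolveAuth(null, [root, plain]), 'project:bearer');
  check('folder overrides root', resolveAuth('inherit', [root, partner]), 'folder:api_key');
  check('folder none blocks root', resolveAuth('inherit', [root, publicDocs]), 'none');
  check('request overrides folder', resolveAuth('basic', [root, publicDocs]), 'request:basic');
  check('request none', resolveAuth('none', [root, partner]), 'none');
}
```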
Resolved Auth Preview
The Auth tab in the request composer includes an AuthResolvedPreview widget that shows you the final resolved auth in real time — before you send the request. It calls AuthResolverService.resolveAuth() asynchronously and displays:
- The resolved auth type (e.g. BEARER, BASIC, API_KEY)
- The source — whether credentials come from the request itself, an inherited folder, or the root project
- A clear message when no auth is active
Secure Storage
Xolo never stores authentication credentials in plaintext SQLite. All auth secrets are written through AuthSecretService, which delegates to SecurityService — a thin wrapper around flutter_secure_storage.
When you save auth data, AuthSecretService.storeAuthData():
- Writes the serialised JSON to flutter_secure_storage under a namespaced key prefixed with auth_secret:.
- Returns an opaque reference string (prefixed secure_auth_ref:) that is stored in the database in place of the real credentials.
AuthSecretService.resolveAuthData() detects the reference prefix and fetches the actual secret from secure storage — keeping credentials out of the SQLite database entirely.
flutter_secure_storage uses the Android Keystore on Android and the iOS Keychain on iOS, so credentials are protected by the device’s hardware security module where available.
OAuth 2.0
Configure Authorization Code + PKCE, Client Credentials, and Password grant flows.
Biometric Security
Lock the app with Face ID or fingerprint and protect stored credentials.