Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/JonathanHerSa/xolo-api-hub/llms.txt

Use this file to discover all available pages before exploring further.

Xolo supports five authentication types and a smart inheritance system that lets you define credentials once on a collection or folder and automatically apply them to every request inside it. Each request’s Auth tab lets you choose an explicit type, opt into inheritance, or explicitly disable auth — giving you fine-grained control without repetitive configuration.

Supported Auth Types

API Key auth injects a custom key-value pair into either the request Header or a Query parameter, depending on where the target API expects it.The ApiKeyAuthForm widget exposes three fields:
FieldDescription
keyThe header name or query parameter name (e.g. X-API-Key)
valueThe secret key value
inDestination: header or query
When in is set to header, Xolo adds a custom request header with the given name and value before the request is dispatched. When set to query, the key-value pair is appended to the request URL as a query parameter.
// Data shape stored for API Key auth
{
  "key": "X-API-Key",
  "value": "sk-abc123",
  "in": "header"   // or "query"
}

Auth Inheritance

Xolo’s AuthResolverService.resolveAuth() implements a depth-first upward walk through the collection hierarchy to determine the effective auth for any request.
Future<ResolvedAuth> resolveAuth({
  String? requestAuthType,
  String? requestAuthData,
  int? collectionId,
}) async { ... }
The resolution algorithm follows these steps in order:
  1. Direct auth — if requestAuthType is not null, not 'inherit', and not 'none', the request’s own auth is used and source is set to 'request'.
  2. Explicit none — if requestAuthType == 'none', resolution stops immediately and returns source: 'none' with no credentials.
  3. Inheritance walk — if requestAuthType == 'inherit' (or is null), resolveAuth calls _repo.getCollectionPath(collectionId) which returns the full ancestor chain ordered [Root, …, DirectParent]. The list is reversed so the closest ancestor is checked first.
  4. For each ancestor collection, if its authType is a non-empty, non-'inherit', non-'none' value, that auth is resolved and returned. The source field distinguishes whether the winning ancestor is a folder (parentId != null) or the root project (parentId == null).
  5. If an ancestor has authType == 'none', inheritance stops and source: 'none' is returned, preventing further upward lookup.
  6. If no ancestor yields auth, source: 'none' is returned.
The source field on ResolvedAuth tells you exactly where the active credentials came from:
sourceMeaning
'request'Auth is defined directly on the request
'folder'Auth is inherited from an intermediate folder
'project'Auth is inherited from the root project collection
'none'No auth is active

Resolved Auth Preview

The Auth tab in the request composer includes an AuthResolvedPreview widget that shows you the final resolved auth in real time — before you send the request. It calls AuthResolverService.resolveAuth() asynchronously and displays:
  • The resolved auth type (e.g. BEARER, BASIC, API_KEY)
  • The source — whether credentials come from the request itself, an inherited folder, or the root project
  • A clear message when no auth is active
This prevents surprises: you can confirm at a glance which credentials will be injected into the next request, even when inheritance is involved.

Secure Storage

Xolo never stores authentication credentials in plaintext SQLite. All auth secrets are written through AuthSecretService, which delegates to SecurityService — a thin wrapper around flutter_secure_storage. When you save auth data, AuthSecretService.storeAuthData():
  1. Writes the serialised JSON to flutter_secure_storage under a namespaced key prefixed with auth_secret:.
  2. Returns an opaque reference string (prefixed secure_auth_ref:) that is stored in the database in place of the real credentials.
At resolution time, AuthSecretService.resolveAuthData() detects the reference prefix and fetches the actual secret from secure storage — keeping credentials out of the SQLite database entirely.
// Writing credentials
final ref = await authSecretService.storeAuthData(jsonEncode({
  "token": "eyJhbGc..."
}));
// ref == "secure_auth_ref:1718000000000-abc123def456"

// Reading credentials (called internally by AuthResolverService)
final raw = await authSecretService.resolveAuthData(ref);
// raw == '{"token":"eyJhbGc..."}'
flutter_secure_storage uses the Android Keystore on Android and the iOS Keychain on iOS, so credentials are protected by the device’s hardware security module where available.

OAuth 2.0

Configure Authorization Code + PKCE, Client Credentials, and Password grant flows.

Biometric Security

Lock the app with Face ID or fingerprint and protect stored credentials.

Build docs developers (and LLMs) love