Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/JonathanHerSa/xolo-api-hub/llms.txt

Use this file to discover all available pages before exploring further.

Xolo’s cloud sync gives you a resilient, private copy of your workspace that follows you across devices. Backups are encrypted on-device before they ever leave your phone and are stored in Google Drive AppData — a private app-specific folder that is invisible to the regular Drive UI and inaccessible to other apps. Your data never passes through Xolo’s servers; it lives entirely in your own Google account.

How It Works

The sync pipeline is composed of three cooperating services:
SyncService.exportFullBackup() fetches all root collections from the local Drift database and builds a SyncBackup object containing:
  • Every workspace (SyncCollection) with its full folder hierarchy and saved requests
  • All environments and their variables scoped to each workspace
  • Global environments (those without a collectionId)
The resulting object is serialised to an indented JSON string and written to a temporary file.
EncryptionService.encryptBytes() encrypts the raw JSON bytes using AES-256-CBC. The key is derived from a user-supplied password via PBKDF2-HMAC-SHA256 with 120,000 rounds and a 16-byte random salt. A random 16-byte IV is generated for each encryption operation. An HMAC-SHA256 message authentication code is appended to the payload so that tampering is detected during decryption. The format is:
[16-byte salt][16-byte IV][AES-CBC ciphertext][32-byte HMAC]
The encrypt package provides the AES primitive; keys and salts are never written to the backup file or to the network — only the ciphertext and MAC are stored.
CloudSyncService.syncUpload() orchestrates the full pipeline: it calls SyncService to export the JSON, passes the bytes through EncryptionService, writes the encrypted bytes to a temporary file named xolo-mobile-backup.xolo.enc, and uploads it to the Drive AppData folder via CloudService. After a successful upload, cloud_last_synced_at is persisted to app settings so the Sync screen can display a “Last synced” timestamp.

File Naming and Metadata

The backup file uploaded to Drive is always named:
xolo-mobile-backup.xolo.enc
The Drive file description field records the ISO 8601 timestamp of the upload:
Xolo mobile backup 2025-06-10T14:32:07.000Z
The unencrypted JSON payload (before encryption) includes a schemaVersion field (currently 8) and an exportedAt ISO 8601 timestamp, which are used during restore to validate compatibility.

Sync Strategy

BehaviourDetail
TriggerManual on-demand — the user taps Sync Now
Background pollingNot implemented. There is no periodic background task
Lifecycle syncThe app can call syncUpload on lifecycle events such as app pause
Conflict resolutionLast-write-wins. downloadLatestBackup() sorts Drive files by createdTime descending and returns the most recent one

Setup Steps

1

Open Settings → Sync

Navigate to SettingsBackups & Sync (SyncScreen). The screen shows a local backup panel and a separate Cloud Sync section below.
2

Sign in with Google

Tap Sign in with Google. CloudService.signIn() triggers the Google Sign-In flow and requests the drive.appdata OAuth scope — the minimum scope needed to read and write files in the AppData folder. No broader Drive access is requested.
3

Create a backup password and sync

Tap Sync Now. Xolo prompts you to create a backup password. This password is used as the PBKDF2 input for key derivation and is not stored anywhere by Xolo — you must remember it to restore the backup. After you confirm the password, CloudSyncService.syncUpload() runs and uploads the encrypted file.
4

Restore on another device

On a second device, install Xolo, open Settings → Backups & Sync, sign in with the same Google account, then tap Sync Now (or use Import Backup if restoring locally). Xolo calls downloadLatestBackup() to fetch the most recent Drive file, prompts for the decryption password, and imports the backup via SyncService.importFullBackup().

Local Backup (No Cloud Required)

SyncService also supports a fully offline backup flow that works without a Google account. The same export-then-encrypt pipeline runs locally:
  1. SyncService.exportFullBackup() writes the JSON to a temp directory
  2. EncryptionService.encryptBytes() encrypts it with a user-provided password
  3. The encrypted .xolo file is shared via the system share sheet using share_plus
The resulting file can be saved to local storage, sent over messaging apps, or transferred via cable — anything the OS share sheet supports. To restore, use Import Backup, pick the .xolo file, and enter the decryption password.

What Is Synced

  • Collections and sub-collections (full folder hierarchy)
  • Saved requests: method, URL, headers, query params, body, assertion rules (assertionsJson)
  • Environments and their variables (both workspace-scoped and global)
  • App settings (exported in the settings array of the backup payload)

EncryptionService Technical Reference

EncryptionService (from the encrypt package, backed by crypto for PBKDF2/HMAC) exposes four public methods:
MethodDescription
encryptBytes(List<int> plainBytes, String password)Encrypts a byte array. Returns [salt][IV][ciphertext][HMAC].
decryptBytes(List<int> cipherBytes, String password)Verifies the HMAC, derives the same key via PBKDF2, and decrypts. Throws on MAC mismatch.
encryptString(String plainText, String password)Convenience wrapper; returns a v2:<base64> string.
decryptString(String combined, String password)Handles v2:<base64> format and a legacy IV:ciphertext format for backwards compatibility.
generateRandomPassword()Generates a cryptographically random 16-character password from alphanumeric + symbol characters.
Keys are derived fresh from the password and salt on every encrypt/decrypt call — no key material is persisted to flutter_secure_storage or any other store by EncryptionService itself.
// How CloudSyncService calls EncryptionService during upload
final encryptedBytes = _encryption.encryptBytes(
  Uint8List.fromList(utf8.encode(exportData)),
  password,
);
await File(encPath).writeAsBytes(encryptedBytes);
The encryption key is derived from your password, which Xolo never stores. If you lose access to the password you used during backup, the .xolo or .enc file cannot be decrypted — not by Xolo, and not by Google. Store your backup password in a password manager before syncing.
Google Drive AppData is a private, app-specific folder. The xolo-mobile-backup.xolo.enc file does not appear in the Drive website file browser at drive.google.com and cannot be read by other apps on the device. Only Xolo, using the same Google account, can list or download the file.

Build docs developers (and LLMs) love