Authentication
Outerfaced has two authentication systems: user auth (for the dashboard) and API key auth (for your automations).
API Key Authentication
All V1 API endpoints (/api/v1/...) use Bearer token authentication.
Generating an API Key
- Go to Dashboard → Settings
- Click Generate API Key
- Copy the key — it is shown only once and cannot be retrieved later
API keys have the format:
ofd_<32 hex characters>
Example: ofd_a1b2c3d4e5f6...
Using Your API Key
Include the key as a Bearer token in every request:
Authorization: Bearer ofd_your_key_here
Full example:
curl -X GET "https://your-domain/api/v1/channels?workspace_id=abc123" \
-H "Authorization: Bearer ofd_your_key_here"
Key Storage
- The plaintext key is never stored on the server — only a SHA-256 hash
- Store your key securely (environment variable, secrets manager)
- If you lose your key, generate a new one; the old one is revoked automatically
Quick Mode vs Secure Mode
Outerfaced supports two security levels for the V1 API:
Quick Mode (default)
In Quick Mode, V1 API requests are accepted without a Bearer token. This is useful for rapid prototyping and testing.
To use Quick Mode, simply omit the Authorization header:
curl -X POST "https://your-domain/api/v1/channels/{workspaceId}/cards" \
-H "Content-Type: application/json" \
-d '{ "blocks": [...] }'
Warning: Quick Mode is not recommended for production. Anyone who knows your channel ID can push cards.
Secure Mode
When Secure Mode is enabled, every V1 API request must include a valid Authorization: Bearer header matching the workspace owner's API key.
Enabling Secure Mode:
PATCH /api/user/settings
{ "secure_mode": true }
Or toggle it in Dashboard → Settings → Security Mode.
Secure Mode auth flow:
1. Client sends: Authorization: Bearer ofd_xxx
2. Server extracts token
3. Server hashes token with SHA-256
4. Server looks up workspace owner's api_key_hash
5. If hashes match → request proceeds
6. If no match → 401 Unauthorized
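The flow above, together with the key format and hash-only storage described earlier, as an added example (not Outerfaced's own code). The function names, the hex-encoded lowercase hash, the format check and the constant-time comparison are assumptions made for this sketch.

```python
import hashlib
import hmac
import re
import secrets

# Key format stated on this page: "ofd_" followed by 32 hex characters.
# Assumption: lowercase hex, as in the page's example key.
KEY_RE = re.compile(r"ofd_[0-9a-f]{32}")


def hash_key(key):
    # Assumption: the SHA-256 digest is stored hex-encoded.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def generate_api_key():
    """Return (plaintext_key, api_key_hash). Only the hash would be persisted."""
    key = "ofd_" + secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
    return key, hash_key(key)


def check_request(authorization, api_key_hash, secure_mode=True):
    """Return the status the flow yields; 200 stands for 'request proceeds'."""
    if not secure_mode:
        return 200  # Quick Mode: accepted without a Bearer token
    if not authorization or api_key_hash is None:
        return 401  # no header, or the owner never generated a key
    # Step 2: extract the token from "Bearer <token>".
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return 401  # reject malformed input before hashing it
    # Steps 3-5: hash the presented token and compare with the stored hash.
    # compare_digest avoids leaking the mismatch position through timing.
    if hmac.compare_digest(hash_key(token), api_key_hash):
        return 200
    return 401  # Step 6


if __name__ == "__main__":
    key, stored = generate_api_key()  # constructed sample key
    print(check_request("Bearer " + key, stored))          # valid key
    print(check_request("Bearer ofd_" + "0" * 32, stored))  # wrong key
    print(check_request(None, stored, secure_mode=False))   # Quick Mode
```

Because only the hash is kept, a leaked database row does not reveal a usable key, and revoking a key amounts to replacing the stored hash.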
User Authentication (Dashboard)
The dashboard uses Supabase Auth with Google OAuth. This is separate from API key auth and is only needed to access the dashboard UI.
Sign in at /auth/signin.