
Tuturuuu apps should not share production Supabase service-role keys or browser sessions. Apps coordinate through web-owned auth routes:
  • Internal apps can continue using cross-app login tokens generated by apps/web.
  • External apps must be registered in the Infrastructure dashboard before they can exchange a central-login token for API access.
  • App coordination bearer tokens are never minted from a cross-app token alone. The exchange route requires a registered appId plus app secret, and external-project APIs require explicit API scopes.
  • Platform admins issue or rotate external app secrets from Infrastructure -> External Apps. The secret is shown once; Tuturuuu stores only a hash in root workspace secrets.

External app flow

  1. Register the external app ID, allowed origins, and allowed API scopes in the Infrastructure dashboard.
  2. Issue an app secret and store it in the external app runtime environment.
  3. Send users to the centralized web login with a returnUrl pointing back to the registered external app origin.
  4. The external app receives a short-lived cross-app token on its return URL.
  5. The external app server calls POST /api/v1/auth/app-token/exchange with appId, appSecret, token, and optional requestedScopes.
  6. Tuturuuu validates the app secret and cross-app token, then returns a short-lived bearer token for Tuturuuu APIs.

External apps store only their own app secret and local session material. They call Tuturuuu APIs with the returned bearer token and never need production Supabase keys.
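The flow above, written out for the external app's server in TypeScript as an added example; this is not Tuturuuu's own code. Taken from the page: the appId, appSecret, token and requestedScopes fields, the returnUrl parameter and the route path. Assumed, because the page does not state them: the central login path "/login", the name of the query parameter ("token") that carries the cross-app token back to the app, the response field ("token") holding the bearer token, and the base URL where apps/web is served.

```typescript
// Added example of the external-app server side of the flow; it is not Tuturuuu's own code.
// Taken from the page: appId, appSecret, token, requestedScopes, returnUrl and the route path.
// Assumed, because the page does not state them: the login path "/login", the query
// parameter "token" carrying the cross-app token, and the response field "token".

export interface ExternalAppConfig {
  appId: string;
  appSecret: string;      // issued once in Infrastructure -> External Apps; stays server-side
  allowedOrigin: string;  // the origin registered for this app, e.g. "https://partner.example"
  tuturuuuBase: string;   // assumption: where apps/web is served
}

export type ExchangeInit = { method: "POST"; headers: Record<string, string>; body: string };
export type FetchLike = (url: string, init: ExchangeInit) => Promise<{ status: number; json(): Promise<unknown> }>;

function originOf(url: string): string {
  return new URL(url).origin;
}

// Step 3: redirect to the central login. returnUrl is resolved against the registered
// origin and rejected if it lands anywhere else, which also blocks "//evil.example/..."
// and absolute URLs to other hosts (an open redirect through the login page).
export function buildLoginUrl(cfg: ExternalAppConfig, returnPath: string): string {
  const returnUrl = new URL(returnPath, cfg.allowedOrigin);
  if (returnUrl.origin !== originOf(cfg.allowedOrigin)) {
    throw new Error(`returnUrl ${returnUrl.href} is not on the registered origin`);
  }
  const login = new URL("/login", cfg.tuturuuuBase); // assumption: path of the central login
  login.searchParams.set("returnUrl", returnUrl.href);
  return login.href;
}

// Step 4: read the cross-app token off the URL the user came back on. A callback that is
// not on our own origin is ignored; the parameter name is an assumption.
export function extractCrossAppToken(cfg: ExternalAppConfig, landedOn: string): string | null {
  const url = new URL(landedOn);
  if (url.origin !== originOf(cfg.allowedOrigin)) return null;
  const token = url.searchParams.get("token");
  return token ? token : null;
}

// Step 5: the exchange request. The app secret goes in the body, so this must only ever be
// built on the external app's server, never in browser code.
export function buildExchangeRequest(
  cfg: ExternalAppConfig,
  crossAppToken: string,
  requestedScopes: string[] = [],
): { url: string; init: ExchangeInit } {
  const body: Record<string, unknown> = { appId: cfg.appId, appSecret: cfg.appSecret, token: crossAppToken };
  if (requestedScopes.length > 0) body.requestedScopes = requestedScopes; // optional per the page
  return {
    url: new URL("/api/v1/auth/app-token/exchange", cfg.tuturuuuBase).href,
    init: { method: "POST", headers: { "content-type": "application/json" }, body: JSON.stringify(body) },
  };
}

// Step 6: accept only a 2xx carrying a non-empty token. Anything else is a failed handoff:
// the cross-app token is short-lived, so send the user back through login instead of retrying.
export function parseExchangeResponse(status: number, body: unknown): string {
  if (status < 200 || status >= 300) throw new Error(`exchange rejected with HTTP ${status}`);
  const token = (body as { token?: unknown } | null)?.token; // assumption: response field name
  if (typeof token !== "string" || token.length === 0) throw new Error("exchange response carries no token");
  return token;
}

// Every Tuturuuu API call from the external app carries only the bearer token.
export function authHeaders(bearer: string): Record<string, string> {
  return { authorization: `Bearer ${bearer}` };
}

// Steps 4-6 end to end, with fetch injectable so the flow can be exercised offline.
export async function exchangeCrossAppToken(
  cfg: ExternalAppConfig,
  landedOn: string,
  requestedScopes: string[] = [],
  fetchImpl: FetchLike = (globalThis as unknown as { fetch: FetchLike }).fetch,
): Promise<string> {
  const crossAppToken = extractCrossAppToken(cfg, landedOn);
  if (!crossAppToken) throw new Error("no cross-app token on the return URL");
  const { url, init } = buildExchangeRequest(cfg, crossAppToken, requestedScopes);
  const res = await fetchImpl(url, init);
  return parseExchangeResponse(res.status, await res.json());
}
```

Two points the page makes are enforced here rather than left to convention: the returnUrl check keeps the login from being used as an open redirect to an unregistered origin, and the exchange request is the only place the app secret appears, on the server, while the browser and the API calls only ever see the bearer token.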

Operational notes

The bearer token is signed with TUTURUUU_APP_COORDINATION_SECRET and defaults to an 8-hour lifetime. Set TUTURUUU_APP_COORDINATION_TOKEN_TTL_SECONDS to lower or raise that lifetime, up to a maximum of 24 hours.

When rotating an app secret, deploy the new external app environment first, then rotate from Infrastructure. Bearer tokens issued before the rotation keep working until they expire, because they are signed with the coordination secret rather than the app secret, but every exchange after the rotation requires the new app secret.

Cross-app login tokens are user-bound handoff tokens. The database RPC mints a token only for the authenticated caller's own auth.uid(); do not use it as a server-side impersonation primitive or as a substitute for app credentials.
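The properties in these notes, modelled in TypeScript as an added example that is not Tuturuuu's own code: the TTL default and cap, the show-once app secret of which only a hash is stored, a bearer token signed under the coordination secret, and the exchange checks (registered appId, matching secret, requested scopes within the allow-list). The page does not state the token format, the hash used for app secrets, or whether an over-limit TTL is clamped or rejected; the HMAC-SHA256 token layout, the SHA-256 secret hash and the clamping are assumptions. Validation of the cross-app token itself is out of scope here: userId stands for the subject that validation already established.

```typescript
// Added example, not Tuturuuu's own code. Assumptions: HMAC-SHA256 token layout, SHA-256 for
// the stored secret hash, and clamping (rather than rejecting) a TTL above the 24-hour cap.
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export const DEFAULT_TTL_SECONDS = 8 * 60 * 60; // page: default lifetime 8 hours
export const MAX_TTL_SECONDS = 24 * 60 * 60;    // page: configurable up to 24 hours

// TUTURUUU_APP_COORDINATION_TOKEN_TTL_SECONDS: unset or malformed falls back to the default;
// anything above the cap is clamped to it (assumption; the page only says "up to 24 hours").
export function resolveTokenTtl(raw: string | undefined): number {
  const n = Number(raw);
  if (!raw || !Number.isInteger(n) || n <= 0) return DEFAULT_TTL_SECONDS;
  return Math.min(n, MAX_TTL_SECONDS);
}

// App secrets: a 256-bit random value shown once; only its hash is stored. A plain hash is
// enough here (assumption: SHA-256) because the input is random, not a human-chosen password.
export function hashAppSecret(secret: string): string {
  return createHash("sha256").update(secret).digest("hex");
}
export function issueAppSecret(): { plaintext: string; hash: string } {
  const plaintext = randomBytes(32).toString("base64url");
  return { plaintext, hash: hashAppSecret(plaintext) };
}
export function verifyAppSecret(presented: string, storedHash: string): boolean {
  const a = Buffer.from(hashAppSecret(presented), "hex");
  const b = Buffer.from(storedHash, "hex");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Bearer token: base64url(JSON claims) + "." + HMAC-SHA256 under the coordination secret.
// Because the app secret is not part of the signature, rotating it leaves issued tokens valid.
export interface CoordinationClaims { sub: string; appId: string; scopes: string[]; iat: number; exp: number }

export function mintCoordinationToken(
  coordinationSecret: string,
  claims: { sub: string; appId: string; scopes: string[] },
  ttlSeconds: number,
  now: number = Math.floor(Date.now() / 1000),
): string {
  const payload: CoordinationClaims = { ...claims, iat: now, exp: now + ttlSeconds };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  const sig = createHmac("sha256", coordinationSecret).update(body).digest("base64url");
  return `${body}.${sig}`;
}

export function verifyCoordinationToken(
  coordinationSecret: string,
  token: string,
  now: number = Math.floor(Date.now() / 1000),
): CoordinationClaims | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const expected = createHmac("sha256", coordinationSecret).update(parts[0]).digest();
  const given = Buffer.from(parts[1], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8")) as CoordinationClaims;
  return typeof claims.exp === "number" && claims.exp > now ? claims : null;
}

// The exchange route's checks: registered appId, matching secret hash, and requested scopes
// within the app's allow-list. The app secret alone never yields a token either: the user
// comes from the cross-app token, which is validated upstream of this function.
export interface RegisteredApp { appId: string; secretHash: string; allowedScopes: string[] }

export function exchangeForBearer(
  registry: Map<string, RegisteredApp>,
  coordinationSecret: string,
  ttlSeconds: number,
  req: { appId: string; appSecret: string; userId: string; requestedScopes?: string[] },
  now: number = Math.floor(Date.now() / 1000),
): string {
  const app = registry.get(req.appId);
  // One message for both failures so a caller cannot enumerate registered appIds.
  if (!app || !verifyAppSecret(req.appSecret, app.secretHash)) throw new Error("unknown app or bad secret");
  const scopes = req.requestedScopes ?? [];
  const denied = scopes.filter((s) => !app.allowedScopes.includes(s));
  if (denied.length > 0) throw new Error(`scopes not granted to ${app.appId}: ${denied.join(", ")}`);
  return mintCoordinationToken(coordinationSecret, { sub: req.userId, appId: app.appId, scopes }, ttlSeconds, now);
}
```

The rotation behaviour described above falls out of the key separation: verifyCoordinationToken never consults the app-secret hash, so a token minted before the hash changes still verifies until its exp, while exchangeForBearer rejects the old plaintext secret on the next call. Scope escalation is refused at exchange time rather than at API-call time, so a token never carries a scope the app was not registered for.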