Auth Model
Two auth paths exist today
The current API middleware in apps/api/src/auth.ts supports two request types:
1. Web client auth
The web client sends:
Authorization: Bearer <supabase-jwt>
The API validates the JWT with Supabase, resolves the user, and loads the cached tier.
2. Trusted service auth
Internal adapters such as Telegram use:
X-Service-Secret
X-Service-Name
X-User-Id
This is not a public client shortcut. It is the internal adapter path for trusted channel services.
Why this matters
ClawOS does not mix channel transport identity with platform identity.
Different request shapes can enter the system, but they still resolve to the same user and the same platform entitlement state.
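A sketch of how the two request shapes can resolve to one platform user, added here as an example and not the code in apps/api/src/auth.ts. The `Deps` shape, the synchronous `verifyJwt` stand-in for Supabase validation, the service allow-list, and the rejection of requests that carry both shapes are assumptions of this sketch.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical shapes; the page does not show the real types in apps/api/src/auth.ts.
type Headers = Record<string, string | undefined>;
type Principal = { userId: string; via: "web" | "service"; service?: string };
type Deps = {
  verifyJwt: (token: string) => string | null; // stand-in for Supabase JWT validation
  serviceSecret: string;                       // shared secret held by internal adapters
  allowedServices: ReadonlySet<string>;        // assumed allow-list of adapter names
};

// Constant-time secret comparison; hashing first equalises the buffer lengths.
function secretsMatch(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

// Returns the platform user for either request shape, or null to reject.
function resolvePrincipal(h: Headers, deps: Deps): Principal | null {
  const bearer = h["authorization"];
  const secret = h["x-service-secret"];
  const service = h["x-service-name"];
  const userId = h["x-user-id"];
  const hasServiceHeaders = [secret, service, userId].some((v) => v !== undefined);

  // Assumption of this sketch: a request may use one path only, never both.
  if (bearer !== undefined && hasServiceHeaders) return null;

  if (bearer !== undefined) {
    const m = /^Bearer (\S+)$/.exec(bearer);
    const uid = m ? deps.verifyJwt(m[1]) : null;
    return uid ? { userId: uid, via: "web" } : null;
  }

  // Service path: all three headers required; X-User-Id is trusted only
  // after the secret and the service name have both been checked.
  if (!secret || !service || !userId) return null;
  if (!secretsMatch(secret, deps.serviceSecret)) return null;
  if (!deps.allowedServices.has(service)) return null;
  return { userId, via: "service", service };
}

// Constructed sample dependencies so the example runs offline.
const demoDeps: Deps = {
  verifyJwt: (t) => (t === "good-token" ? "user-123" : null),
  serviceSecret: "constructed-secret",
  allowedServices: new Set(["telegram"]),
};
```

Both paths return the same `userId` for the same person, so tier and entitlement lookups downstream do not need to know which channel the request came through.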