
Authentication

Neverline uses Supabase Auth for authentication and authorization.

User Authentication

Staff and administrative users sign in with Supabase Auth's email/password flow. The dashboard client handles login and session state itself, including refreshing the session before the access token expires.

API Authentication

Protected API endpoints require a Supabase-issued JWT (the session's access token), sent as a bearer token in the Authorization header:

Authorization: Bearer <supabase-jwt-token>

Tokens are issued by the Supabase Auth login flow and are refreshed automatically by the dashboard client. Server-to-server integrations that cannot run an interactive login should use API keys instead (see below).

API Keys

For server-to-server integrations, generate API keys in Settings → Integrations.

API keys are passed via the X-API-Key header:

X-API-Key: your-api-key

API keys are scoped to a single organization and carry the same permissions as an authenticated user of that organization. Treat them as credentials: keep them server-side, store them in a secret manager rather than in source control or client code, and regenerate any key that has been exposed.

Public Endpoints

The following endpoints are public and do not require authorization headers:

Endpoint                                    Purpose
GET  /v1/queues/:id                         Get queue info (for the customer join page)
POST /v1/sessions/join                      Join a queue
GET  /v1/sessions/:token                    Poll session status
POST /v1/sessions/:token/away               Set away status
POST /v1/sessions/:token/return             Return from away
POST /v1/sessions/:token/late               Mark as running late
GET  /v1/announcements                      Fetch active announcements (with scope params)
GET  /v1/locations/:id                      Get location details and wayfinding overrides
POST /v1/planned-arrivals                   Create a pre-arrival signal
POST /v1/planned-arrivals/:token/convert    Convert a planned arrival to a queue session
GET  /v1/chat/:token                        Get or create a chat thread
POST /v1/chat/:token/messages               Send a chat message

These endpoints identify the caller by a customer session token (the :token path parameter) rather than by a user account. That token is effectively a bearer credential for the one session it names: whoever holds it can poll or act on that session, so it must be unguessable and should only ever travel over HTTPS.

Notification links (SMS/push) use HMAC-SHA256 signed URLs for one-tap actions. The URL carries an expiration timestamp and the signature covers it along with the action parameters, so a link can neither be altered nor used after it expires. See Notifications for details.

Row-Level Security (RLS)

All database access is protected by Supabase Row-Level Security policies that enforce organization-level data isolation: a user can only read or modify rows belonging to their own organization. RLS is evaluated against the JWT of the caller, so it applies to requests made with a user's access token; note that the Supabase service-role key bypasses RLS entirely, so any server-side code that uses it must enforce organization scoping itself.