KullGames.Api
The Protected Data Vault — Port 5002
Role in the System
Browser/Script   Auth              API (this)
|                  |                    |
|  GET /api/data   |                    |
|  X-Api-Token: T  |                    |
|======================================>|
|                  |                    |
|                  |  ValidateToken(T)  |
|                  |<-------------------|
|                  |                    |
|                  |  Valid + Claims    |
|                  |------------------->|
|                  |                    |
|                  |                    |  Process request
|                  |                    |  using Claims
|                  |                    |
|  {data: [...]}   |                    |
|<======================================|
|                  |                    |
|                  |  CompleteToken(T)  |
|                  |<-------------------|
|                  |  BURNED            |
|                  |                    |
Request Lifecycle (Middleware)
KULLGAMES.API — Every Request Pipeline
=============================================

              Incoming Request
                      |
                      v
+-------------------------------------------+
| 1. CHECK HEADER                           |
|   Does request have X-Api-Token?          |
|                                           |
|   NO --> skip (public route or 401 later) |
|   YES --> continue                        |
+-------------------------------------------+
                      |
                      v
+-------------------------------------------+
| 2. VALIDATE WITH AUTH                     |
|   POST to Auth /api/Auth/ValidateToken    |
|   Send: { token: "..." }                  |
|                                           |
|   FAIL --> 401 Unauthorized, stop here    |
|   OK --> receive UserName, Claims         |
+-------------------------------------------+
                      |
                      v
+-------------------------------------------+
| 3. EXECUTE ENDPOINT                       |
|   ctx.Items["User"] = authResult          |
|   Run the actual route handler            |
+-------------------------------------------+
                      |
                      v
+-------------------------------------------+
| 4. BURN TOKEN                             |
|   If response was 2xx:                    |
|   POST to Auth /api/Auth/CompleteToken    |
|   Token can NEVER be reused               |
+-------------------------------------------+
                      |
                      v
             Response to caller
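The four pipeline steps above, sketched as middleware, assuming the service is ASP.NET Core (which the ctx.Items["User"] line suggests). This is an added example, not KullGames source: the TokenMiddleware name, the AuthResult shape and the named HttpClient "auth" (base address pointing at KullGames.Auth) are assumptions.

```csharp
// Added example, not KullGames source. TokenMiddleware, AuthResult and the
// "auth" named HttpClient are assumed names; routes and header are from the page.
using System.Net.Http.Json;
using Microsoft.AspNetCore.Http;

public record AuthResult(string UserName, string[] Claims);

public class TokenMiddleware
{
    private readonly RequestDelegate _next;
    private readonly IHttpClientFactory _clients;

    public TokenMiddleware(RequestDelegate next, IHttpClientFactory clients)
    {
        _next = next;
        _clients = clients;
    }

    public async Task InvokeAsync(HttpContext ctx)
    {
        // 1. CHECK HEADER: no token means a public route, or a 401 later.
        string token = ctx.Request.Headers["X-Api-Token"].ToString();
        if (string.IsNullOrEmpty(token)) { await _next(ctx); return; }

        // 2. VALIDATE WITH AUTH: fail closed on any error or non-2xx reply.
        HttpClient auth = _clients.CreateClient("auth");
        AuthResult? user = null;
        try
        {
            var reply = await auth.PostAsJsonAsync("/api/Auth/ValidateToken", new { token });
            if (reply.IsSuccessStatusCode)
                user = await reply.Content.ReadFromJsonAsync<AuthResult>();
        }
        catch (Exception) { /* Auth unreachable or malformed reply: user stays null */ }
        if (user is null) { ctx.Response.StatusCode = StatusCodes.Status401Unauthorized; return; }

        // 3. EXECUTE ENDPOINT: handlers read identity from Auth's answer,
        //    never from anything the caller supplied.
        ctx.Items["User"] = user;
        await _next(ctx);

        // 4. BURN TOKEN only after a 2xx response. EnsureSuccessStatusCode makes
        //    a failed burn throw, so it shows up in logs instead of passing silently.
        if (ctx.Response.StatusCode is >= 200 and < 300)
            (await auth.PostAsJsonAsync("/api/Auth/CompleteToken", new { token }))
                .EnsureSuccessStatusCode();
    }
}
```

Register it with app.UseMiddleware<TokenMiddleware>() ahead of the route handlers, and register the "auth" client with AddHttpClient so its BaseAddress is the Auth service.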
Trust Model
THINGS THIS SERVICE DOES:
+ Serves protected game data
+ Delegates ALL auth to KullGames.Auth
+ Burns tokens after successful use
+ Returns structured JSON responses

THINGS THIS SERVICE NEVER DOES:
- Never validates passwords
- Never issues cookies
- Never stores user data
- Never trusts the caller directly
- Never manages sessions
- Never touches the SQLite database

This service is stateless. Auth is the single source of truth.