Users and Groups

The core Flow models are those for users and the groups they belong to. The authentication and permissioning systems are both built on top of these, and they govern how anybody interacts with Flow.

Users

The user model represents a person who can sign in to Flow.

Authentication in Flow is done using JSON Web Tokens (JWTs) for access tokens and HTTP-only cookies for refresh tokens. Every request made as a particular user must carry an Authorization header set to an access token. These tokens are relatively short-lived and, when used in a request, provide access to the resources that user has access to.

To obtain an access token, a request is sent to a particular endpoint (/token in the REST API) which returns an access token, provided the request carries a refresh token in an HTTP-only cookie. Refresh tokens are long-lived and are in turn obtained by sending the user's username and password to a login endpoint. The login endpoint also returns an access token, so in practice, when interacting with the API directly, you may wish to deal solely in access tokens - the refresh token is used largely by the frontend to renew the access token automatically in the background.
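The exchange described above, as an added example that is not part of the Flow documentation or code base: a small client that keeps the refresh token in a cookie jar, sends the access token as a bearer Authorization header, and renews the access token via /token when a request comes back 401. Because the real API is not reachable offline, the client talks to a constructed in-process stand-in for the server. The login path (/login), the request and response JSON shapes, the cookie name (refresh_token) and the "Bearer" scheme are all assumptions, not facts from the page.

```python
"""Added example (not Flow's own code): access/refresh token flow against
an in-process fake server.  Assumptions: POST /login takes JSON
{username, password}; /login and /token return {"access_token": ...};
the refresh token is set as an HTTP-only cookie named "refresh_token";
the Authorization header uses the "Bearer" scheme."""
import secrets
import time


class FakeFlowServer:
    """Constructed stand-in for the Flow REST API, used only so the
    example runs offline.  Tokens are opaque random strings here."""
    ACCESS_TTL = 2        # seconds: short-lived, as the docs describe
    REFRESH_TTL = 3600    # seconds: long-lived

    def __init__(self, users):
        self.users = users    # {username: password} (constructed sample data)
        self.access = {}      # access token  -> (username, expiry)
        self.refresh = {}     # refresh token -> (username, expiry)

    def _issue(self, store, user, ttl):
        tok = secrets.token_urlsafe(16)
        store[tok] = (user, time.time() + ttl)
        return tok

    def _user_for(self, store, tok):
        entry = store.get(tok)
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]

    def handle(self, method, path, headers, cookies, body):
        """Return (status, json_body, set_cookie_dict) like an HTTP response."""
        if method == "POST" and path == "/login":
            user = body.get("username")
            if user is None or self.users.get(user) != body.get("password"):
                return 401, {"error": "bad credentials"}, {}
            access = self._issue(self.access, user, self.ACCESS_TTL)
            refresh = self._issue(self.refresh, user, self.REFRESH_TTL)
            # the refresh token travels only in the (HTTP-only) cookie
            return 200, {"access_token": access}, {"refresh_token": refresh}
        if method == "POST" and path == "/token":
            user = self._user_for(self.refresh, cookies.get("refresh_token"))
            if user is None:
                return 401, {"error": "refresh token missing or expired"}, {}
            return 200, {"access_token": self._issue(self.access, user, self.ACCESS_TTL)}, {}
        # any other path is treated as a protected resource
        auth = headers.get("Authorization", "")
        bearer = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        user = self._user_for(self.access, bearer)
        if user is None:
            return 401, {"error": "access token missing or expired"}, {}
        return 200, {"path": path, "as_user": user}, {}


class FlowClient:
    """Client side: holds the cookie jar (refresh token) and the current
    access token, and renews the latter in the background on 401."""

    def __init__(self, transport):
        self.transport = transport   # callable with FakeFlowServer.handle's signature
        self.cookies = {}            # browser-style jar; refresh cookie lives here
        self.access_token = None
        self.refreshes = 0           # how often /token had to be called

    def _call(self, method, path, body=None):
        headers = {}
        if self.access_token:
            headers["Authorization"] = "Bearer " + self.access_token
        status, data, set_cookie = self.transport(method, path, headers, self.cookies, body or {})
        self.cookies.update(set_cookie)   # persist any Set-Cookie from the server
        return status, data

    def login(self, username, password):
        status, data = self._call("POST", "/login", {"username": username, "password": password})
        if status != 200:
            raise PermissionError(data["error"])
        self.access_token = data["access_token"]

    def refresh_access_token(self):
        status, data = self._call("POST", "/token")   # relies on the refresh cookie only
        if status != 200:
            raise PermissionError(data["error"])
        self.access_token = data["access_token"]
        self.refreshes += 1

    def get(self, path):
        status, data = self._call("GET", path)
        if status == 401:
            # access token expired: renew once from the refresh cookie, then retry
            self.refresh_access_token()
            status, data = self._call("GET", path)
        if status != 200:
            raise PermissionError(data["error"])
        return data
```

To use the client against a real deployment you would replace the transport callable with one that performs HTTP requests and returns the same (status, body, cookies) triple; the renewal logic and the separation between the two tokens stay the same.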

Groups

A group is how users are organised, and it can represent anything you like - a lab, an organisation, a team, etc. A user can be in multiple groups at once, or in none.

A user's permission level within a group can be one of three values:

  • 1 - the user has been invited to the group, but not yet accepted or rejected. In practice this confers no access.
  • 2 - the user is a member of the group, and can access anything that the group can access.
  • 3 - the user is an admin of the group, and can invite/remove other users.

Some objects in Flow have owners; in every such case the owner is either a user or a group. When an object is owned by a group, every member of that group has full permissions on it.
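The permission levels and ownership rules above, as an added offline model (not Flow's own code or API): invitations at level 1 confer no access, members at level 2 and admins at level 3 get whatever the group can access, only admins may invite or remove users, and an object owned by a group is fully accessible to every member. Class and function names are assumptions chosen for the example.

```python
"""Added example (not Flow's own code): group permission levels and
owner semantics as described in the docs.  Names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, Union

INVITED, MEMBER, ADMIN = 1, 2, 3   # the three permission levels from the docs


@dataclass(frozen=True)
class User:
    name: str


@dataclass
class Group:
    name: str
    levels: Dict[User, int] = field(default_factory=dict)  # user -> 1, 2 or 3

    def level(self, user: User) -> int:
        return self.levels.get(user, 0)   # 0 = not in the group at all

    def is_member(self, user: User) -> bool:
        # an outstanding invitation (1) confers no access until accepted
        return self.level(user) >= MEMBER

    def is_admin(self, user: User) -> bool:
        return self.level(user) == ADMIN

    def invite(self, by: User, user: User) -> None:
        if not self.is_admin(by):
            raise PermissionError(f"{by.name} is not an admin of {self.name}")
        if user in self.levels:
            raise ValueError(f"{user.name} is already in {self.name}")
        self.levels[user] = INVITED

    def accept(self, user: User) -> None:
        if self.level(user) != INVITED:
            raise ValueError(f"{user.name} has no pending invitation to {self.name}")
        self.levels[user] = MEMBER

    def reject(self, user: User) -> None:
        if self.level(user) != INVITED:
            raise ValueError(f"{user.name} has no pending invitation to {self.name}")
        del self.levels[user]

    def remove(self, by: User, user: User) -> None:
        if not self.is_admin(by):
            raise PermissionError(f"{by.name} is not an admin of {self.name}")
        self.levels.pop(user, None)


@dataclass
class OwnedObject:
    name: str
    owner: Union[User, Group]   # owners are always a user or a group


def has_full_permissions(user: User, obj: OwnedObject) -> bool:
    """True when the user owns the object directly or is a member
    (level 2 or 3) of the owning group."""
    if isinstance(obj.owner, User):
        return user == obj.owner
    return obj.owner.is_member(user)


def accessible(user: User, objects) -> list:
    """Names of the objects the user has full permissions on."""
    return [o.name for o in objects if has_full_permissions(user, o)]
```

Note the edge case: an invited user shows up in the group's membership table but gets nothing until they accept, so any check must compare against level 2, not merely test for presence.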
