# Overview & Authentication

The ONEWEB platform exposes a set of APIs that enable applications to interact with core platform services such as **Page rendering**, **Dashboard configuration**, **Microflows**, and **data‑driven components**.

These APIs are designed to support both **Web** and **Mobile** applications built using **Page Designer**, allowing client applications to securely retrieve data, trigger logic, and render dynamic user interfaces at runtime.

At a high level, the ONEWEB API layer provides:

* Runtime access to **Pages and Dashboards**
* Integration with **Microflows** for business logic execution
* Support for **configuration‑driven dashboards** (Widget Dashboard)
* Data delivery for **UI components**, such as Charts, via Microflow outputs
* Secure communication between client applications and backend services

All API interactions are performed over **HTTP(S)** and are subject to authentication and authorization rules enforced by the ONEWEB runtime.

***

### API Usage Context

ONEWEB APIs are primarily consumed by:

* Page Designer–generated Web applications
* Mobile applications built and deployed via ONEWEB CI/CD
* Internal platform components (Microflows, Widgets, Extensions)

End users typically do not call APIs directly. Instead, APIs are invoked indirectly through:

* Page rendering
* Component data binding
* Microflow execution
* Dashboard runtime resolution

As a result, authentication handling is tightly integrated into the platform runtime.

***

## Authentication

Authentication in ONEWEB APIs ensures that every request is executed in the context of a **valid user session** and adheres to the platform’s security model.

The authentication mechanism is **session‑based** and is managed centrally by the ONEWEB runtime.

***

### Session‑Based Authentication

ONEWEB APIs rely on an **authenticated session** established when a user logs in to the platform.

Once authenticated:

* A session is created on the server
* Subsequent API requests are automatically associated with that session
* Authorization is evaluated based on the authenticated user context

Clients are not required to manually include credentials such as usernames or passwords in each API request.

***

### Authentication Flow (High‑Level)

1. The user authenticates through the ONEWEB login mechanism.
2. A server‑side session is established.
3. API calls are executed within the scope of that session.
4. Access control is enforced based on user permissions.

This model applies consistently across:

* Page rendering APIs
* Dashboard runtime APIs
* Microflow execution
* Data access through configured components

***

### Authorization and Access Control

Authorization is evaluated based on:

* Authenticated user identity
* Roles and permissions assigned to the user
* Application‑level access rules
* Page and component visibility rules

If a request is made without a valid session or sufficient permissions, the API request is rejected by the runtime.
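The flow and the authorization inputs listed above, modelled as an added example (this is not ONEWEB's own code; the session store, rule tables, request shape and status strings are constructed for illustration). It shows the evaluation order the text describes, that only the server-side session decides who the caller is, and that a page with no visibility rule is denied by default.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset

# Constructed sample data standing in for the runtime's server-side state.
SESSIONS = {                       # session id -> authenticated user context
    "sid-1": Session("alice", frozenset({"viewer"})),
    "sid-2": Session("bob", frozenset({"admin", "viewer"})),
}
APP_RULES = {                      # application -> roles allowed to use it
    "sales": {"viewer", "admin"},
    "finance": {"admin"},
}
PAGE_RULES = {                     # (application, page) -> roles allowed to view it
    ("sales", "Orders"): {"viewer", "admin"},
    ("sales", "Payroll"): {"admin"},
    ("finance", "Ledger"): {"admin"},
}

def authorize(request: dict) -> tuple[bool, str]:
    """Decide whether a request may proceed.

    Order of checks mirrors the documented flow: valid session first, then the
    user's roles against the application-level rule, then against the page
    visibility rule. The request body may carry anything the client asserts
    about itself (e.g. a 'claimed_role' field); it is deliberately never read,
    because client-side input must not be treated as secure.
    """
    session = SESSIONS.get(request.get("cookie", {}).get("session_id"))
    if session is None:
        return False, "401 no valid session"
    app, page = request["app"], request["page"]
    # Missing rule entries yield an empty set, so unconfigured targets are denied.
    if not session.roles & APP_RULES.get(app, set()):
        return False, f"403 {session.user} may not access application {app}"
    if not session.roles & PAGE_RULES.get((app, page), set()):
        return False, f"403 {session.user} may not view page {page}"
    return True, f"200 {session.user} ok"
```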

***

### Security Considerations

* API endpoints assume a **trusted runtime environment**
* Client‑side code (HTML and JavaScript) must never be treated as secure
* Sensitive validation and authorization logic must always be enforced server‑side
* External access must occur over **HTTPS**
* When integrating external content, platform security best practices (such as InAppBrowser usage) should be followed

These security principles apply uniformly to:

* Web applications
* Mobile applications
* Dashboard and Microflow APIs

***

### Summary

* ONEWEB APIs provide backend access for **Pages, Dashboards, and Microflows**
* API calls operate within an authenticated **user session**
* Authentication is **session‑based**, not token‑based
* Authorization is enforced by the platform runtime
* APIs are designed to be consumed **implicitly** by Page Designer components rather than called directly by end users

This authentication model ensures secure, consistent access across all ONEWEB applications while minimizing client‑side complexity.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.onewebstack.com/api-reference/overview-and-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
