Lolo API Auth


Authenticate an HTTP request.

Many API request may only be performed by authorized users. This function will often be placed between a HTTP trigger and request processing like below:


Events received on the in port are attempted to be authenticated. If the event can be authenticated it is routed to out.

Input/Output Format


The received event is exepected to be an object with a headers property. That in turn is expected to be an object with the the properties lolo-api-key or authorization. These properties are either a LoLo API key (which you can generate in your admin panel) or a JWT token (which you get by logging in) respectively. These are used to authenticate the user.

The headers property may also have a lolo-account-id property which, if present, should be a string with a LoLo account ID. This is used to allow the user to access other accounts than their own which they are a member of.


If the event can be authenticated, then a session property is set on the event. The session property holds an object with the following properties:

  • primaryAccountId,
  • email,
  • accountId, and
  • role.

All properties are strings.

primaryAccountId is the ID of the account the client authenticated as.
accountId is the ID of the account the client is accessing.
email is primary accounts email.
role is a string corresponding to the role the user has. (Either 'read' or 'write'.)


This function does not listen for, nor emits any events.


If there is a query property present on the event which has a lolo-api-key property, then the lolo-api-key property may be omitted from the headers object. The same applies to authorization.