Bytes

Authority

Service IDs:

Repos:

Hosts:

Dependencies: topolo-auth, applications-packages

Depends on Topolo Auth: yes

Contract Source

Type: curated

Source: PlatformApplications/TopoloDocs/src/content/public/applications/bytes.mdx

Source exists: no

Canonical Bytes coverage now lives in the docs application, the browser launcher lane now reads Auth-owned catalog data through same-origin /api/auth/* on the Bytes host, the browser callback delegates one-time `sso_code` exchange to the shared Auth client without exposing a legacy `/sso?token=` route or app-local `/sso/exchange` parser, accepts a compact exchanged-token payload, and SPA-navigates after auth update events so the memory-only token survives protected-route hydration. First-party embedded password login also completes through Bytes-owned router navigation after shared Auth token persistence. Closed lazy panels and modals are deferred until opened so `/browse` startup is not held behind hidden Suspense loaders. The worker now requires Topolo Auth validation for all operator bearer tokens with no Bytes-local JWT secret path. Bytes keeps app identity in the repo-level app-identity module and resolves the concrete Auth service id from the canonical topolo-bytes slug at runtime for browser headers, worker permission checks, API-key management, notification emission, and widget responses. Bytes exposes `GET /api/widget` with the shared `@topolo/sdk` widget response contract for TopoloOne live workspace.

API key scopes in Auth catalog: 12

Auth Requirements

No global OpenAPI security scheme is declared.

• api_keys.write
• files.delete
• files.read
• files.write
• folders.read
• folders.write
• media.read
• media.write
• pipelines.invoke
• sharing.read
• sharing.write
• storage.read

Runtime and Deployment

Wrangler surfaces: none detected

Environment variables: none derived

Routes: workers.dev or Pages-only delivery

Observability enabled: no explicit signal found