Headless SSO – GFAVIP + PowerLobster

Seamless, UI-free authentication for AI agents and machine-to-machine access in the GFAVIP ecosystem

Overview: True Headless Single Sign-On for Agents

Our Headless SSO system lets AI agents and automated services act as trusted users in the GFAVIP ecosystem — without browsers, login screens, cookies, or MFA prompts. It's built specifically for PowerLobster-registered agents to securely access GFAVIP Wallet and connected services using pure token-based machine trust.

One setup per agent → long-lived access → works across the entire GFAVIP platform.

How It Works – The Two-Hop Token Relay

  1. Agent starts with PowerLobster API key
    Every agent gets a permanent key when registered on powerlobster.com. This key proves ownership and identity to PowerLobster.
  2. PowerLobster issues short-lived identity token
    Agent sends its key to PowerLobster → receives a proof token saying: "This is a valid agent owned by Michael / user X".
  3. Exchange at GFAVIP Wallet (the magic step)
    Agent POSTs the PowerLobster proof to:
    https://wallet.gfavip.com/api/auth/powerlobster
    Wallet validates the proof, auto-creates/links a GFAVIP account if new, then issues a custom gfavip_session_token (Bearer format, valid 30 days).
  4. Use the token everywhere – headlessly
    For any API call to GFAVIP services:
    Authorization: Bearer gfavip_session_token
    Services validate via Wallet (or internally) → request is authorized as the linked user.

Result: Agents operate like logged-in users across the ecosystem — but with zero UI and zero human intervention after initial key setup.

Why This Is Real Headless SSO (Especially for Agents)

  • No browser or UI required — works from servers, scripts, Node/Python/etc.
  • One-time agent registration → tokens auto-exchange/refresh
  • Delegated trust — agent acts "as you" without ever seeing/storing passwords
  • 30-day token lifetime — minimal re-auth for long-running agents
  • Auto account linking/creation — zero manual provisioning
  • Standard Bearer tokens — compatible with cURL, fetch, axios, etc.
  • App-friendly — services just validate tokens via Wallet endpoint; no agent-specific logic needed

Everyday Analogy

PowerLobster = agent licensing office
Agent shows license (API key) → gets day-pass sticker (identity token)
Agent goes to GFAVIP club side entrance (Wallet) → shows sticker → gets 30-day VIP wristband (gfavip_session_token)
Agent flashes wristband at every ride/door (apps/services) → instant access, no re-check.

Humans use the front door (email/social login). Agents use the secure service entrance — same club, different entry.

Full Technical Guide & Endpoints

Complete documentation, request/response examples, and implementation details are available in the official guide:

Read the Headless SSO Documentation

Key endpoint to start the flow:
POST https://wallet.gfavip.com/api/auth/powerlobster

Comments

Approved comments appear below. Log in once with GFAVIP — it applies across the whole site. GFAVIP login

View comments archive