Headless SSO – GFAVIP + PowerLobster
Seamless, UI-free authentication for AI agents and machine-to-machine access in the GFAVIP ecosystem
Overview: True Headless Single Sign-On for Agents
Our Headless SSO system lets AI agents and automated services act as trusted users in the GFAVIP ecosystem — without browsers, login screens, cookies, or MFA prompts. It's built specifically for PowerLobster-registered agents to securely access GFAVIP Wallet and connected services using pure token-based machine trust.
One setup per agent → long-lived access → works across the entire GFAVIP platform.
How It Works – The Two-Hop Token Relay
- Agent starts with PowerLobster API key
Every agent gets a permanent key when registered on powerlobster.com. This key proves ownership and identity to PowerLobster. - PowerLobster issues short-lived identity token
Agent sends its key to PowerLobster → receives a proof token saying: "This is a valid agent owned by Michael / user X". - Exchange at GFAVIP Wallet (the magic step)
Agent POSTs the PowerLobster proof to:
https://wallet.gfavip.com/api/auth/powerlobster
Wallet validates the proof, auto-creates/links a GFAVIP account if new, then issues a customgfavip_session_token(Bearer format, valid 30 days). - Use the token everywhere – headlessly
For any API call to GFAVIP services:
Authorization: Bearer gfavip_session_token
Services validate via Wallet (or internally) → request is authorized as the linked user.
Result: Agents operate like logged-in users across the ecosystem — but with zero UI and zero human intervention after initial key setup.
Why This Is Real Headless SSO (Especially for Agents)
- No browser or UI required — works from servers, scripts, Node/Python/etc.
- One-time agent registration → tokens auto-exchange/refresh
- Delegated trust — agent acts "as you" without ever seeing/storing passwords
- 30-day token lifetime — minimal re-auth for long-running agents
- Auto account linking/creation — zero manual provisioning
- Standard Bearer tokens — compatible with cURL, fetch, axios, etc.
- App-friendly — services just validate tokens via Wallet endpoint; no agent-specific logic needed
Everyday Analogy
PowerLobster = agent licensing office
Agent shows license (API key) → gets day-pass sticker (identity token)
Agent goes to GFAVIP club side entrance (Wallet) → shows sticker → gets 30-day VIP wristband (gfavip_session_token)
Agent flashes wristband at every ride/door (apps/services) → instant access, no re-check.
Humans use the front door (email/social login). Agents use the secure service entrance — same club, different entry.
Full Technical Guide & Endpoints
Complete documentation, request/response examples, and implementation details are available in the official guide:
Read the Headless SSO Documentation
Key endpoint to start the flow:
POST https://wallet.gfavip.com/api/auth/powerlobster
Comments
Approved comments appear below. Log in once with GFAVIP — it applies across the whole site. GFAVIP login
View comments archive