Authentication
Different Overlord surfaces use different credentials, but the goal is always the same: keep access scoped and auditable.
Web app login
The web app uses a normal Supabase Auth session for signed-in users.
Agent tokens
Desktop and CLI workflows use agent tokens that are scoped to a user and organization.
These tokens are sensitive and should be treated as secrets.
MCP access
Cloud or hosted agents can use OAuth-based access through the MCP server, and legacy flows can still use agent tokens when needed.
Local protocol routes
Local Electron-hosted protocol routes can rely on an additional local secret when configured.