# In the console at Settings -> Developers -> Apps -> {your-app},
# add each scope and a justification (>= 40 chars).

required_scopes:
  - public.pilots:read    # justification: read pilot directory for analytics dashboard
  - public.flights:read   # justification: list approved flights for monthly export job
  - public.events:read    # justification: subscribe to event log for webhook-replay UX

curl https://api.gaflight.io/api/v1/public/pilots \
  -H "Authorization: Bearer gaf_pk_<your-token>" \
  -H "X-Org-Id: <your-organization-uuid>"

// Node 18+ (global fetch). No SDK required.
const res = await fetch(
  "https://api.gaflight.io/api/v1/public/pilots",
  {
    headers: {
      Authorization: `Bearer ${process.env.GAFLIGHT_API_KEY}`,
      "X-Org-Id": process.env.GAFLIGHT_ORG_ID,
    },
  },
);
const body = await res.json();
console.log(body.data.length, "pilots");

import os, requests

resp = requests.get(
    "https://api.gaflight.io/api/v1/public/pilots",
    headers={
        "Authorization": f"Bearer {os.environ['GAFLIGHT_API_KEY']}",
        "X-Org-Id": os.environ["GAFLIGHT_ORG_ID"],
    },
    timeout=10,
)
resp.raise_for_status()
print(len(resp.json()["data"]), "pilots")

# Webhook endpoints are created from the consumer console at
# Settings -> Integrations -> Webhooks. The signing secret is shown
# plaintext-once when the endpoint is created.

# Endpoint:    https://your-app.example.com/webhooks/gaflight
# Event types: flight.approved, flight.submitted, webhook.test
# Active:      true

// Node 18+. Verify HMAC before processing.
const crypto = require("crypto");

function verify(rawBody, headerSig, secret) {
  const expected =
    "sha256=" + crypto.createHmac("sha256", secret)
                      .update(rawBody)
                      .digest("hex");
  return crypto.timingSafeEqual(
    Buffer.from(expected),
    Buffer.from(headerSig),
  );
}

// In your Express handler — keep the raw body around.
app.post("/webhooks/gaflight",
  express.raw({ type: "application/json" }),
  (req, res) => {
    const sig = req.header("X-GA-Webhook-Signature");
    if (!sig || !verify(req.body, sig, process.env.WEBHOOK_SECRET)) {
      return res.status(401).end();
    }
    const event = JSON.parse(req.body.toString("utf8"));
    // ... your handler
    res.status(204).end();
  });

# Python 3.10+. Verify HMAC before processing.
import hmac, hashlib

def verify(raw_body: bytes, header_sig: str, secret: str) -> bool:
    expected = "sha256=" + hmac.new(
        secret.encode("utf-8"),
        raw_body,
        hashlib.sha256,
    ).hexdigest()
    return hmac.compare_digest(expected, header_sig)