Your plan
Your plan in uwwoe is anonymous. No account, no email, no password, no student number. This page explains how that actually works and what your options are.
The token
The first time you create a plan, the backend issues you a state token:
- ≥256 bits of randomness, base64url-encoded with no padding.
- Returned exactly once in the response body of POST /api/v1/state.
- Transmitted on every subsequent request in the Authorization: Bearer <token> header. Never in URLs.
- Never logged. The verifier stored server-side is an HMAC of the token under a rotatable key, not the token itself.
If you lose the token, your plan is gone — there is no recovery flow, because there is no identity to recover against. This is the privacy trade-off.
Spec: Anonymous state token policy (ADR 0011), Student state schema.
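The token and verifier scheme described above, as an added example (not uwwoe's own backend code). HMAC-SHA256, the key ids k1 and k2, the in-memory rows list and the re-key-on-use rotation step are assumptions made for illustration.

```python
import base64, hashlib, hmac, re, secrets
from typing import Optional

# Constructed demo keys (assumption); real keys would come from a secret store.
KEYS = {"k1": b"old-demo-key-not-for-production", "k2": b"new-demo-key-not-for-production"}
ACTIVE = "k2"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{43,}")  # base64url, no padding, >= 256 bits

def issue_token() -> str:
    """32 random bytes (256 bits), base64url-encoded with padding stripped."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def verifier(token: str, key_id: str) -> bytes:
    """HMAC of the token (SHA-256 assumed); this is stored, the token is not."""
    return hmac.new(KEYS[key_id], token.encode(), hashlib.sha256).digest()

def create_state(rows: list, key_id: str = ACTIVE) -> str:
    """Models POST /api/v1/state: store a verifier row, return the token once."""
    token = issue_token()
    rows.append({"key_id": key_id, "mac": verifier(token, key_id), "plan": len(rows) + 1})
    return token

def authenticate(authorization: Optional[str], rows: list) -> Optional[int]:
    """Return the plan id for a valid Bearer header, else None (caller sends 401)."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or not TOKEN_RE.fullmatch(token):
        return None
    macs = {kid: verifier(token, kid) for kid in KEYS}
    # Linear scan keeps the demo short; a database would index on the verifier.
    for row in rows:
        if hmac.compare_digest(row["mac"], macs[row["key_id"]]):
            if row["key_id"] != ACTIVE:
                # Re-key on use: only possible while the client presents the token,
                # because the server cannot recompute an HMAC it has no input for.
                row["key_id"], row["mac"] = ACTIVE, macs[ACTIVE]
            return row["plan"]
    return None
```

Because the server never holds the token, a verifier made under a retired key can only be upgraded when its owner next authenticates, so in this scheme old keys stay available until those rows have been re-keyed.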
What the backend stores
For each plan, the database holds:
- An HMAC verifier (not the token itself; you can’t reverse it).
- The academic state: terms, course entries, statuses, grades, notes.
- The catalog version the plan was created against (catalog_version_id).
- A state version counter for optimistic concurrency.
The backend does not hold:
- Your name, email, student number.
- An audit log of state contents (per ADR 0019).
- The token itself.
Export
GET /api/v1/state/current/export returns a portable JSON copy of your
state. The response carries Cache-Control: no-store and does not write
any new state-event row.
You can save the export, archive it, hand it to a study partner. If you later lose your token, you can re-import the export into a fresh state.
Replace
PUT /api/v1/state/current (with the request body containing a full
state document) replaces your current state. Useful when restoring from
an export. Optimistic concurrency applies: include the current
expected_state_version in the body, or accept a 409 Conflict if the
server has moved on.
Delete
DELETE /api/v1/state/current with explicit confirmation in the body is
a hard delete. After it succeeds:
- The state row is removed.
- The same token, replayed, returns 401 unauthorized, indistinguishable from any other unknown token.
- A minimal tombstone is recorded (no academic state contents) so re-creation under the same token is impossible.
There is no soft-delete, no 30-day grace period, no admin restore path. The privacy posture is “deleted means deleted”.
Migration when the catalog changes
Every plan is pinned to a catalog_version_id. When uwwoe deploys an
updated index, your existing plan is not auto-migrated. Instead:
- The backend exposes POST /api/v1/state/current/migration-preview. Submit a target catalog_version_id; the response shows what would change if your plan were migrated: added requirements, removed courses, renamed entries.
- You decide whether to accept. Migration is advisory and explicit per ADR 0004.
What never leaks
| Surface | Carries state_token? |
|---|---|
| URLs | Never |
| Server access logs | Never |
| Telemetry / metrics | Never |
| Atlas worker payloads | Never |
| Shareable view URLs | Never |
| Test artifacts and CI logs | Never |
This is checked by the Global Gate “Raw state_token never appears in URLs, logs, telemetry, worker payloads, or test artifacts”; every phase must pass it.
What you can share
You can safely share:
- A URL that reconstructs the public view of the Canva (view mode, selected node, target credential).
- An export of your state (you decide whether to redact grades and notes before sharing).
You must not share your raw token. Anyone with the token can read, modify, or delete your plan.