AeroCopilotHelp Center

API Library Overview

An overview of the third-party integrations AeroCopilot ships with — MyFlightbook logbook sync, Leidos FFSP flight services, and Google OAuth sign-in.

API Library Overview

AeroCopilot is built to live alongside the existing tools pilots already use, rather than replace them. The integration layer (apps/web/lib/integrations/) groups every third-party API client behind a small, audited surface so each connection can be reasoned about, rate-limited, and revoked independently.

This page is a map of what currently ships in that directory.

Integration categories

The library today contains three categories of integration. Each is intentionally narrow — AeroCopilot does not silently call APIs that are not listed here.

1. Logbook sync — MyFlightbook

The largest integration in the library. It connects a pilot's existing MyFlightbook account over OAuth2 and pulls flights, aircraft, currency, and totals into AeroCopilot.

Key files:

  • myflightbook.ts — OAuth2 client, JSON API caller, hardcoded read/write method whitelist, 500 ms request throttle.
  • myflightbook-sync.ts — orchestrator for syncFlights, syncAircraft, syncCurrency, syncTotals, and the combined fullSync.
  • myflightbook-compliance.types.ts — typed interfaces for the compliance-relevant fields.
  • crypto.ts — AES-256-GCM encrypt / decrypt helpers used to protect OAuth refresh tokens at rest.

The integration is read-only against the live MFB site by design: any attempt to invoke a write method (AddAircraftForUser, CommitFlightWithOptions, DeleteLogbookEntry, etc.) against myflightbook.com is blocked and throws. See MyFlightbook Logbook Sync for the full data mapping and OAuth flow.

2. Flight services — Leidos FFSP

leidos-service.ts is a pre-built REST client for the Leidos Flight Service (FFSP) API — the FAA's contracted provider for flight planning and weather briefings in the contiguous United States. The client supports:

  • File, retrieve, amend, activate, cancel, and close flight plans (/FP/file, /FP/{id}/retrieve, /FP/{id}/amend, /FP/{id}/activate, /FP/{id}/cancel, /FP/{id}/close).
  • Retrieve flight plan summaries for a user (/FP/{username}/retrieveFlightPlanSummaries).
  • Standard route briefings (/FP/routeBriefing) and area briefings (/FP/areaBriefing).
  • Route search (/util/routeSearch).

Authentication is HTTP Basic with a vendor email and password, and every request carries a 30-second timeout. The client gracefully returns { available: false } from every method when credentials are not yet configured, so the rest of the application stays operational while waiting for vendor onboarding. See Leidos FAA Briefing Service for details.

3. Authentication — Google OAuth

The third integration is the OAuth sign-in surface, exposed through the Better Auth layer rather than a hand-rolled client. The currently enabled provider list (NEXT_PUBLIC_AUTH_OAUTH_PROVIDERS) is Google only. See Signing In with Google for the user-facing flow and the data Google shares with AeroCopilot.

Cross-cutting concerns

Every integration in the library follows the same operational rules:

  • server-only — All clients begin with import 'server-only'; so credentials and tokens never reach the browser bundle.
  • Token encryption — Long-lived OAuth refresh tokens are encrypted with AES-256-GCM via crypto.ts before being written to the IntegrationToken table.
  • Rate limiting — Where the upstream provider asks for it (MFB asks for ~500 ms between calls), the client enforces it in code rather than trusting the caller.
  • Graceful degradation — Where credentials are optional (Leidos), the client returns a structured { available: false } instead of throwing, so the UI can render a "not configured" state instead of an error.
  • Method-level safety guards — Where the upstream API can mutate shared data (MFB aircraft are shared between pilots), the client enforces a hardcoded whitelist of allowed methods.

What is not in the library

To keep this page honest: the integrations directory currently contains only the three categories above. Anything else a pilot might expect — ForeFlight account sync, Garmin Pilot import, ADS-B receivers, weather radio links, Stripe webhooks — either lives in a different package or is not yet implemented.

  • MyFlightbook Logbook Sync
  • Leidos FAA Briefing Service
  • Signing In with Google