Auth bypass deep links help Revyl start a test from a meaningful authenticated state without scripting every login screen.
The recommended pattern is:
- Launch variables gate the bypass when the app starts.
- A deep link performs one action: create the test session and route to the screen under test.
Only enable this in simulator, staging, debug, or explicit test builds. Do not ship a permanent auth bypass in production.
Example Contract
Use a route like:
myapp://revyl-auth?token=<short-lived-token>&role=buyer&redirect=%2Fcheckout
REVYL_AUTH_BYPASS_ENABLED=true turns on the test-only handler.REVYL_AUTH_BYPASS_TOKEN=<token> gives the app or test backend the expected short-lived token.redirect is an allowlisted app route, such as /checkout or /account.
In production-grade test builds, the app should exchange or verify the token with your staging backend. The Bug Bazaar fixture uses a demo token so the flow is easy to inspect.
Create Launch Variables
Create reusable org launch variables once:
revyl global launch-var create REVYL_AUTH_BYPASS_ENABLED=true
revyl global launch-var create REVYL_AUTH_BYPASS_TOKEN=revyl-demo-token
revyl device start \
--platform ios \
--launch-var REVYL_AUTH_BYPASS_ENABLED \
--launch-var REVYL_AUTH_BYPASS_TOKEN
revyl device navigate \
--url "myapp://revyl-auth?token=revyl-demo-token&role=buyer&redirect=%2Fcheckout"
YAML Test
For a named test, attach launch variables with env_vars and keep the token value in a test variable or global variable:
test:
metadata:
name: "Auth bypass to checkout"
platform: ios
build:
name: "Shopping App"
env_vars:
- REVYL_AUTH_BYPASS_ENABLED
- REVYL_AUTH_BYPASS_TOKEN
variables:
auth_bypass_token: revyl-demo-token
blocks:
- type: manual
step_type: navigate
step_description: "myapp://revyl-auth?token={{auth_bypass_token}}&role=buyer&redirect=%2Fcheckout"
- type: validation
step_description: "The checkout screen is visible and the user is signed in"
step_description: "myapp://revyl-auth?token={{global.auth-bypass-token}}&redirect=%2Fcheckout"
App Handler Shape
Inside your app:
- Read launch config at startup (
REVYL_AUTH_BYPASS_ENABLED, REVYL_AUTH_BYPASS_TOKEN, or equivalent launch arguments).
- Register a deep link handler for
myapp://revyl-auth.
- Reject the link unless the bypass is enabled and the token verifies.
- Create a test-only session for an allowlisted user or role.
- Route only to allowlisted in-app destinations.
For React Native or Expo Router, the handler usually lives near the root layout:
import * as Linking from "expo-linking";
import { router } from "expo-router";
const allowedRedirects = new Set(["/account", "/checkout", "/cart"]);
function handleAuthBypass(url: string, expectedToken: string) {
const parsed = new URL(url);
if (parsed.protocol !== "myapp:" || parsed.hostname !== "revyl-auth") return;
const token = parsed.searchParams.get("token");
const redirect = parsed.searchParams.get("redirect") || "/account";
if (token !== expectedToken || !allowedRedirects.has(redirect)) return;
// Create a test-only session here, then route.
router.replace(redirect);
}
Linking.addEventListener("url", event => {
handleAuthBypass(event.url, expectedTokenFromLaunchConfig);
});
ProcessInfo.processInfo.arguments; Revyl passes Android launch variables as am start --es string extras, so Android apps can read them from the launch Intent. For React Native or Expo apps, expose those native values through your own small native module if JavaScript needs to verify them directly. The important contract is the same: launch configuration enables the handler, and the deep link selects the destination.
Bug Bazaar Sample
This repo includes the pattern in internal-apps/bug-bazaar:
revyl device navigate \
--url "bug-bazaar://revyl-auth?token=revyl-demo-token&role=collector&redirect=%2Fcheckout"
REVYL_AUTH_BYPASS_TOKEN into their own native code or staging backend verification. 
