Auth API
Auto-generated from openapi-snapshot.json. Do not edit by hand — changes are overwritten by scripts/docs/generate_api_reference.py.
12 endpoints in this group.
GET /api/auth/api-key
Get Api Key
Return the current user’s API key metadata. Auto-creates the key if absent.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
POST /api/auth/api-key/rotate
Rotate Api Key
Rotate (regenerate) the current user’s API key.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
POST /api/auth/logout
Logout
Clear the auth cookie and revoke the current access-token session.
Best-effort by design: the cookie clear path MUST run even when the presented token is stale or invalid, because the Google-SSO logout loop only manifests for such tokens (a valid token wouldn’t be stuck). Therefore we read and decode the cookie inline instead of requiring Depends(get_current_user) — that dependency raises 401 before any clear-cookie statement gets a chance to run.
Request body: application/json
Responses
| Code | Description |
|---|---|
| 204 | Successful Response |
| 422 | Validation Error |
GET /api/auth/me
Me
Return the currently authenticated user’s profile.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
GET /api/auth/me/entitlements
Me Entitlements
Return the current user’s effective access envelope.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
POST /api/auth/reactivate/confirm
Reactivate Confirm
Request body: application/json
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
| 422 | Validation Error |
POST /api/auth/reactivate/request
Reactivate Request
Request body: application/json
Responses
| Code | Description |
|---|---|
| 204 | Successful Response |
| 422 | Validation Error |
POST /api/auth/refresh
Refresh Token Endpoint
Rotate refresh token and issue a new access+refresh pair.
On first use of a valid token: marks the old token as used and inserts the new token in the same family. On reuse of an already-used token: revokes the entire family and returns 401. With the feature flag REFRESH_ROTATION_ENABLED=False: issues a new access token and returns the same refresh token.
Request body: application/json
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
| 422 | Validation Error |
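The rotation and reuse-detection rules above, as an added illustration that is not the project's own code; the in-memory store, the `RefreshStore`/`refresh` names and the opaque token format are assumptions.

```python
# Added example of refresh-token family rotation with reuse detection.
# Not the project's code: store, names and token format are assumptions.
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

REFRESH_ROTATION_ENABLED = True  # stands in for the documented feature flag

@dataclass
class RefreshToken:
    value: str
    family: str       # all tokens descended from one login share a family id
    used: bool = False

@dataclass
class RefreshStore:
    """In-memory stand-in for the table that persists refresh tokens."""
    tokens: Dict[str, RefreshToken] = field(default_factory=dict)
    revoked_families: Set[str] = field(default_factory=set)

    def issue(self, family: Optional[str] = None) -> RefreshToken:
        tok = RefreshToken(secrets.token_urlsafe(32), family or secrets.token_hex(8))
        self.tokens[tok.value] = tok
        return tok

class Unauthorized(Exception):
    """Stands in for an HTTP 401 response."""

def refresh(store: RefreshStore, presented: str,
            rotation_enabled: bool = REFRESH_ROTATION_ENABLED) -> Tuple[str, str]:
    """Return (access_token, refresh_token) following the documented rules."""
    tok = store.tokens.get(presented)
    if tok is None or tok.family in store.revoked_families:
        raise Unauthorized("unknown or revoked refresh token")  # assumed: also 401
    if tok.used:
        # A token that was already rotated is being replayed, either by the
        # legitimate client or by whoever copied it. Since we cannot tell which,
        # revoke the whole family so neither side keeps access.
        store.revoked_families.add(tok.family)
        raise Unauthorized("refresh token reuse detected; family revoked")
    access = secrets.token_urlsafe(32)  # placeholder for a real signed access token
    if not rotation_enabled:
        return access, tok.value        # flag off: same refresh token comes back
    tok.used = True                     # first use: retire the old token ...
    new_tok = store.issue(tok.family)   # ... and chain the new one into its family
    return access, new_tok.value
```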
POST /api/auth/register
Register
Create a new public user account in an isolated Free tenant.
Request body: application/json
Responses
| Code | Description |
|---|---|
| 201 | Successful Response |
| 422 | Validation Error |
POST /api/auth/token
Login
OAuth2 password flow — sets an httpOnly bp_token cookie and also returns the token in the body for backwards compatibility.
If the user has any verified MFA method, returns an mfa-pending token instead of a full access token. The frontend must then call POST /api/auth/mfa/challenge with the code.
Request body: application/x-www-form-urlencoded
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
| 422 | Validation Error |
POST /api/auth/verify-phone/confirm
Verify Phone Confirm
Request body: application/json
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
| 422 | Validation Error |
POST /api/auth/verify-phone/request
Verify Phone Request
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |