# Authorization API Reference
Quick endpoint reference for all RBAC-related APIs. For detailed request/response examples, see the linked pages.
## Request Headers

| Header | Required | Description |
|---|---|---|
| Authorization | Protected routes | Bearer {token} from login |
| X-Tenant | Tenant-scoped routes | Tenant identifier string |
| Content-Type | POST/PATCH/PUT | application/json |
| Accept | Recommended | application/json |
## Authentication Endpoints

| Method | Path | Description | Auth |
|---|---|---|---|
| POST | /api/v1/tenants | Register a new tenant with owner account | No |
| POST | /api/v1/auth/login | Authenticate user (requires X-Tenant) | No |
| POST | /api/v1/auth/logout | Revoke current access token | Yes |
| GET | /api/v1/auth/me | Get current user profile and permissions | Yes |
| GET | /api/v1/auth/tenants | List all tenants the user belongs to | Yes |
| POST | /api/v1/auth/change-password | Update authenticated user's password | Yes |
## Team Management Endpoints

See Team Management for detailed usage, request bodies, and response examples.

| Method | Path | Description | Permission |
|---|---|---|---|
| GET | /api/v1/team | List team members | team.view |
| POST | /api/v1/team/invite | Invite a new team member | team.invite |
| GET | /api/v1/team/invitations | List pending invitations | team.invite |
| POST | /api/v1/team/invitations/{id}/resend | Resend an invitation email | team.invite |
| DELETE | /api/v1/team/invitations/{id} | Cancel a pending invitation | team.invite |
| PATCH | /api/v1/team/members/{id}/role | Update a member's role | team.manage_roles |
| POST | /api/v1/team/members/{id}/suspend | Suspend a member | team.remove |
| POST | /api/v1/team/members/{id}/reactivate | Reactivate a suspended member | team.edit |
| DELETE | /api/v1/team/members/{id} | Remove a member | team.remove |
| POST | /api/v1/invitations/accept | Accept an invitation (no auth required) | None |
## Role & Permission Endpoints

See Roles and Permissions for detailed usage and response examples.

| Method | Path | Description | Permission |
|---|---|---|---|
| GET | /api/v1/team/roles | List available roles | team.view |
| GET | /api/v1/team/roles/{id} | Get role details with permissions | team.view |
| GET | /api/v1/team/permissions | List all available permissions | team.manage_roles |
## Error Response Format
All errors return a JSON object with a message field. Additional fields vary by error type.
| Status | Meaning | Extra Fields |
|---|---|---|
| 401 | Unauthenticated (missing or invalid token) | -- |
| 403 | Forbidden (missing permission or suspended) | required_permission, status |
| 404 | Resource or tenant not found | -- |
| 422 | Validation failed | errors (field-level messages) |
Example validation error:

```json
{
  "message": "The given data was invalid",
  "errors": {
    "email": ["The email field is required."]
  }
}
```
## Rate Limiting
| Endpoint | Limit |
|---|---|
| Login | 5 requests/minute per IP |
| Register | 3 requests/minute per IP |
| All other endpoints | 60 requests/minute per user |
Rate limit headers included in every response:

```
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 59
X-RateLimit-Reset: 1704672000
```
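The following client-side helper, added here as an example and not part of this API's own code, ties together the Request Headers table, the error response format and the rate-limit headers above: it assembles headers per route type, maps 401/403/422 bodies to a structured record so callers can see the missing permission or field errors, and computes how long to back off from X-RateLimit-Reset. The sample responses are constructed, and it assumes X-RateLimit-Reset is a Unix timestamp in seconds.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample responses in the error format documented above.
SAMPLE_403 = (403, json.dumps({"message": "Forbidden",
                               "required_permission": "team.manage_roles",
                               "status": "active"}))
SAMPLE_422 = (422, json.dumps({"message": "The given data was invalid",
                               "errors": {"email": ["The email field is required."]}}))
SAMPLE_HEADERS = {"X-RateLimit-Limit": "60", "X-RateLimit-Remaining": "0",
                  "X-RateLimit-Reset": "1704672000"}


def build_headers(token=None, tenant=None, has_body=False):
    """Assemble request headers following the Request Headers table:
    Bearer token on protected routes, X-Tenant on tenant-scoped routes,
    Content-Type only when a JSON body is sent, Accept always."""
    headers = {"Accept": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    if tenant:
        headers["X-Tenant"] = tenant
    if has_body:
        headers["Content-Type"] = "application/json"
    return headers


@dataclass
class ApiError:
    status: int
    message: str
    required_permission: Optional[str] = None   # present on 403
    account_status: Optional[str] = None        # present on 403 (e.g. suspended)
    field_errors: dict = field(default_factory=dict)  # present on 422


def parse_error(status, body_text):
    """Return an ApiError for a 4xx/5xx response, or None for success."""
    if status < 400:
        return None
    body = json.loads(body_text) if body_text else {}
    return ApiError(status=status, message=body.get("message", ""),
                    required_permission=body.get("required_permission"),
                    account_status=body.get("status"),
                    field_errors=body.get("errors", {}))


def rate_limit_state(headers, now=None):
    """Return (remaining requests, seconds until the window resets)."""
    remaining = int(headers.get("X-RateLimit-Remaining", "0"))
    reset_at = int(headers.get("X-RateLimit-Reset", "0"))  # assumed Unix seconds
    now = time.time() if now is None else now
    return remaining, max(0, reset_at - int(now))
```

When `rate_limit_state` reports zero remaining, sleep for the returned number of seconds before retrying rather than hammering the login or register endpoints, which have the tightest per-IP limits.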