Auth API
Azure AD SSO login, token refresh, and current user.
GET /v1/auth/login
Redirects the browser to the Azure AD login page. No authentication required.
Query parameters:
redirect(optional) — URL to redirect to after successful login
GET /v1/auth/callback
OAuth 2.0 callback endpoint. Handles the authorization code, creates/updates the user, issues a JWT.
Returns a redirect to the dashboard (or redirect param from /login) with the access token in a cookie.
POST /v1/auth/refresh
Exchange a still-valid JWT for a new 15-minute JWT after re-checking the user's current user and tenant state.
Request:
{ "token": "<existing JWT>" }Response:
{ "token": "<new JWT — valid for 900s>" }The refreshed token preserves the roles claims from the input JWT. It does not recalculate
role assignments from the database, so RBAC changes take effect on the next full sign-in.
Returns 401 { "error": "invalid token" } when the input JWT fails to verify. Returns the
auth-state error body (403 tenant_not_provisioned, etc.) when the user can no longer
resolve to a provisioned tenant.
GET /v1/auth/status
Returns the current browser-auth configuration.
Response:
{
"auth": {
"allowAnonymous": false,
"entraConfigured": true
}
}The web login page uses this response to choose between Microsoft sign-in, local demo mode, or setup guidance.
GET /v1/auth/me
Returns the current authenticated user. Requires Authorization: Bearer <token>.
Response:
{
"user": {
"id": "uuid",
"handle": "alice",
"email": "alice@acme.com",
"displayName": "Alice Smith",
"tenantId": "uuid"
},
"roles": ["admin"]
}Returns 401 on missing / invalid tokens, 404 user not found if the user has been
deleted, or the auth-state error body (e.g. 403 tenant_not_provisioned) when the user is
no longer mapped to a provisioned tenant.