Skip to content
StraventaDocs
API Reference

Auth Service API

IAM authentication, OIDC, sessions, MFA, RBAC, and admin endpoints

The Auth Service is the IAM core for the entire 505pay platform. Every other service (POS, Payments, Recon) verifies callers against the JWTs it issues. It is also a fully spec-compliant OpenID Connect provider, so external applications can federate against 505pay via standard OAuth 2.0 / OIDC flows.

Base URLs

EnvironmentHostname
Sandboxhttps://sandbox.505pay.link
Productionhttps://api.505pay.link

Auth-service routes (/token, /authorize, /userinfo, /revoke, /logout, /.well-known/*, /v1/check, /v1/introspect, /v1/admin/*) are served from the aggregating host. For k8s-internal traffic the service is also reachable in-cluster via its k8s service DNS (auth-service.<ns>.svc), but merchants and SDKs should always use the aggregating host so the same code works across environments.

OIDC discovery lives at /.well-known/openid-configuration — most OIDC client libraries can auto-configure from that URL alone.

Authentication model

Every request to a 505pay service is authorized by a Bearer JWT issued by this service. Tokens carry three claims that downstream services act on:

  • sub — the user, service-account, or partner identity.
  • tenant_id — the tenant the caller is acting within (multi-tenant isolation).
  • roles[] — a flat list of {role, permission, scope} entries; the SDK's Require(permission, scope) helper walks this list in O(n) without hitting the network.

Token verification allows ±60s clock skew. Refresh-token families are tracked server-side; reuse of a rotated refresh token triggers immediate family revocation. Access-token permissions are embedded in the JWT and verified locally by the SDK — server-side role/tenant changes take effect at the next token refresh (default TTL: 15 minutes).

How to integrate

Used by the auth-console SPA. Returns a short-lived access token plus a refresh token bound to the browser session family.

curl -X POST https://sandbox.505pay.link/v1/auth/password \
  -H "Content-Type: application/json" \
  -d '{
    "tenant_slug": "acme",
    "email": "[email protected]",
    "password": "..."
  }'

Standard OAuth 2.0 client-credentials grant. Register a confidential client via the admin API, store its secret in your secrets manager, and exchange for an access token at /token.

curl -X POST https://sandbox.505pay.link/token \
  -u "$CLIENT_ID:$CLIENT_SECRET" \
  -d "grant_type=client_credentials&scope=payments.read"

Long-running services authenticate with a signed JWT (grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer). Service accounts are tied to a tenant and rotated via rotateServiceAccountKey.

Conventions

  • Error envelope: { "error": "<code>", "message": "...", "request_id": "..." } for every non-2xx response except /token, which follows RFC 6749 §5.2.
  • Request IDs: all responses include X-Request-ID; surface it in client errors so support can trace any single request end-to-end.
  • Pagination: list endpoints accept ?page=&limit=&search= and return the shared envelope ({<resource>[], total, page, limit, total_pages}). See the Pagination guide.
  • CSRF: cookie-authenticated routes require a double-submit token. Bearer callers are exempt.

Production safety

The /v1/auth/signup endpoint is gated by SIGNUP_ENABLED and rate-limited (3/IP/h + 5/email/d). Keep it disabled for production tenants and onboard through the admin invitation flow instead.


Endpoint reference

OIDC / OAuth2

Standard OpenID Connect and OAuth 2.0 endpoints used by SPAs, CLIs, and server-to-server clients.

Auth

Password-based login, token refresh, signup, and password reset for tenant users.

User profile & sessions

Current-user identity, active sessions, and the fallback authorization probe.

MFA (TOTP)

Enroll and verify time-based one-time passwords for multi-factor authentication.

Users, roles & groups

Tenant-scoped user management, role assignments, and group membership.

GET/v1/admin/groups

List groups

GET/v1/admin/groups/{groupId}/members

List group members

GET/v1/admin/permissions

List registered permissions

GET/v1/admin/roles

List roles

GET/v1/admin/users

List users in the caller's tenant

GET/v1/admin/users/{userId}

Fetch a user

GET/v1/admin/users/{userId}/memberships

List the user's memberships with role assignments

POST/v1/admin/groups

Create a group

POST/v1/admin/groups/{groupId}/members

Add a user to a group

POST/v1/admin/roles

Create a role

POST/v1/admin/users

Create a user in the caller's tenant

POST/v1/admin/users/{userId}/roles

Assign a role to a user (in the caller's tenant)

POST/v1/admin/users/{userId}/suspend

Suspend a user

PATCH/v1/admin/groups/{groupId}

Update a group

PATCH/v1/admin/roles/{roleId}

Update a role

PATCH/v1/admin/users/{userId}

Update a user

DELETE/v1/admin/groups/{groupId}

Delete a group

DELETE/v1/admin/groups/{groupId}/members/{userId}

Remove a user from a group

DELETE/v1/admin/roles/{roleId}

Delete a role

DELETE/v1/admin/users/{userId}

Soft-delete a user

DELETE/v1/admin/users/{userId}/roles/{roleId}

Remove a role from a user

Team management

Merchant-level team management — invite, suspend, reactivate, and assign roles to team members.

OIDC clients & service accounts

Confidential OIDC clients and machine-to-machine service accounts.

GET/v1/admin/oidc-clients

List OIDC clients

GET/v1/admin/oidc-clients/{clientID}

Fetch an OIDC client

GET/v1/admin/service-accounts

List service accounts

GET/v1/admin/service-accounts/{id}

Fetch a service account

GET/v1/admin/snap-partners

List SNAP partners for a merchant

GET/v1/admin/snap-partners/{partnerID}

Get a single SNAP partner by ID

POST/v1/admin/oidc-clients

Register an OIDC client

POST/v1/admin/oidc-clients/{clientID}/rotate-secret

Rotate the OIDC client secret

POST/v1/admin/service-accounts

Create a service account

POST/v1/admin/service-accounts/{id}/rotate-key

Rotate the service-account API key

POST/v1/admin/snap-partners

Register a new SNAP-BI partner credential

POST/v1/admin/snap-partners/{partnerID}/rotate-secret

Rotate the HMAC client secret of a SNAP partner

PATCH/v1/admin/oidc-clients/{clientID}

Update an OIDC client

PATCH/v1/admin/service-accounts/{id}

Update a service account

DELETE/v1/admin/oidc-clients/{clientID}

Delete an OIDC client

DELETE/v1/admin/service-accounts/{id}

Delete a service account

DELETE/v1/admin/snap-partners/{partnerID}

Revoke a SNAP partner (soft-delete, idempotent)

Invitations & onboarding

Invite users by email and accept invitation tokens. First-admin signup for new tenants.

Sandbox & environment

Provision a sandbox sibling tenant and switch between production and sandbox environments.

Audit log

Tenant-scoped audit log export and retention settings.

Health & metadata

Liveness/readiness probes and the machine-readable OpenAPI spec.

Ungrouped operations

36 operations in the spec are not listed in the groups file. Add their operationIds to content/docs/api/auth.groups.json.

GET/v1/admin/audit-log

List tenant audit-log events with optional filters

GET/v1/admin/settings/policy

Read this tenant's non-secret policy/toggle settings

GET/v1/admin/settings/smtp

Read this tenant's SMTP transport settings (write-only view)

GET/v1/admin/settings/storage

Read this tenant's object-storage settings (write-only view)

GET/v1/auth/branding

Public host/slug-keyed tenant branding

GET/v1/me/notifications

List the caller's in-app notifications

GET/v1/me/notifications/unread-count

Get unread notification count (badge poll)

GET/v1/me/sessions

List the caller's own sessions

GET/v1/platform/tenants/{tenantId}/modules

Read a tenant's product-module catalog (enabled flags)

GET/v1/profile/notifications

Get the caller's notification preferences

GET/v1/tenant/branding

Read the caller's own tenant branding (self-serve)

POST/sso/exchange

Exchange a one-time SSO handoff code for a session

POST/v1/admin/settings/{kind}/preview

Dry-run preview of a candidate settings change

POST/v1/admin/settings/policy/revert

Clear this tenant's policy override

POST/v1/admin/settings/smtp/revert

Clear this tenant's SMTP override

POST/v1/admin/settings/smtp/test

Enqueue an asynchronous SMTP send-test

POST/v1/admin/settings/storage/revert

Clear this tenant's object-storage override

POST/v1/admin/settings/storage/test

Enqueue an asynchronous object-storage test-connection

POST/v1/admin/users/{userId}/reinstate

Reinstate a suspended user (Plan C / V4-17)

POST/v1/auth/enter-sandbox

Enter the caller's own sandbox sibling and mint a sandbox token

POST/v1/auth/switch-tenant

Switch the active tenant (re-scope the session to another membership)

POST/v1/auth/verify-email/resend

Resend a verification email

POST/v1/internal/token-exchange

Mint a scoped tenant JWT for internal service-to-service calls

POST/v1/me/notifications/mark-all-read

Mark all notifications as read

POST/v1/me/password

Change the caller's password

PUT/v1/admin/settings/policy

Create or replace this tenant's policy/toggle settings

PUT/v1/admin/settings/smtp

Create or replace this tenant's SMTP transport settings

PUT/v1/admin/settings/storage

Create or replace this tenant's object-storage settings

PUT/v1/platform/tenants/{tenantId}/modules

Replace a tenant's enabled product modules (declarative full set)

PUT/v1/profile/notifications

Replace the caller's notification preferences

PUT/v1/tenant/branding

Update the caller's own tenant branding (self-serve)

PATCH/v1/admin/team/{memberId}/roles/{roleId}

Change the POS store scope on an existing role assignment

PATCH/v1/me

Update current user profile

PATCH/v1/me/notifications/{id}/read

Mark a single notification as read

PATCH/v1/platform/tenants/{tenantId}/commercial-class

Set a tenant's commercial class (owner or subscriber)

DELETE/v1/me/sessions/{familyId}

Revoke one of the caller's own sessions

Was this page helpful?

On this page