{"openapi":"3.1.0","info":{"title":"Keymaster API","description":"Identity broker & auth gateway for Cloud Monitor","version":"3.9.0"},"paths":{"/token/refresh":{"post":{"summary":"Refresh Token","description":"Exchange a valid refresh token for a new access + refresh token pair.\n\nThe old refresh token is revoked (rotation).","operationId":"refresh_token_token_refresh_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenRefreshRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/token/revoke":{"post":{"summary":"Revoke Token","description":"Revoke a refresh token (logout).","operationId":"revoke_token_token_revoke_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenRevokeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/token/verify":{"post":{"summary":"Verify Token","description":"Verify an access token and return its claims.\n\nFor app backends to validate tokens server-side.","operationId":"verify_token_token_verify_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenVerifyRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/token":{"post":{"summary":"Token Endpoint","description":"OAuth2 token endpoint — supports client_credentials grant.\n\nAccepts both JSON body and form-encoded body (per OAuth2 spec).","operationId":"token_endpoint_auth_token_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/.well-known/jwks.json":{"get":{"summary":"Jwks","description":"Public keys for JWT verification.","operationId":"jwks__well_known_jwks_json_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/.well-known/openid-configuration":{"get":{"summary":"Openid Configuration","description":"OIDC discovery document.","operationId":"openid_configuration__well_known_openid_configuration_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/auth/login":{"post":{"tags":["auth"],"summary":"Login Password","description":"Authenticate with email + password and receive tokens.","operationId":"login_password_auth_login_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordLoginRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/invite":{"post":{"tags":["auth"],"summary":"Redeem Invite","description":"Redeem an invite code to create an account and join an app.","operationId":"redeem_invite_auth_invite_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/InviteRedeemRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/accept-invite":{"post":{"tags":["auth"],"summary":"Accept Invite","description":"Accept an invite. Existing users just confirm; new users provide name + password.","operationId":"accept_invite_auth_accept_invite_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AcceptInviteRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/request-access":{"post":{"tags":["auth"],"summary":"Request Access","description":"Request access to an approval-required app. Requires an active SSO session.","operationId":"request_access_auth_request_access_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RequestAccessBody"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/signup":{"post":{"tags":["auth"],"summary":"Signup","description":"Create a new account and enroll in an open-registration app.","operationId":"signup_auth_signup_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SignupRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/send-verification":{"post":{"tags":["auth"],"summary":"Send Verification","description":"Send (or resend) a verification email for the authenticated user.\n\nThe user must be authenticated via the SSO cookie. Returns 200 regardless\nto avoid leaking whether the address is verified.","operationId":"send_verification_auth_send_verification_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SendVerificationRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/verify-email":{"get":{"tags":["auth"],"summary":"Verify Email","description":"Validate an email verification token and mark the user's email as verified.","operationId":"verify_email_auth_verify_email_get","parameters":[{"name":"token","in":"query","required":true,"schema":{"type":"string","title":"Token"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/forgot-password":{"post":{"tags":["auth"],"summary":"Forgot Password","description":"Send a password reset email. Always returns 200 to prevent email enumeration.","operationId":"forgot_password_auth_forgot_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ForgotPasswordRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/reset-password":{"post":{"tags":["auth"],"summary":"Reset Password","description":"Reset password using a valid reset token.","operationId":"reset_password_auth_reset_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ResetPasswordRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/totp/verify":{"post":{"tags":["auth"],"summary":"Totp Verify","description":"Complete login after passing the TOTP challenge.\n\nVerifies the totp_session JWT, then verifies the TOTP code or a backup code.\nOn success, issues tokens and SSO cookie.","operationId":"totp_verify_auth_totp_verify_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TotpVerifyRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TokenResponse"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/magic-link":{"post":{"tags":["auth"],"summary":"Request Magic Link","description":"Request a magic link for passwordless email login.\nAlways returns 200 {\"status\": \"sent\"} — never reveals whether email exists.\nRate limited: 3 per email per 15 min.","operationId":"request_magic_link_auth_magic_link_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/MagicLinkRequestBody"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/auth/magic-link/verify":{"get":{"tags":["auth"],"summary":"Verify Magic Link","description":"Consume a magic link token. Issues tokens + SSO cookie, then redirects.\nIf user has TOTP, redirects to TOTP challenge instead.","operationId":"verify_magic_link_auth_magic_link_verify_get","parameters":[{"name":"token","in":"query","required":true,"schema":{"type":"string","title":"Token"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/tenants":{"get":{"tags":["admin"],"summary":"List Tenants","operationId":"list_tenants_admin_tenants_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"items":{"$ref":"#/components/schemas/TenantOut"},"type":"array","title":"Response List Tenants Admin Tenants Get"}}}}}},"post":{"tags":["admin"],"summary":"Create Tenant","operationId":"create_tenant_admin_tenants_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TenantCreate"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TenantOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/tenants/{tenant_id}":{"patch":{"tags":["admin"],"summary":"Update Tenant","description":"Update tenant settings. Toggling is_active cascades to all tenant apps.","operationId":"update_tenant_admin_tenants__tenant_id__patch","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Tenant Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TenantUpdate"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/TenantOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps":{"get":{"tags":["admin"],"summary":"List Apps","operationId":"list_apps_admin_apps_get","parameters":[{"name":"tenant_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"Tenant Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/AppOut"},"title":"Response List Apps Admin Apps Get"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"post":{"tags":["admin"],"summary":"Create App","operationId":"create_app_admin_apps_post","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/AppCreate"}}}},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AppCreatedOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}":{"put":{"tags":["admin"],"summary":"Update App","operationId":"update_app_admin_apps__app_id__put","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"type":"object","additionalProperties":true,"title":"Body"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/AppOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}/logo":{"post":{"tags":["admin"],"summary":"Upload App Logo","description":"Upload and normalize app logo. Stored as base64 data URI in branding config.","operationId":"upload_app_logo_admin_apps__app_id__logo_post","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"requestBody":{"required":true,"content":{"multipart/form-data":{"schema":{"$ref":"#/components/schemas/Body_upload_app_logo_admin_apps__app_id__logo_post"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"delete":{"tags":["admin"],"summary":"Delete App Logo","description":"Remove uploaded logo from app branding.","operationId":"delete_app_logo_admin_apps__app_id__logo_delete","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users":{"get":{"tags":["admin"],"summary":"List Users","description":"List users. Accepts user JWT or service JWT with `users:read` scope.\n\nService tokens can only list users for their own app (app_id is enforced).","operationId":"list_users_admin_users_get","parameters":[{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/UserOut"},"title":"Response List Users Admin Users Get"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"post":{"tags":["admin"],"summary":"Create User","description":"Create a user. Accepts user JWT (platform admin) or service JWT with `users:create` scope.\n\nService tokens cannot set is_platform_admin=True.","operationId":"create_user_admin_users_post","requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserCreate"}}}},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/detail":{"get":{"tags":["admin"],"summary":"Get User Detail","description":"Full user detail including enrollments, linked accounts, tenant roles.","operationId":"get_user_detail_admin_users__user_id__detail_get","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/search":{"get":{"tags":["admin"],"summary":"Search Users","description":"Search users by email prefix. Returns up to 10 matches.","operationId":"search_users_admin_users_search_get","parameters":[{"name":"q","in":"query","required":false,"schema":{"type":"string","default":"","title":"Q"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/roles":{"post":{"tags":["admin"],"summary":"Assign Roles","description":"Assign or update a user's roles for a specific app.\n\nRequires platform admin or admin role on the target app.","operationId":"assign_roles_admin_users_roles_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/UserRoleAssign"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/suspend":{"post":{"tags":["admin"],"summary":"Suspend User","description":"Suspend a user from a specific app. Revokes all their refresh tokens.","operationId":"suspend_user_admin_users__user_id__suspend_post","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}},{"name":"app_id","in":"query","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/password":{"put":{"tags":["admin"],"summary":"Change User Password","description":"Change a user's password (platform admin only).","operationId":"change_user_password_admin_users__user_id__password_put","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PasswordChangeRequest"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/me/password":{"put":{"tags":["admin"],"summary":"Change Own Password","description":"Change your own password (requires current password).","operationId":"change_own_password_admin_me_password_put","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SelfPasswordChangeRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/promote":{"put":{"tags":["admin"],"summary":"Toggle Platform Admin","description":"Toggle platform admin status for a user.","operationId":"toggle_platform_admin_admin_users__user_id__promote_put","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/impact":{"get":{"tags":["admin"],"summary":"Get User Impact","description":"Pre-delete impact summary: shows what will be affected by deleting this user.","operationId":"get_user_impact_admin_users__user_id__impact_get","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}":{"delete":{"tags":["admin"],"summary":"Delete User","description":"Delete a user and cascade all related records. Platform admin only.","operationId":"delete_user_admin_users__user_id__delete","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/apps/{app_id}":{"delete":{"tags":["admin"],"summary":"Unenroll User","description":"Remove a user from an app entirely.","operationId":"unenroll_user_admin_users__user_id__apps__app_id__delete","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}},{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/apps/{app_id}/approve":{"put":{"tags":["admin"],"summary":"Approve User","description":"Approve a pending user for an app. Sends approval notification email.","operationId":"approve_user_admin_users__user_id__apps__app_id__approve_put","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}},{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/apps/{app_id}/deny":{"delete":{"tags":["admin"],"summary":"Deny User","description":"Deny a pending user — removes their enrollment entirely.","operationId":"deny_user_admin_users__user_id__apps__app_id__deny_delete","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}},{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/apps/{app_id}/reactivate":{"put":{"tags":["admin"],"summary":"Reactivate User","description":"Reactivate a suspended user in an app.","operationId":"reactivate_user_admin_users__user_id__apps__app_id__reactivate_put","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}},{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}/secret":{"put":{"tags":["admin"],"summary":"Regenerate Secret","description":"Regenerate an app's client secret. Returns the new secret (shown once).","operationId":"regenerate_secret_admin_apps__app_id__secret_put","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/invites":{"post":{"tags":["admin"],"summary":"Create Invite","description":"Create an invite code for an app.\n\nAccepts either:\n- User JWT (admin/manager on the target app)\n- Service JWT with `invites:create` scope (app can only invite for itself)","operationId":"create_invite_admin_invites_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/InviteCreateRequest"}}},"required":true},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/InviteOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/invites/{invite_id}":{"delete":{"tags":["admin"],"summary":"Revoke Invite","description":"Revoke an invite code by setting max_uses = use_count (exhausting it).","operationId":"revoke_invite_admin_invites__invite_id__delete","parameters":[{"name":"invite_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Invite Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/invites/{invite_id}/resend":{"post":{"tags":["admin"],"summary":"Resend Invite","description":"Resend an invite — revokes old invite, creates new one, emails it.","operationId":"resend_invite_admin_invites__invite_id__resend_post","parameters":[{"name":"invite_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Invite Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/InviteResendRequest"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/tenants/{tenant_id}/admins":{"get":{"tags":["admin"],"summary":"List Tenant Admins","description":"List all tenant admins (enrolled in the tenant's Console app).","operationId":"list_tenant_admins_admin_tenants__tenant_id__admins_get","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Tenant Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"post":{"tags":["admin"],"summary":"Assign Tenant Admin","description":"Assign a user as tenant admin by enrolling them in the tenant Console app.","operationId":"assign_tenant_admin_admin_tenants__tenant_id__admins_post","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Tenant Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TenantAdminAssign"}}}},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/tenants/{tenant_id}/admins/{user_id}":{"delete":{"tags":["admin"],"summary":"Revoke Tenant Admin","description":"Revoke tenant admin by removing from tenant Console app.","operationId":"revoke_tenant_admin_admin_tenants__tenant_id__admins__user_id__delete","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Tenant Id"}},{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/audit":{"get":{"tags":["admin"],"summary":"Get Audit Log","operationId":"get_audit_log_admin_audit_get","parameters":[{"name":"tenant_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"Tenant Id"}},{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},{"name":"user_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"User Id"}},{"name":"limit","in":"query","required":false,"schema":{"type":"integer","default":50,"title":"Limit"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/rate-limits":{"get":{"tags":["admin"],"summary":"Get User Rate Limits","description":"Check current rate limit status for a user (platform admin only).","operationId":"get_user_rate_limits_admin_users__user_id__rate_limits_get","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/users/{user_id}/rate-limits/clear":{"post":{"tags":["admin"],"summary":"Clear User Rate Limits","description":"Clear all rate limits for a user (platform admin only).","operationId":"clear_user_rate_limits_admin_users__user_id__rate_limits_clear_post","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}/export":{"get":{"tags":["admin"],"summary":"Export App","description":"Export an app's configuration as JSON.\n\nAccess: platform admin (any app), tenant admin (apps in their tenant),\nor app admin/manager (their own app).","operationId":"export_app_admin_apps__app_id__export_get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}},{"name":"include_users","in":"query","required":false,"schema":{"type":"boolean","default":false,"title":"Include Users"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/tenants/{tenant_id}/export":{"get":{"tags":["admin"],"summary":"Export Tenant","description":"Export a tenant and all its apps as JSON. Requires platform admin or tenant admin.","operationId":"export_tenant_admin_tenants__tenant_id__export_get","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Tenant Id"}},{"name":"include_users","in":"query","required":false,"schema":{"type":"boolean","default":false,"title":"Include Users"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/import":{"post":{"tags":["admin"],"summary":"Import App","description":"Import an app from exported JSON into a tenant.","operationId":"import_app_admin_apps_import_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ImportAppRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/tenants/import":{"post":{"tags":["admin"],"summary":"Import Tenant","description":"Import a tenant and its apps from exported JSON.","operationId":"import_tenant_admin_tenants_import_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ImportTenantRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/login":{"get":{"tags":["console"],"summary":"Console Login","description":"Console login via SSO session.\n\nIf the user has a valid km_sso cookie, issue a Console JWT and redirect\nto the dashboard. No app enrollment needed — role checks happen after.\nIf no SSO session, redirect to the platform Console app login page to\nauthenticate, which creates an SSO session and bounces back here.","operationId":"console_login_console_login_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/callback":{"get":{"tags":["console"],"summary":"Console Callback","description":"Legacy callback — redirect to SSO-based login.","operationId":"console_callback_console_callback_get","parameters":[{"name":"access_token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Access Token"}},{"name":"refresh_token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Refresh Token"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/logout":{"get":{"tags":["console"],"summary":"Console Logout","operationId":"console_logout_console_logout_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/console/impersonate/{tenant_id}":{"get":{"tags":["console"],"summary":"Console Impersonate Enter","description":"Enter tenant impersonation mode (platform admin only).","operationId":"console_impersonate_enter_console_impersonate__tenant_id__get","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","title":"Tenant Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/impersonate-exit":{"get":{"tags":["console"],"summary":"Console Impersonate Exit","description":"Exit tenant impersonation mode.","operationId":"console_impersonate_exit_console_impersonate_exit_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/console/impersonate-app/{app_id}":{"get":{"tags":["console"],"summary":"Console Impersonate App Enter","description":"Enter app impersonation mode (tenant admin or platform admin only).\n\nLets a tenant admin view an app as if they were an app admin.\nConsole-only — no SSO tokens issued.","operationId":"console_impersonate_app_enter_console_impersonate_app__app_id__get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/impersonate-app-exit":{"get":{"tags":["console"],"summary":"Console Impersonate App Exit","description":"Exit app impersonation mode — return to tenant admin view.","operationId":"console_impersonate_app_exit_console_impersonate_app_exit_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/console/pick-tenant":{"get":{"tags":["console"],"summary":"Console Pick Tenant","description":"Show tenant picker for users who are admin on multiple tenants.","operationId":"console_pick_tenant_console_pick_tenant_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/select-tenant/{tenant_id}":{"get":{"tags":["console"],"summary":"Console Select Tenant","description":"Select a tenant context (for multi-tenant users). Sets active tenant cookie.","operationId":"console_select_tenant_console_select_tenant__tenant_id__get","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","title":"Tenant Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/":{"get":{"tags":["console"],"summary":"Console Dashboard","operationId":"console_dashboard_console__get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/tenant":{"get":{"tags":["console"],"summary":"Console Tenant Dashboard","description":"Tenant admin's home page — tenant details, admins, activity.","operationId":"console_tenant_dashboard_console_tenant_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/apps":{"get":{"tags":["console"],"summary":"Console Apps","operationId":"console_apps_console_apps_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/apps/{app_id}":{"get":{"tags":["console"],"summary":"Console App Detail","operationId":"console_app_detail_console_apps__app_id__get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/my-apps":{"get":{"tags":["console"],"summary":"Console My Apps","description":"Show apps where the current user has an admin role.\n\nThis is the entry point for app-level admins who may not be platform admins.","operationId":"console_my_apps_console_my_apps_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/users":{"get":{"tags":["console"],"summary":"Console Users","operationId":"console_users_console_users_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/users/{user_id}":{"get":{"tags":["console"],"summary":"Console User Detail","operationId":"console_user_detail_console_users__user_id__get","parameters":[{"name":"user_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"User Id"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/export/app/{app_id}":{"get":{"tags":["console"],"summary":"Console Export App","description":"Export app config as downloadable JSON file.","operationId":"console_export_app_console_export_app__app_id__get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/export/tenant/{tenant_id}":{"get":{"tags":["console"],"summary":"Console Export Tenant","description":"Export tenant + all apps as downloadable JSON file.","operationId":"console_export_tenant_console_export_tenant__tenant_id__get","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","title":"Tenant Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/audit":{"get":{"tags":["console"],"summary":"Console Audit","operationId":"console_audit_console_audit_get","parameters":[{"name":"page","in":"query","required":false,"schema":{"type":"integer","default":1,"title":"Page"}},{"name":"per_page","in":"query","required":false,"schema":{"type":"integer","default":50,"title":"Per Page"}},{"name":"app_filter","in":"query","required":false,"schema":{"type":"string","default":"","title":"App Filter"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/audit-log":{"get":{"tags":["console"],"summary":"Console Audit Log","description":"Audit log viewer with filtering and pagination.","operationId":"console_audit_log_console_audit_log_get","parameters":[{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"App Id"}},{"name":"user_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"User Id"}},{"name":"action","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Action"}},{"name":"tenant_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Tenant Id"}},{"name":"page","in":"query","required":false,"schema":{"type":"integer","default":1,"title":"Page"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/account":{"get":{"tags":["console"],"summary":"Console Account","operationId":"console_account_console_account_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/tenants":{"get":{"tags":["console"],"summary":"Console Tenants","operationId":"console_tenants_console_tenants_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/console/tenants/{tenant_id}":{"get":{"tags":["console"],"summary":"Console Tenant Detail","operationId":"console_tenant_detail_console_tenants__tenant_id__get","parameters":[{"name":"tenant_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Tenant Id"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/help":{"get":{"tags":["console"],"summary":"Console Help","description":"Help center — searchable, role-scoped documentation.","operationId":"console_help_console_help_get","parameters":[{"name":"q","in":"query","required":false,"schema":{"type":"string","default":"","title":"Q"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/console/help/{category}/{slug}":{"get":{"tags":["console"],"summary":"Console Help Article","description":"View a single help article.","operationId":"console_help_article_console_help__category___slug__get","parameters":[{"name":"category","in":"path","required":true,"schema":{"type":"string","title":"Category"}},{"name":"slug","in":"path","required":true,"schema":{"type":"string","title":"Slug"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/invite-accept":{"post":{"tags":["oauth"],"summary":"Oauth Invite Accept","description":"Accept an invite code using a pending OAuth identity.\n\nThis handles the case where a user authenticated via OAuth but isn't enrolled\nin an invite-only app. The OAuth identity was stashed; now they provide the\ninvite code to complete enrollment.","operationId":"oauth_invite_accept_oauth_invite_accept_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/OAuthInviteAcceptRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/google/start":{"get":{"tags":["oauth"],"summary":"Google Start","description":"Initiate Google OAuth flow — redirects user to Google consent screen.\n\nOptional params for silent re-auth:\n- prompt=none: attempt silent auth (no UI). Google returns error if no session.\n- login_hint: pre-select the Google account (email address).","operationId":"google_start_oauth_google_start_get","parameters":[{"name":"app_id","in":"query","required":true,"schema":{"type":"string","title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"login_hint","in":"query","required":false,"schema":{"type":"string","default":"","title":"Login Hint"}},{"name":"prompt","in":"query","required":false,"schema":{"type":"string","default":"","title":"Prompt"}},{"name":"invite_code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Invite Code"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/google/callback":{"get":{"tags":["oauth"],"summary":"Google Callback","description":"Handle Google OAuth callback — exchange code, find/create user, issue tokens.","operationId":"google_callback_oauth_google_callback_get","parameters":[{"name":"code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Code"}},{"name":"state","in":"query","required":false,"schema":{"type":"string","default":"","title":"State"}},{"name":"error","in":"query","required":false,"schema":{"type":"string","default":"","title":"Error"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/github/start":{"get":{"tags":["oauth"],"summary":"Github Start","description":"Initiate GitHub OAuth flow — redirects user to GitHub authorization.","operationId":"github_start_oauth_github_start_get","parameters":[{"name":"app_id","in":"query","required":true,"schema":{"type":"string","title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"invite_code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Invite Code"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/github/callback":{"get":{"tags":["oauth"],"summary":"Github Callback","description":"Handle GitHub OAuth callback — exchange code, find/create user, issue tokens.","operationId":"github_callback_oauth_github_callback_get","parameters":[{"name":"code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Code"}},{"name":"state","in":"query","required":false,"schema":{"type":"string","default":"","title":"State"}},{"name":"error","in":"query","required":false,"schema":{"type":"string","default":"","title":"Error"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/microsoft/start":{"get":{"tags":["oauth"],"summary":"Microsoft Start","description":"Initiate Microsoft OAuth flow — redirects user to Azure AD consent screen.","operationId":"microsoft_start_oauth_microsoft_start_get","parameters":[{"name":"app_id","in":"query","required":true,"schema":{"type":"string","title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"invite_code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Invite Code"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/microsoft/callback":{"get":{"tags":["oauth"],"summary":"Microsoft Callback","description":"Handle Microsoft OAuth callback — exchange code, find/create user, issue tokens.","operationId":"microsoft_callback_oauth_microsoft_callback_get","parameters":[{"name":"code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Code"}},{"name":"state","in":"query","required":false,"schema":{"type":"string","default":"","title":"State"}},{"name":"error","in":"query","required":false,"schema":{"type":"string","default":"","title":"Error"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/apple/start":{"get":{"tags":["oauth"],"summary":"Apple Start","description":"Initiate Apple Sign-In flow — redirects user to Apple's authorization page.","operationId":"apple_start_oauth_apple_start_get","parameters":[{"name":"app_id","in":"query","required":true,"schema":{"type":"string","title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"invite_code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Invite Code"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/apple/callback":{"post":{"tags":["oauth"],"summary":"Apple Callback Post","description":"Handle Apple Sign-In callback (form_post — Apple's required response mode).","operationId":"apple_callback_post_oauth_apple_callback_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}},"get":{"tags":["oauth"],"summary":"Apple Callback Get","description":"Handle Apple Sign-In callback via GET (fallback — Apple uses form_post).","operationId":"apple_callback_get_oauth_apple_callback_get","parameters":[{"name":"code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Code"}},{"name":"id_token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Id Token"}},{"name":"state","in":"query","required":false,"schema":{"type":"string","default":"","title":"State"}},{"name":"error","in":"query","required":false,"schema":{"type":"string","default":"","title":"Error"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/oauth/link/google":{"get":{"tags":["oauth"],"summary":"Link Google Start","description":"Start Google OAuth flow to link to current user's account.","operationId":"link_google_start_oauth_link_google_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/link/github":{"get":{"tags":["oauth"],"summary":"Link Github Start","description":"Start GitHub OAuth flow to link to current user's account.","operationId":"link_github_start_oauth_link_github_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/link/microsoft":{"get":{"tags":["oauth"],"summary":"Link Microsoft Start","description":"Start Microsoft OAuth flow to link to current user's account.","operationId":"link_microsoft_start_oauth_link_microsoft_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/link/apple":{"get":{"tags":["oauth"],"summary":"Link Apple Start","description":"Start Apple Sign-In flow to link to current user's account.","operationId":"link_apple_start_oauth_link_apple_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/request-access":{"post":{"tags":["oauth"],"summary":"Oauth Request Access","description":"Create a new user from a pending OAuth identity and submit a pending enrollment.\n\nUsed on the link-account page when the user doesn't have existing Keymaster\ncredentials and the app uses the approval registration policy.","operationId":"oauth_request_access_oauth_request_access_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/link/confirm":{"post":{"tags":["oauth"],"summary":"Confirm Link","description":"Confirm cross-email link by providing existing account credentials.","operationId":"confirm_link_oauth_link_confirm_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/oauth/link/{linked_id}":{"delete":{"tags":["oauth"],"summary":"Unlink Account","description":"Remove a linked OAuth account from the current user.","operationId":"unlink_account_oauth_link__linked_id__delete","parameters":[{"name":"linked_id","in":"path","required":true,"schema":{"type":"string","title":"Linked Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/totp/setup":{"post":{"tags":["account-totp"],"summary":"Totp Setup","description":"Generate a new TOTP secret + QR code + backup codes.\n\nStores an unconfirmed TotpDevice (replaces any existing unconfirmed one).\nReturns the QR data URI and list of backup codes for the user to record.","operationId":"totp_setup_account_totp_setup_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/account/totp/confirm":{"post":{"tags":["account-totp"],"summary":"Totp Confirm","description":"Confirm a TOTP setup by verifying a code from the authenticator app.\n\nSets confirmed=True on the TotpDevice. Backup codes were already stored in setup.","operationId":"totp_confirm_account_totp_confirm_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TotpConfirmRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/totp/disable":{"post":{"tags":["account-totp"],"summary":"Totp Disable","description":"Disable 2FA after password confirmation. Removes TotpDevice and BackupCodes.","operationId":"totp_disable_account_totp_disable_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/TotpDisableRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/totp/status":{"get":{"tags":["account-totp"],"summary":"Totp Status","description":"Return 2FA enrollment status for the authenticated user.","operationId":"totp_status_account_totp_status_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/admin/apps/{app_id}/webhooks":{"post":{"tags":["admin-webhooks"],"summary":"Register Webhook","description":"Register a new webhook endpoint for an app.","operationId":"register_webhook_admin_apps__app_id__webhooks_post","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/WebhookCreate"}}}},"responses":{"201":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"get":{"tags":["admin-webhooks"],"summary":"List Webhooks","description":"List all webhook endpoints for an app.","operationId":"list_webhooks_admin_apps__app_id__webhooks_get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}/webhooks/{webhook_id}":{"delete":{"tags":["admin-webhooks"],"summary":"Delete Webhook","description":"Remove a webhook endpoint.","operationId":"delete_webhook_admin_apps__app_id__webhooks__webhook_id__delete","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}},{"name":"webhook_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Webhook Id"}}],"responses":{"204":{"description":"Successful Response"},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}/webhooks/{webhook_id}/test":{"post":{"tags":["admin-webhooks"],"summary":"Test Webhook","description":"Fire a test ping event to a webhook endpoint.","operationId":"test_webhook_admin_apps__app_id__webhooks__webhook_id__test_post","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}},{"name":"webhook_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Webhook Id"}}],"responses":{"202":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/apps/{app_id}/webhooks/{webhook_id}/deliveries":{"get":{"tags":["admin-webhooks"],"summary":"List Deliveries","description":"List recent delivery attempts for a webhook endpoint.","operationId":"list_deliveries_admin_apps__app_id__webhooks__webhook_id__deliveries_get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}},{"name":"webhook_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Webhook Id"}},{"name":"limit","in":"query","required":false,"schema":{"type":"integer","default":50,"title":"Limit"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/onboarding/request":{"post":{"tags":["onboarding"],"summary":"Submit Onboarding Request","operationId":"submit_onboarding_request_onboarding_request_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/OnboardingRequestBody"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/onboarding":{"get":{"tags":["onboarding"],"summary":"List Onboarding Requests","operationId":"list_onboarding_requests_admin_onboarding_get","parameters":[{"name":"status","in":"query","required":false,"schema":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Status"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"type":"array","items":{"$ref":"#/components/schemas/OnboardingRequestOut"},"title":"Response List Onboarding Requests Admin Onboarding Get"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/onboarding/{request_id}":{"get":{"tags":["onboarding"],"summary":"Get Onboarding Request","operationId":"get_onboarding_request_admin_onboarding__request_id__get","parameters":[{"name":"request_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Request Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{"$ref":"#/components/schemas/OnboardingRequestOut"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/onboarding/{request_id}/approve":{"post":{"tags":["onboarding"],"summary":"Approve Onboarding Request","operationId":"approve_onboarding_request_admin_onboarding__request_id__approve_post","parameters":[{"name":"request_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Request Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/admin/onboarding/{request_id}/reject":{"post":{"tags":["onboarding"],"summary":"Reject Onboarding Request","operationId":"reject_onboarding_request_admin_onboarding__request_id__reject_post","parameters":[{"name":"request_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Request Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/RejectBody"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/devices/register":{"post":{"tags":["push"],"summary":"Register Device","description":"Register a device for push notifications.\n\nDeduplicates on (app_id, token_hash). Re-registration updates last_seen_at.","operationId":"register_device_push_devices_register_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/DeviceRegisterRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/devices/{device_id}":{"delete":{"tags":["push"],"summary":"Unregister Device","description":"Unregister a device. User JWT or service JWT (push:send) accepted.","operationId":"unregister_device_push_devices__device_id__delete","parameters":[{"name":"device_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Device Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/send":{"post":{"tags":["push"],"summary":"Send Notification","description":"Send a push notification to a single user (all their devices).","operationId":"send_notification_push_send_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SendRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/send/bulk":{"post":{"tags":["push"],"summary":"Send Bulk","description":"Send the same notification to multiple users.\n\nValidates inputs synchronously, dispatches in the background.\nReturns a batch_id immediately — results arrive via webhook receipts.","operationId":"send_bulk_push_send_bulk_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BulkSendRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/send/batch":{"post":{"tags":["push"],"summary":"Send Batch","description":"Send individual notifications to multiple users in one request.\n\nValidates inputs synchronously, dispatches in the background.\nReturns a batch_id immediately — results arrive via webhook receipts.","operationId":"send_batch_push_send_batch_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/BatchSendRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/config/{app_id}":{"patch":{"tags":["push"],"summary":"Update Push Config","description":"Enable/disable push notifications for an app and configure webhook/quota.\n\nRequires platform admin, tenant admin, or app admin.\nRequires platform-level PUSH_ENABLED.","operationId":"update_push_config_push_config__app_id__patch","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"requestBody":{"required":true,"content":{"application/json":{"schema":{"$ref":"#/components/schemas/PushConfigRequest"}}}},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}},"get":{"tags":["push"],"summary":"Get Push Config","description":"Get push notification config for an app.","operationId":"get_push_config_push_config__app_id__get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/push/devices/{app_id}":{"get":{"tags":["push"],"summary":"List Devices","description":"List registered push devices for an app. Admin only.","operationId":"list_devices_push_devices__app_id__get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/docs/":{"get":{"summary":"Docs Index","description":"Public SDK documentation — index page.","operationId":"docs_index_docs__get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/docs":{"get":{"summary":"Docs Index","description":"Public SDK documentation — index page.","operationId":"docs_index_docs_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/docs/{path}":{"get":{"summary":"Docs Page","description":"Public SDK documentation — individual page.","operationId":"docs_page_docs__path__get","parameters":[{"name":"path","in":"path","required":true,"schema":{"type":"string","title":"Path"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/llms.txt":{"get":{"summary":"Llms Txt","description":"LLM-digestible plaintext of all SDK documentation.","operationId":"llms_txt_llms_txt_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/llms-full.txt":{"get":{"summary":"Llms Full Txt","description":"Extended LLM-digestible format (same content, alias for compatibility).","operationId":"llms_full_txt_llms_full_txt_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/login":{"get":{"summary":"Login Page","description":"Render the login page, branded per app if app_id is provided.\n\nSSO fast path: if the user has a valid km_sso session and is enrolled\nin the requested app, issue tokens and redirect immediately.","operationId":"login_page_login_get","parameters":[{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"prompt","in":"query","required":false,"schema":{"type":"string","default":"","title":"Prompt"}},{"name":"error","in":"query","required":false,"schema":{"type":"string","default":"","title":"Error"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/totp-challenge":{"get":{"summary":"Totp Challenge Page","description":"Render the TOTP / 2FA challenge page.","operationId":"totp_challenge_page_totp_challenge_get","parameters":[{"name":"totp_session","in":"query","required":false,"schema":{"type":"string","default":"","title":"Totp Session"}},{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/register":{"get":{"summary":"Register Page","description":"Render the registration page for invite code redemption.","operationId":"register_page_register_get","parameters":[{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},{"name":"invite_code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Invite Code"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/invite/accept":{"get":{"summary":"Invite Accept Page","description":"Render the invite acceptance page. Detects existing vs new user.","operationId":"invite_accept_page_invite_accept_get","parameters":[{"name":"code","in":"query","required":false,"schema":{"type":"string","default":"","title":"Code"}},{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/login":{"get":{"summary":"Account Login","description":"Account login via SSO session — no app enrollment required.\n\nIf the user has a valid km_sso cookie, issue an Account JWT and redirect\nto /account. If no SSO session, redirect to the platform Console app\nlogin page to authenticate, then bounce back.","operationId":"account_login_account_login_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/account/callback":{"get":{"summary":"Account Callback","description":"Legacy callback — redirect to SSO-based account login.","operationId":"account_callback_account_callback_get","parameters":[{"name":"access_token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Access Token"}},{"name":"refresh_token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Refresh Token"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/assets/app/{app_id}/logo":{"get":{"summary":"App Logo","description":"Serve an app's uploaded logo as an image. No auth required.","operationId":"app_logo_assets_app__app_id__logo_get","parameters":[{"name":"app_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/logout":{"get":{"summary":"Account Logout","operationId":"account_logout_account_logout_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/sso/logout":{"get":{"summary":"Sso Logout","description":"App-scoped logout with branded page. SSO session is preserved by default.\n\nParams:\n    app_id: App UUID — loads branding for the logout page\n    post_logout_redirect_uri: \"Return to app\" link\n    full: If \"1\" or \"true\", revokes the SSO session entirely (all apps)","operationId":"sso_logout_sso_logout_get","parameters":[{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}},{"name":"post_logout_redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Post Logout Redirect Uri"}},{"name":"app_id","in":"query","required":false,"schema":{"type":"string","default":"","title":"App Id"}},{"name":"full","in":"query","required":false,"schema":{"type":"string","default":"","title":"Full"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account":{"get":{"summary":"Account Page","description":"Render the self-service account page for any authenticated Keymaster user.","operationId":"account_page_account_get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}},"/account/change-password":{"post":{"summary":"Account Change Password","description":"Change the authenticated user's password and revoke all SSO sessions.","operationId":"account_change_password_account_change_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/ChangePasswordRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/set-password":{"post":{"summary":"Account Set Password","description":"Set a password on a passwordless account (OAuth-only users).","operationId":"account_set_password_account_set_password_post","requestBody":{"content":{"application/json":{"schema":{"$ref":"#/components/schemas/SetPasswordRequest"}}},"required":true},"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/sessions/{session_id}/revoke":{"post":{"summary":"Revoke Account Session","description":"Revoke a specific SSO session from the Account page.","operationId":"revoke_account_session_account_sessions__session_id__revoke_post","parameters":[{"name":"session_id","in":"path","required":true,"schema":{"type":"string","format":"uuid","title":"Session Id"}}],"responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/account/sessions/revoke-all":{"post":{"summary":"Revoke All Other Sessions","description":"Revoke all SSO sessions except the current one.","operationId":"revoke_all_other_sessions_account_sessions_revoke_all_post","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/link-account":{"get":{"summary":"Link Account Page","description":"Render the account linking page for cross-email OAuth flows.","operationId":"link_account_page_link_account_get","parameters":[{"name":"provider","in":"query","required":false,"schema":{"type":"string","default":"","title":"Provider"}},{"name":"provider_email","in":"query","required":false,"schema":{"type":"string","default":"","title":"Provider Email"}},{"name":"link_token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Link Token"}},{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/forgot-password":{"get":{"summary":"Forgot Password Page","description":"Render the forgot password page.","operationId":"forgot_password_page_forgot_password_get","parameters":[{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},{"name":"redirect_uri","in":"query","required":false,"schema":{"type":"string","default":"","title":"Redirect Uri"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/reset-password":{"get":{"summary":"Reset Password Page","description":"Render the password reset page.","operationId":"reset_password_page_reset_password_get","parameters":[{"name":"token","in":"query","required":false,"schema":{"type":"string","default":"","title":"Token"}},{"name":"app_id","in":"query","required":false,"schema":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}}],"responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}},"422":{"description":"Validation Error","content":{"application/json":{"schema":{"$ref":"#/components/schemas/HTTPValidationError"}}}}}}},"/health":{"get":{"summary":"Health","description":"Returns service health: DB connectivity, RSA key readability, uptime, version.\nstatus is \"ok\" if all checks pass, \"degraded\" if any fail.","operationId":"health_health_get","responses":{"200":{"description":"Successful Response","content":{"application/json":{"schema":{}}}}}}},"/":{"get":{"summary":"Root","operationId":"root__get","responses":{"200":{"description":"Successful Response","content":{"text/html":{"schema":{"type":"string"}}}}}}}},"components":{"schemas":{"AcceptInviteRequest":{"properties":{"invite_code":{"type":"string","title":"Invite Code"},"app_id":{"type":"string","format":"uuid","title":"App Id"},"email":{"anyOf":[{"type":"string","format":"email"},{"type":"null"}],"title":"Email"},"display_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Display Name"},"password":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Password"}},"type":"object","required":["invite_code","app_id"],"title":"AcceptInviteRequest"},"AppCreate":{"properties":{"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"name":{"type":"string","title":"Name"},"bundle_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Bundle Id"},"registration_policy":{"type":"string","title":"Registration Policy","default":"invite"},"config":{"additionalProperties":true,"type":"object","title":"Config","default":{}}},"type":"object","required":["tenant_id","name"],"title":"AppCreate"},"AppCreatedOut":{"properties":{"id":{"type":"string","format":"uuid","title":"Id"},"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"name":{"type":"string","title":"Name"},"bundle_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Bundle Id"},"registration_policy":{"type":"string","title":"Registration Policy"},"config":{"additionalProperties":true,"type":"object","title":"Config"},"is_active":{"type":"boolean","title":"Is Active"},"client_secret":{"type":"string","title":"Client Secret"}},"type":"object","required":["id","tenant_id","name","bundle_id","registration_policy","config","is_active","client_secret"],"title":"AppCreatedOut"},"AppOut":{"properties":{"id":{"type":"string","format":"uuid","title":"Id"},"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"name":{"type":"string","title":"Name"},"bundle_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Bundle Id"},"registration_policy":{"type":"string","title":"Registration Policy"},"config":{"additionalProperties":true,"type":"object","title":"Config"},"is_active":{"type":"boolean","title":"Is Active"}},"type":"object","required":["id","tenant_id","name","bundle_id","registration_policy","config","is_active"],"title":"AppOut"},"BatchNotification":{"properties":{"user_id":{"type":"string","format":"uuid","title":"User Id"},"title":{"type":"string","title":"Title"},"body":{"type":"string","title":"Body"},"data":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"Data"},"ttl":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Ttl"}},"type":"object","required":["user_id","title","body"],"title":"BatchNotification"},"BatchSendRequest":{"properties":{"notifications":{"items":{"$ref":"#/components/schemas/BatchNotification"},"type":"array","title":"Notifications"}},"type":"object","required":["notifications"],"title":"BatchSendRequest"},"Body_upload_app_logo_admin_apps__app_id__logo_post":{"properties":{"file":{"type":"string","format":"binary","title":"File"}},"type":"object","required":["file"],"title":"Body_upload_app_logo_admin_apps__app_id__logo_post"},"BulkSendRequest":{"properties":{"user_ids":{"items":{"type":"string","format":"uuid"},"type":"array","title":"User Ids"},"title":{"type":"string","title":"Title"},"body":{"type":"string","title":"Body"},"data":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"Data"},"ttl":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Ttl"}},"type":"object","required":["user_ids","title","body"],"title":"BulkSendRequest"},"ChangePasswordRequest":{"properties":{"current_password":{"type":"string","title":"Current Password"},"new_password":{"type":"string","title":"New Password"}},"type":"object","required":["current_password","new_password"],"title":"ChangePasswordRequest"},"DeviceRegisterRequest":{"properties":{"app_id":{"type":"string","format":"uuid","title":"App Id"},"platform":{"type":"string","title":"Platform"},"push_token":{"type":"string","title":"Push Token"}},"type":"object","required":["app_id","platform","push_token"],"title":"DeviceRegisterRequest"},"ForgotPasswordRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"app_id":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},"type":"object","required":["email"],"title":"ForgotPasswordRequest"},"HTTPValidationError":{"properties":{"detail":{"items":{"$ref":"#/components/schemas/ValidationError"},"type":"array","title":"Detail"}},"type":"object","title":"HTTPValidationError"},"ImportAppRequest":{"properties":{"tenant_id":{"type":"string","format":"uuid","title":"Tenant Id"},"app":{"additionalProperties":true,"type":"object","title":"App"},"preserve_bundle_id":{"type":"boolean","title":"Preserve Bundle Id","default":false}},"type":"object","required":["tenant_id","app"],"title":"ImportAppRequest"},"ImportTenantRequest":{"properties":{"tenant":{"additionalProperties":true,"type":"object","title":"Tenant"},"apps":{"items":{"additionalProperties":true,"type":"object"},"type":"array","title":"Apps","default":[]}},"type":"object","required":["tenant"],"title":"ImportTenantRequest"},"InviteCreateRequest":{"properties":{"app_id":{"type":"string","format":"uuid","title":"App Id"},"roles":{"items":{"type":"string"},"type":"array","title":"Roles","default":[]},"max_uses":{"type":"integer","title":"Max Uses","default":1},"send_to_email":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Send To Email"},"expires_in_days":{"type":"integer","title":"Expires In Days","default":7}},"type":"object","required":["app_id"],"title":"InviteCreateRequest"},"InviteOut":{"properties":{"code":{"type":"string","title":"Code"},"app_id":{"type":"string","format":"uuid","title":"App Id"},"roles":{"items":{"type":"string"},"type":"array","title":"Roles"},"max_uses":{"type":"integer","title":"Max Uses"},"email_sent":{"type":"boolean","title":"Email Sent","default":false}},"type":"object","required":["code","app_id","roles","max_uses"],"title":"InviteOut"},"InviteRedeemRequest":{"properties":{"invite_code":{"type":"string","title":"Invite Code"},"email":{"type":"string","format":"email","title":"Email"},"display_name":{"type":"string","title":"Display Name"},"password":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Password"},"app_id":{"type":"string","format":"uuid","title":"App Id"},"device_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Device Id"}},"type":"object","required":["invite_code","email","display_name","app_id"],"title":"InviteRedeemRequest"},"InviteResendRequest":{"properties":{"email":{"type":"string","title":"Email"}},"type":"object","required":["email"],"title":"InviteResendRequest"},"MagicLinkRequestBody":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"app_id":{"type":"string","title":"App Id"},"redirect_uri":{"type":"string","title":"Redirect Uri"}},"type":"object","required":["email","app_id","redirect_uri"],"title":"MagicLinkRequestBody"},"OAuthInviteAcceptRequest":{"properties":{"oauth_token":{"type":"string","title":"Oauth Token"},"app_id":{"type":"string","title":"App Id"},"invite_code":{"type":"string","title":"Invite Code"},"display_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Display Name"}},"type":"object","required":["oauth_token","app_id","invite_code"],"title":"OAuthInviteAcceptRequest"},"OnboardingRequestBody":{"properties":{"name":{"type":"string","title":"Name"},"admin_email":{"type":"string","title":"Admin Email"},"admin_name":{"type":"string","title":"Admin Name"},"use_case":{"type":"string","title":"Use Case"}},"type":"object","required":["name","admin_email","admin_name","use_case"],"title":"OnboardingRequestBody"},"OnboardingRequestOut":{"properties":{"id":{"type":"string","format":"uuid","title":"Id"},"name":{"type":"string","title":"Name"},"admin_email":{"type":"string","title":"Admin Email"},"admin_name":{"type":"string","title":"Admin Name"},"use_case":{"type":"string","title":"Use Case"},"status":{"type":"string","title":"Status"},"reviewed_by":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"Reviewed By"},"reviewed_at":{"anyOf":[{},{"type":"null"}],"title":"Reviewed At"},"created_at":{"title":"Created At"},"notes":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Notes"},"app_id":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},"type":"object","required":["id","name","admin_email","admin_name","use_case","status","reviewed_by","reviewed_at","created_at","notes","app_id"],"title":"OnboardingRequestOut"},"PasswordChangeRequest":{"properties":{"new_password":{"type":"string","title":"New Password"}},"type":"object","required":["new_password"],"title":"PasswordChangeRequest"},"PasswordLoginRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"password":{"type":"string","title":"Password"},"app_id":{"type":"string","format":"uuid","title":"App Id"},"device_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Device Id"}},"type":"object","required":["email","password","app_id"],"title":"PasswordLoginRequest"},"PushConfigRequest":{"properties":{"enabled":{"type":"boolean","title":"Enabled","default":false},"webhook_url":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Webhook Url"},"daily_limit":{"type":"integer","title":"Daily Limit","default":10000}},"type":"object","title":"PushConfigRequest"},"RejectBody":{"properties":{"notes":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Notes"}},"type":"object","title":"RejectBody"},"RequestAccessBody":{"properties":{"app_id":{"type":"string","format":"uuid","title":"App Id"}},"type":"object","required":["app_id"],"title":"RequestAccessBody"},"ResetPasswordRequest":{"properties":{"token":{"type":"string","title":"Token"},"password":{"type":"string","title":"Password"}},"type":"object","required":["token","password"],"title":"ResetPasswordRequest"},"SelfPasswordChangeRequest":{"properties":{"current_password":{"type":"string","title":"Current Password"},"new_password":{"type":"string","title":"New Password"}},"type":"object","required":["current_password","new_password"],"title":"SelfPasswordChangeRequest"},"SendRequest":{"properties":{"user_id":{"type":"string","format":"uuid","title":"User Id"},"title":{"type":"string","title":"Title"},"body":{"type":"string","title":"Body"},"data":{"anyOf":[{"additionalProperties":true,"type":"object"},{"type":"null"}],"title":"Data"},"ttl":{"anyOf":[{"type":"integer"},{"type":"null"}],"title":"Ttl"}},"type":"object","required":["user_id","title","body"],"title":"SendRequest"},"SendVerificationRequest":{"properties":{"app_id":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"}},"type":"object","title":"SendVerificationRequest"},"SetPasswordRequest":{"properties":{"new_password":{"type":"string","title":"New Password"}},"type":"object","required":["new_password"],"title":"SetPasswordRequest"},"SignupRequest":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"display_name":{"type":"string","title":"Display Name"},"password":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Password"},"app_id":{"type":"string","format":"uuid","title":"App Id"},"device_id":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Device Id"}},"type":"object","required":["email","display_name","app_id"],"title":"SignupRequest"},"TenantAdminAssign":{"properties":{"email":{"type":"string","format":"email","title":"Email"}},"type":"object","required":["email"],"title":"TenantAdminAssign"},"TenantCreate":{"properties":{"slug":{"type":"string","title":"Slug"},"name":{"type":"string","title":"Name"},"plan":{"type":"string","title":"Plan","default":"free"},"admin_email":{"type":"string","title":"Admin Email"}},"type":"object","required":["slug","name","admin_email"],"title":"TenantCreate"},"TenantOut":{"properties":{"id":{"type":"string","format":"uuid","title":"Id"},"slug":{"type":"string","title":"Slug"},"name":{"type":"string","title":"Name"},"plan":{"type":"string","title":"Plan"},"is_active":{"type":"boolean","title":"Is Active"}},"type":"object","required":["id","slug","name","plan","is_active"],"title":"TenantOut"},"TenantUpdate":{"properties":{"is_active":{"anyOf":[{"type":"boolean"},{"type":"null"}],"title":"Is Active"},"name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Name"},"plan":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Plan"}},"type":"object","title":"TenantUpdate"},"TokenRefreshRequest":{"properties":{"refresh_token":{"type":"string","title":"Refresh Token"},"app_id":{"type":"string","format":"uuid","title":"App Id"}},"type":"object","required":["refresh_token","app_id"],"title":"TokenRefreshRequest"},"TokenResponse":{"properties":{"access_token":{"type":"string","title":"Access Token"},"refresh_token":{"type":"string","title":"Refresh Token"},"token_type":{"type":"string","title":"Token Type","default":"Bearer"},"expires_in":{"type":"integer","title":"Expires In"}},"type":"object","required":["access_token","refresh_token","expires_in"],"title":"TokenResponse"},"TokenRevokeRequest":{"properties":{"refresh_token":{"type":"string","title":"Refresh Token"}},"type":"object","required":["refresh_token"],"title":"TokenRevokeRequest"},"TokenVerifyRequest":{"properties":{"token":{"type":"string","title":"Token"},"audience":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Audience"}},"type":"object","required":["token"],"title":"TokenVerifyRequest"},"TotpConfirmRequest":{"properties":{"code":{"type":"string","title":"Code"}},"type":"object","required":["code"],"title":"TotpConfirmRequest"},"TotpDisableRequest":{"properties":{"password":{"type":"string","title":"Password"}},"type":"object","required":["password"],"title":"TotpDisableRequest"},"TotpVerifyRequest":{"properties":{"totp_session":{"type":"string","title":"Totp Session"},"code":{"type":"string","title":"Code"},"app_id":{"anyOf":[{"type":"string","format":"uuid"},{"type":"null"}],"title":"App Id"},"use_backup":{"type":"boolean","title":"Use Backup","default":false}},"type":"object","required":["totp_session","code"],"title":"TotpVerifyRequest"},"UserCreate":{"properties":{"email":{"type":"string","format":"email","title":"Email"},"display_name":{"type":"string","title":"Display Name"},"password":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Password"},"is_platform_admin":{"type":"boolean","title":"Is Platform Admin","default":false}},"type":"object","required":["email","display_name"],"title":"UserCreate"},"UserOut":{"properties":{"id":{"type":"string","format":"uuid","title":"Id"},"email":{"type":"string","title":"Email"},"display_name":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Display Name"},"email_verified":{"type":"boolean","title":"Email Verified"},"is_platform_admin":{"type":"boolean","title":"Is Platform Admin"}},"type":"object","required":["id","email","display_name","email_verified","is_platform_admin"],"title":"UserOut"},"UserRoleAssign":{"properties":{"user_id":{"type":"string","format":"uuid","title":"User Id"},"app_id":{"type":"string","format":"uuid","title":"App Id"},"roles":{"items":{"type":"string"},"type":"array","title":"Roles"}},"type":"object","required":["user_id","app_id","roles"],"title":"UserRoleAssign"},"ValidationError":{"properties":{"loc":{"items":{"anyOf":[{"type":"string"},{"type":"integer"}]},"type":"array","title":"Location"},"msg":{"type":"string","title":"Message"},"type":{"type":"string","title":"Error Type"}},"type":"object","required":["loc","msg","type"],"title":"ValidationError"},"WebhookCreate":{"properties":{"url":{"type":"string","title":"Url"},"events":{"items":{"type":"string"},"type":"array","title":"Events"},"secret":{"anyOf":[{"type":"string"},{"type":"null"}],"title":"Secret"}},"type":"object","required":["url","events"],"title":"WebhookCreate"}}}}