You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/http_api.md
+7-2Lines changed: 7 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,8 +25,8 @@ mount protected controllers manually, pass `security=` to the relevant controlle
25
25
| POST |`{auth}/refresh`|`RefreshTokenRequest` (`refresh_token`) |`enable_refresh=True`| New access token from refresh token / cookie. |
26
26
| GET |`{auth}/sessions`| None |`include_session_devices=True`| Authenticated; list the current user's active DB-backed refresh sessions. CookieTransport clients can be marked current from the refresh cookie. |
27
27
| POST |`{auth}/sessions`|`RefreshTokenRequest` (`refresh_token`) |`include_session_devices=True`| Authenticated; list active refresh sessions while identifying the current bearer refresh session. |
28
-
| DELETE |`{auth}/sessions/{session_id}`| None |`include_session_devices=True`| Authenticated; revoke one of the current user's refresh sessions by public session id. |
29
-
| POST |`{auth}/sessions/revoke-others`| Optional `RefreshTokenRequest` (`refresh_token`) for bearer clients |`include_session_devices=True`| Authenticated; revoke the current user's other refresh sessions. |
28
+
| DELETE |`{auth}/sessions/{session_id}`| None |`include_session_devices=True`| Authenticated; revoke one of the current user's DB sessions and its linked access tokens by public session id. |
29
+
| POST |`{auth}/sessions/revoke-others`| Optional `RefreshTokenRequest` (`refresh_token`) for bearer clients |`include_session_devices=True`| Authenticated; revoke the current user's other DB sessions and their linked access tokens. |
30
30
| POST |`{auth}/switch-organization`|`SwitchOrganizationRequest` (`organization_slug`) |`organization_config.enabled=True`, `organization_config.include_switch_organization=True`, and a JWT-capable non-API-key backend | Authenticated; verifies target organization membership and returns an organization-bound JWT through the configured transport. |
31
31
| POST |`{auth}/organization-invitations/accept`|`OrganizationInvitationTokenRequest` (`token`) |`organization_config.enabled=True`, `organization_config.include_organization_invitations=True`| Authenticated; validates a single-use invitation token, requires the authenticated user's normalized email to match the invitation, creates membership roles from the invitation, and consumes the invitation. |
32
32
| POST |`{auth}/organization-invitations/decline`|`OrganizationInvitationTokenRequest` (`token`) |`organization_config.enabled=True`, `organization_config.include_organization_invitations=True`| Authenticated; validates the token and authenticated email, then revokes the pending invitation without creating membership. |
@@ -76,6 +76,11 @@ The first controller slice supports strategies implementing the refresh-session
76
76
including the built-in DB token strategy. JWT and Redis token strategies do not provide a session
77
77
dashboard in this slice.
78
78
79
+
The built-in DB strategy links each newly issued access token to the refresh session that issued it.
80
+
Deleting a session, revoking other sessions, detecting refresh-token replay, or expiring a refresh
81
+
session therefore invalidates its access tokens immediately rather than waiting for their access TTL.
82
+
Custom strategies control their own revocation semantics.
83
+
79
84
| Status | Error code | Applies to | Meaning |
80
85
| ------ | ---------- | ---------- | ------- |
81
86
| 400 |`SESSION_MANAGEMENT_UNSUPPORTED`| All session/device routes | The configured strategy does not implement refresh-session management. |
0 commit comments