Authentication
Token Operations
Handle refresh tokens, token info, and social authentication
POST
This endpoint handles various token-related operations including token refresh, token information retrieval, and social authentication through JWT tokens.
Request Body
The type of token operation to perform:
refresh_token: Get new access token using refresh tokentoken_info: Get information about an access tokenid_token: Authenticate with a social provider’s ID token
Required when
grant_type is “refresh_token”. The refresh token to use for obtaining a new access token.Required when
grant_type is “token_info”. The access token to get information about.Required when
grant_type is “id_token”. The ID token from a social provider.Response
JWT access token (for refresh_token and id_token grant types)
JWT refresh token (for refresh_token and id_token grant types)
Token expiration time in seconds (default: 3600)
Type of token (always “bearer”)
Only present for id_token grant type. Indicates if a new user was created.
Token Info Response
When usingtoken_info grant type, the response includes:
User ID associated with the token
List of permissions granted to the token.
Token expiration timestamp
Token issued at timestamp
Social Authentication Flow
When usingid_token grant type, the endpoint:
-
Token Verification:
- Verifies the ID token signature using provider’s JWKS
- Validates token claims (iss, aud, exp, iat)
- Extracts user information from token payload
-
Provider Validation:
- Google tokens must be issued by
https://accounts.google.com - Apple tokens must be issued by
https://appleid.apple.com - Client ID validation against environment configuration
- Google tokens must be issued by
-
Account Processing:
- Checks for existing account with email
- Link the account to the provider if it exists, ensuring the primary provider matches before establishing the connection.
- Creates new account if email is new
- Assigns default member role to new accounts
Error Responses
Error details when the request fails
Common error cases:
- 400 Bad Request: Missing required fields or invalid grant type
- 401 Unauthorized: Invalid/expired tokens or provider verification failed
- 403 Forbidden: Provider not linked or insufficient permissions
