Getting a token

Send the access token on every subsequent request:

Token lifetimes

Refreshing

Returns a new access/refresh pair. The consumed refresh token is denied — reusing it (e.g. a stolen, already-rotated token) fails, which is what makes rotation meaningful rather than cosmetic.

Logging out

Denies the current access token’s jti immediately, rather than waiting out its natural expiry.

How the dashboard differs

If you’re calling the API directly (scripts, integrations, this documentation’s examples), you manage the access/refresh tokens yourself as shown above. The dashboard (apps/dashboard) does not — it keeps the refresh token in an httpOnly cookie set by its own Next.js route handlers, which are the only code that ever sees one. If you’re building against the dashboard’s own routes rather than the public API directly, see Security for that design.

Password reset

Issues a single-use, hashed, time-limited reset token (60 minutes by default). Completing the reset (/auth/reset-password) invalidates every other active session for that user.

Super admin

Platform operators use a super_admin account (tenant_id is NULL) and the X-Tenant-ID header to act on a specific tenant. super_admin access tokens are additionally checked against a Redis denylist on every request, so they can be revoked before their natural expiry — see Security.

Errors