Getting a token
Token lifetimes
Refreshing
Logging out
jti immediately, rather than waiting
out its natural expiry.
How the dashboard differs
If you’re calling the API directly (scripts, integrations, this documentation’s examples), you manage the access/refresh tokens yourself as shown above. The dashboard (apps/dashboard) does not — it keeps
the refresh token in an httpOnly cookie set by its own Next.js route
handlers, which are the only code that ever sees one. If you’re building
against the dashboard’s own routes rather than the public API directly,
see Security for that design.
Password reset
/auth/reset-password) invalidates every
other active session for that user.
Super admin
Platform operators use asuper_admin account (tenant_id is NULL) and
the X-Tenant-ID header to act on a specific tenant. super_admin access
tokens are additionally checked against a Redis denylist on every request,
so they can be revoked before their natural expiry — see
Security.