Qeet Docs
API reference

Sessions

Login, refresh-token rotation, the current-principal endpoint, and session list/revoke.

The full session model (ES256 tokens, rotation + theft detection, lockout) is in Sessions; this is the endpoint reference.

Authenticate

POST  /v1/auth/signup              Sign up → token pair
POST  /v1/auth/login               Password login → token pair
POST  /v1/auth/magic-link/start    Email a magic link
POST  /v1/auth/magic-link/consume  Consume → token pair

Refresh

Exchange the refresh token for a fresh, rotated pair. Replaying a rotated token revokes the chain.

POST  /v1/auth/refresh  Rotate the token pair
Bash
curl -X POST https://api.qeetid.com/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token":"…"}'
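
The rule above (a replayed, already-rotated refresh token revokes the whole chain) modeled as a small in-memory store. This is an added example, not Qeet's implementation or SDK code; the class name, status strings and storage layout are assumptions made for illustration.

```python
import hashlib
import secrets


def _h(token: str) -> str:
    # Store only a digest so a leaked table does not expose usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class RefreshStore:
    """Illustrative in-memory model of rotation with reuse detection."""

    def __init__(self):
        self.tokens = {}      # digest -> {"chain": str, "used": bool}
        self.revoked = set()  # chain ids that have been revoked

    def _mint(self, chain: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_h(token)] = {"chain": chain, "used": False}
        return token

    def login(self) -> str:
        # Each login starts a new chain (one chain per session).
        return self._mint(secrets.token_hex(8))

    def refresh(self, token: str):
        rec = self.tokens.get(_h(token))
        if rec is None or rec["chain"] in self.revoked:
            return None, "invalid"
        if rec["used"]:
            # An already-rotated token came back: someone holds a stale
            # copy, so every token descended from this login is revoked.
            self.revoked.add(rec["chain"])
            return None, "reuse_detected"
        rec["used"] = True
        return self._mint(rec["chain"]), "rotated"


def demo():
    store = RefreshStore()
    t0 = store.login()
    t1, first = store.refresh(t0)   # normal rotation
    _, replay = store.refresh(t0)   # stale token replayed
    _, after = store.refresh(t1)    # newest token is dead as well
    return [first, replay, after]


if __name__ == "__main__":
    print(demo())
```

In this model a client that sends two refresh calls with the same stored token triggers the revocation itself, so refreshes for one session should be serialized and the new pair persisted before the next call.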

Current principal

GET  /v1/auth/me  Current user/tenant/session context
Bash
curl https://api.qeetid.com/v1/auth/me \
  -H "Authorization: Bearer $ACCESS_TOKEN"

List & revoke

GET     /v1/auth/sessions       List the caller's sessions
DELETE  /v1/auth/sessions/{id}  Revoke a session
POST    /v1/auth/logout         Revoke the current session

Verify access tokens locally against the JWKS rather than calling the API on every request — that's what the SDKs' sessions.verify() does.
