
POST /api/v1/auth/register

Register a new user account. Creates a user, a personal playground tenant, and sends a verification email. Rate limited to 5 requests per IP per hour.

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Full name (max 100 chars) |
| email | string | Yes | Email address (max 255 chars) |
| password | string | Yes | Password (8-128 chars, must contain an uppercase letter and a number) |

Response

Always returns the same generic message regardless of whether the email already exists (prevents email enumeration):
{
  "message": "If this email is available, a verification link has been sent."
}

GET /api/v1/auth/verify

Verify a user’s email address via the link sent during registration. Redirects to the login page.

Query Parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| token | string | Yes | Verification token |
| email | string | Yes | Email address |

Redirect Outcomes

| Redirect | Meaning |
| --- | --- |
| /login?verified=true | Email verified successfully |
| /login?error=invalid-token | Token not found |
| /login?error=expired-token | Token expired (24h limit) |
| /login?error=invalid-link | Missing token or email parameter |
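Added example (Python, not the project's own code) showing the registration and verification flow described above end to end: the sliding-window rate limit, the generic response that gives the same message whether or not the email exists, and each redirect outcome from the table. The in-memory stores, the SHA-256 hashing of the stored token, the single-use behaviour, the Unix-second timestamps, the link format and the 429 status for rate-limited calls are assumptions; the page does not state how the service stores or formats tokens.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque

TOKEN_TTL = 24 * 3600            # page: verification tokens expire after 24h
RATE_LIMIT = 5                   # page: 5 registrations per IP per hour
RATE_WINDOW = 3600
GENERIC_MESSAGE = "If this email is available, a verification link has been sent."

# Constructed in-memory state standing in for the database (assumption: only a
# SHA-256 hash of the token is stored, so a database leak does not leak live links).
USERS = {}                       # email -> {"verified": bool}
VERIFY_TOKENS = {}               # email -> {"token_hash": str, "expires_at": int}
REGISTER_HITS = defaultdict(deque)   # ip -> Unix timestamps of recent attempts


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def rate_limited(ip, now):
    """Sliding-window limiter: True when this IP has used its 5 attempts this hour."""
    hits = REGISTER_HITS[ip]
    while hits and hits[0] <= now - RATE_WINDOW:
        hits.popleft()
    if len(hits) >= RATE_LIMIT:
        return True
    hits.append(now)
    return False


def register(email, now, ip="203.0.113.10"):
    """POST /api/v1/auth/register: returns (status, message, link).
    The message is identical whether or not the email exists, so the body
    cannot be used to enumerate accounts. `link` is what the verification
    email would carry (constructed; the real link format is not on the page).
    The 429 for rate-limited calls is an assumption."""
    if rate_limited(ip, now):
        return 429, "Too many requests", None
    email = email.strip().lower()
    link = None
    if email not in USERS:
        token = secrets.token_urlsafe(32)
        USERS[email] = {"verified": False}
        VERIFY_TOKENS[email] = {"token_hash": _token_hash(token),
                                "expires_at": now + TOKEN_TTL}
        link = f"/api/v1/auth/verify?token={token}&email={email}"
    return 200, GENERIC_MESSAGE, link


def verify(token, email, now):
    """GET /api/v1/auth/verify: returns the redirect path from the outcome table."""
    if not token or not email:
        return "/login?error=invalid-link"
    email = email.strip().lower()
    record = VERIFY_TOKENS.get(email)
    # Unknown email and wrong token collapse into the same outcome; the hash
    # comparison is constant-time so a wrong token leaks nothing about the right one.
    if record is None or not hmac.compare_digest(_token_hash(token), record["token_hash"]):
        return "/login?error=invalid-token"
    if now > record["expires_at"]:
        return "/login?error=expired-token"
    USERS[email]["verified"] = True
    del VERIFY_TOKENS[email]     # single use: the same link cannot be replayed
    return "/login?verified=true"
```

One caveat the generic message does not cover: the existing-email branch does less work than the new-email branch, so response timing can still differ. To close that gap the service would do equivalent work on both paths, for example generating a token and sending an "this address already has an account" mail instead of a verification link.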

POST /api/v1/auth/mfa

Manage multi-factor authentication (TOTP-based). Supports setup, enable, verify, and disable actions.

Request Body

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| action | string | Yes | "setup", "enable", "verify", or "disable" |
| token | string | Conditional | 6-digit TOTP code or 8-character backup code (required for enable, verify, disable) |

Actions

setup — Generate a TOTP secret and backup codes. MFA is not yet active.
{
  "otpauthUrl": "otpauth://totp/KaireonAI:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=KaireonAI",
  "backupCodes": ["A1B2C3D4", "E5F6G7H8", "I9J0K1L2", "M3N4O5P6", "Q7R8S9T0", "U1V2W3X4", "Y5Z6A7B8", "C9D0E1F2"]
}
enable — Verify a TOTP token to activate MFA. Returns fresh backup codes.
{
  "enabled": true,
  "backupCodes": ["A1B2C3D4", "..."]
}
Store backup codes securely. They are only shown at setup/enable time and cannot be retrieved later.
verify — Verify a TOTP token or backup code during login. Rate limited to 3 attempts per 60 seconds.
{
  "verified": true,
  "method": "totp"
}
disable — Disable MFA (requires valid TOTP token).
{
  "disabled": true
}
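Added example in Python, not code from the project, covering the setup, enable and verify actions above from both sides: extracting the secret from the otpauthUrl, computing the RFC 6238 TOTP code an authenticator app would produce, and the server-side check that accepts a 6-digit code (with a one-step clock-drift window and replay rejection) or a single-use 8-character backup code. The window size, the replay counter, and storing backup codes as SHA-256 hashes are assumptions; the page only states the token formats.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

TOTP_STEP = 30          # seconds per code (RFC 6238 default)
TOTP_WINDOW = 1         # also accept the previous/next step to absorb clock drift


def secret_from_otpauth(url):
    """Pull the base32 secret out of the otpauthUrl returned by the setup action."""
    parsed = urlparse(url)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URL")
    return parse_qs(parsed.query)["secret"][0]


def _decode_secret(secret_b32):
    s = secret_b32.strip().upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, timestamp, digits=6, step=TOTP_STEP):
    """RFC 6238 TOTP: HOTP over the time counter. With the RFC test key
    (base32 of '12345678901234567890') timestamp 59 gives '287082'."""
    return hotp(_decode_secret(secret_b32), int(timestamp) // step, digits)


def hash_backup_codes(codes):
    """Server side keeps hashes only (assumption); plaintext goes to the user once."""
    return {hashlib.sha256(c.upper().encode()).hexdigest() for c in codes}


def new_mfa_state(backup_codes):
    """Per-user MFA state: remaining backup-code hashes and the last accepted counter."""
    return {"backup_hashes": hash_backup_codes(backup_codes), "last_counter": -1}


def mfa_verify(secret_b32, state, token, timestamp):
    """The verify action: a 6-digit TOTP or an 8-character backup code.
    Mirrors the page's {"verified": ..., "method": ...} response."""
    token = token.strip()
    if len(token) == 6 and token.isascii() and token.isdigit():
        secret = _decode_secret(secret_b32)
        counter = int(timestamp) // TOTP_STEP
        for delta in range(-TOTP_WINDOW, TOTP_WINDOW + 1):
            c = counter + delta
            if hmac.compare_digest(hotp(secret, c), token):
                if c <= state["last_counter"]:
                    # A code for this step was already accepted: a replayed
                    # code (shoulder-surfed, phished) must not work twice.
                    return {"verified": False, "method": "totp"}
                state["last_counter"] = c
                return {"verified": True, "method": "totp"}
        return {"verified": False, "method": "totp"}
    if len(token) == 8 and token.isascii() and token.isalnum():
        digest = hashlib.sha256(token.upper().encode()).hexdigest()
        match = next((h for h in state["backup_hashes"]
                      if hmac.compare_digest(digest, h)), None)
        if match is None:
            return {"verified": False, "method": "backup"}
        state["backup_hashes"].remove(match)    # single use
        return {"verified": True, "method": "backup"}
    return {"verified": False, "method": None}
```

The secret JBSWY3DPEHPK3PXP from the setup response above decodes fine, but its codes depend on the current time, so the known-answer values in the comments are RFC 6238's test vectors, not values from this service. The page's limit of 3 verify attempts per 60 seconds is not implemented here; an 8-character alphanumeric backup code is roughly 41 bits, so that limit, together with enable replacing the whole set with fresh codes, is what keeps online brute force out of reach.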

API Keys

POST /api/v1/api-keys

Generate a new API key. Admin only.
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | No | Key name. Auto-generated if omitted |
| expiresAt | string | No | ISO expiration date |

Response

{
  "id": "key_001",
  "name": "Production API Key",
  "key": "krn_a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef12345678",
  "prefix": "krn_a1b2c3d4",
  "expiresAt": null,
  "createdAt": "2026-03-16T10:00:00.000Z",
  "warning": "Store this key securely. It will not be shown again."
}
The full API key is only returned at creation time. Store it immediately — it cannot be retrieved later.

GET /api/v1/api-keys

List active API keys (prefix only, never the full key). Admin only.

DELETE /api/v1/api-keys

Revoke an API key (soft delete). Admin only.
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | Yes | Key ID (query parameter) |
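Added example (Python; not the project's implementation) of the key lifecycle described in the three endpoints above: creation returns the full krn_ key once, the store keeps only a prefix and a SHA-256 hash, listing exposes the prefix only, revocation is a soft delete, and authentication checks hash, revocation and expiry. The hashing, the in-memory store, the auto-generated name format and the use of Unix seconds in place of the page's ISO dates are assumptions.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "krn_"
PREFIX_LEN = len(KEY_PREFIX) + 8       # "krn_a1b2c3d4": the part GET may show
KEY_HEX_LEN = 64                       # random part length in the page's sample key

# Constructed in-memory store standing in for the database. Only the SHA-256
# hash of a key is kept (assumption), so the full key exists nowhere after creation.
KEYS = {}                              # id -> record


def _key_hash(raw):
    return hashlib.sha256(raw.encode()).hexdigest()


def create_api_key(name=None, expires_at=None, now=0):
    """POST /api/v1/api-keys: the only time the full key is ever returned.
    Timestamps are Unix seconds here rather than the page's ISO strings."""
    raw = KEY_PREFIX + secrets.token_hex(KEY_HEX_LEN // 2)
    key_id = f"key_{len(KEYS) + 1:03d}"
    record = {
        "id": key_id,
        "name": name or f"API Key {key_id}",   # page: auto-generated if omitted
        "prefix": raw[:PREFIX_LEN],
        "key_hash": _key_hash(raw),
        "expiresAt": expires_at,
        "createdAt": now,
        "revokedAt": None,
    }
    KEYS[key_id] = record
    return {
        "id": key_id, "name": record["name"], "key": raw, "prefix": record["prefix"],
        "expiresAt": expires_at, "createdAt": now,
        "warning": "Store this key securely. It will not be shown again.",
    }


def list_api_keys():
    """GET /api/v1/api-keys: active keys, prefix only, no hash and no full key."""
    return [
        {k: r[k] for k in ("id", "name", "prefix", "expiresAt", "createdAt")}
        for r in KEYS.values() if r["revokedAt"] is None
    ]


def revoke_api_key(key_id, now):
    """DELETE /api/v1/api-keys?id=...: soft delete, the row stays for audit."""
    record = KEYS.get(key_id)
    if record is None or record["revokedAt"] is not None:
        return False
    record["revokedAt"] = now
    return True


def authenticate(presented, now):
    """Resolve a presented key to its id, or None. The prefix narrows the lookup
    (it is public, so it proves nothing); the hash comparison is the check."""
    if not presented.startswith(KEY_PREFIX) or len(presented) != len(KEY_PREFIX) + KEY_HEX_LEN:
        return None
    digest = _key_hash(presented)
    for record in KEYS.values():
        if record["prefix"] != presented[:PREFIX_LEN]:
            continue
        if not hmac.compare_digest(digest, record["key_hash"]):
            continue
        if record["revokedAt"] is not None:
            return None
        if record["expiresAt"] is not None and now >= record["expiresAt"]:
            return None
        return record["id"]
    return None
```

The prefix is deliberately public: it lets the service, and an operator reading logs, tell keys apart without the secret part, so matching on it narrows the lookup but never authenticates. Keys are compared as hashes with hmac.compare_digest, so a leaked table yields no usable keys and the comparison does not leak through timing.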

SSO

GET /api/v1/sso

Get SSO configuration for the tenant. Sensitive fields are redacted. Admin only.

POST /api/v1/sso

Configure SSO or get an auth URL.
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| action | string | Yes | "configure" or "get_auth_url" |
| config | object | For configure | SSO configuration (provider, SAML/OIDC settings, domains) |
| state | string | For get_auth_url | OAuth state parameter |
| redirectUri | string | For get_auth_url | Redirect URI after authentication |

SSO Configuration Fields

| Field | Type | Description |
| --- | --- | --- |
| provider | string | "saml" or "oidc" |
| enabled | boolean | Enable/disable SSO |
| samlEntityId | string | SAML entity ID |
| samlSsoUrl | string | SAML SSO URL |
| oidcIssuer | string | OIDC issuer URL |
| oidcClientId | string | OIDC client ID |
| oidcClientSecret | string | OIDC client secret |
| oidcScopes | string | OIDC scopes |
| defaultRole | string | Default role for SSO-provisioned users |
| allowedDomains | string[] | Allowed email domains |
| autoProvision | boolean | Auto-create users on first SSO login |
| enforceForAllUsers | boolean | Require SSO for all users |
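Added example in Python, not code from the project, of the checks an admin-only configure handler would run over the fields in the table above, the redaction GET applies before returning the config, the allowedDomains match for an SSO-asserted email, and the state and redirectUri handling for get_auth_url. The specific rules (https-only issuer and SSO URLs, refusing autoProvision without an allowlist, refusing defaultRole admin for auto-provisioned users, requiring the openid scope, exact-match redirect URIs) are the editor's assumptions about sensible policy, not rules the page states.

```python
import secrets
from urllib.parse import urlparse

REDACTED = "[redacted]"
SECRET_FIELDS = ("oidcClientSecret",)           # add SAML signing keys here if stored
PROVIDER_REQUIRED = {
    "saml": ("samlEntityId", "samlSsoUrl"),
    "oidc": ("oidcIssuer", "oidcClientId", "oidcClientSecret"),
}
URL_FIELDS = ("samlSsoUrl", "oidcIssuer")


def _is_https_url(value):
    parsed = urlparse(value)
    return parsed.scheme == "https" and bool(parsed.netloc)


def _normalize_domains(domains):
    """Lower-case, trimmed, de-duplicated bare domains."""
    return sorted({d.strip().lower().lstrip("@") for d in domains if d and d.strip()})


def validate_sso_config(cfg):
    """Return a list of problems with a 'configure' payload; empty means accept.
    The policy rules below are assumptions, not requirements stated by the API."""
    errors = []
    provider = cfg.get("provider")
    if provider not in PROVIDER_REQUIRED:
        errors.append("provider must be 'saml' or 'oidc'")
    else:
        for field in PROVIDER_REQUIRED[provider]:
            if not cfg.get(field):
                errors.append(f"{field} is required for provider '{provider}'")
    for field in URL_FIELDS:
        if cfg.get(field) and not _is_https_url(cfg[field]):
            errors.append(f"{field} must be an https URL")
    if provider == "oidc" and cfg.get("oidcScopes") and "openid" not in cfg["oidcScopes"].split():
        errors.append("oidcScopes must include 'openid'")
    domains = _normalize_domains(cfg.get("allowedDomains") or [])
    for d in domains:
        if "." not in d or any(ch in d for ch in "/:@ "):
            errors.append(f"allowedDomains entry {d!r} is not a bare domain")
    if cfg.get("autoProvision") and not domains:
        # Without an allowlist, anyone the IdP authenticates gets a tenant account.
        errors.append("autoProvision requires at least one allowedDomains entry")
    if cfg.get("autoProvision") and cfg.get("defaultRole") == "admin":
        errors.append("defaultRole 'admin' must not be granted to auto-provisioned users")
    return errors


def redact_sso_config(cfg):
    """What GET /api/v1/sso returns: a copy with secret fields masked."""
    return {k: (REDACTED if k in SECRET_FIELDS else v) for k, v in cfg.items()}


def email_allowed(email, cfg):
    """Domain check for an SSO-asserted email: exact match, case-insensitive,
    no subdomains, and exactly one '@' so 'a@good.com@evil.net' cannot pass."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].strip().lower()
    return domain in _normalize_domains(cfg.get("allowedDomains") or [])


def new_auth_state():
    """State for get_auth_url: unguessable, stored in the session, compared on return."""
    return secrets.token_urlsafe(32)


def redirect_uri_allowed(uri, registered):
    """Whole-string match against registered callback URIs; no prefix matching."""
    return uri in registered
```

Exact, case-insensitive domain matching is the point of email_allowed: a suffix match would let attacker-example.com through, and a subdomain match would trust every host under the domain. The redirect URI is compared as a whole string against registered values for the same reason; prefix or substring matching turns redirectUri into an open redirect for the authorization response.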

Roles

| Endpoint | Allowed Roles |
| --- | --- |
| POST /auth/register | Public |
| GET /auth/verify | Public |
| POST /auth/mfa | Authenticated user |
| POST /api-keys | admin |
| GET /api-keys | admin |
| DELETE /api-keys | admin |
| GET /sso | admin |
| POST /sso | admin |
See also: Authentication