API reference

Every endpoint, grouped by area and generated from Limen's OpenAPI spec (version 0.0.0). Tenant-scoped routes live under /v1/{tenantSlug}. All errors share the same envelope.

Prefer to try requests in-browser? The interactive Swagger UI is served straight from the API.

Tenants

Create a workspace and its first admin.

post/v1/tenants
Create a tenant
Request body (required)
tenantrequiredobject
adminrequiredobject
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
tenantSlugrequiredstring
400Bad request
409Conflict
429Too many requests

Authentication

Sign up, sign in, refresh, and sign out.

post/v1/{tenantSlug}/auth/login
Log in
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
emailrequiredstring (email)
length 0–254
passwordrequiredstring
length 1–1024
totpCodestring
pattern ^\d{6}$
emailOtpCodestring
pattern ^\d{6}$
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
401Unauthorized
404Not found
429Too many requests
post/v1/{tenantSlug}/auth/logout
Log out
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
refreshTokenrequiredstring
length 1–1024
Responses
200OK
Body
okrequiredtrue
404Not found
post/v1/{tenantSlug}/auth/logout-all
Log out everywhere
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
okrequiredtrue
countrequiredinteger
401Unauthorized
404Not found
post/v1/{tenantSlug}/auth/refresh
Refresh a session
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
refreshTokenrequiredstring
length 1–1024
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
401Unauthorized
404Not found
429Too many requests
post/v1/{tenantSlug}/auth/request-email-otp
Request an email code
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
emailrequiredstring (email)
length 0–254
passwordrequiredstring
length 1–1024
Responses
200OK
Body
okrequiredtrue
401Unauthorized
404Not found
429Too many requests
post/v1/{tenantSlug}/auth/signup
Sign up
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
emailrequiredstring (email)
length 0–254
passwordrequiredstring
length 12–1024
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
400Bad request
404Not found
429Too many requests
post/v1/{tenantSlug}/auth/totp/initial-enroll
Begin TOTP enrollment
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
emailrequiredstring (email)
length 0–254
passwordrequiredstring
length 1–1024
Responses
200OK
Body
secretrequiredstring
otpauthUrirequiredstring
401Unauthorized
403Forbidden
404Not found
409Conflict
429Too many requests
post/v1/{tenantSlug}/auth/totp/initial-verify
Verify initial TOTP
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
emailrequiredstring (email)
length 0–254
passwordrequiredstring
length 1–1024
coderequiredstring
pattern ^\d{6}$
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
401Unauthorized
403Forbidden
404Not found
409Conflict
429Too many requests

MFA

Enrol and manage second factors.

post/v1/{tenantSlug}/mfa/totp/enroll
POST /v1/{tenantSlug}/mfa/totp/enroll
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
secretrequiredstring
otpauthUrirequiredstring
401Unauthorized
404Not found
post/v1/{tenantSlug}/mfa/totp/verify
POST /v1/{tenantSlug}/mfa/totp/verify
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
coderequiredstring
pattern ^\d{6}$
Responses
200OK
Body
okrequiredtrue
401Unauthorized
404Not found

Google OAuth

The hosted Google sign-in flow.

get/v1/{tenantSlug}/oauth/google/callback
Google callback
Path parameters
tenantSlugrequiredstring
length 1–∞
Query parameters
codestring
length 1–∞
statestring
length 1–∞
errorstring
length 1–∞
error_descriptionstring
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
400Bad request
401Unauthorized
404Not found
429Too many requests
get/v1/{tenantSlug}/oauth/google/start
Start Google sign-in
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
authorizationUrlrequiredstring (uri)
400Bad request
404Not found

Current user

Operate on the authenticated user.

get/v1/{tenantSlug}/me
Get the current user
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
idrequiredstring
tenantIdrequiredstring
emailrequiredstring (email)
statusrequired"Pending" | "Active" | "Suspended"
rolerequired"Member" | "Admin"
createdAtrequiredstring (date-time)
lastLoginAtrequiredstring (date-time)
tenantrequiredobject
totpEnrolledrequiredboolean
401Unauthorized
404Not found
delete/v1/{tenantSlug}/me
Delete the current user
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
okrequiredtrue
401Unauthorized
404Not found
patch/v1/{tenantSlug}/me/password
PATCH /v1/{tenantSlug}/me/password
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
currentPasswordrequiredstring
length 1–1024
newPasswordrequiredstring
length 12–1024
Responses
200OK
Body
okrequiredtrue
400Bad request
401Unauthorized
404Not found

Invites

post/v1/invites/accept
POST /v1/invites/accept
Request body (required)
tokenrequiredstring
length 1–1024
passwordrequiredstring
length 12–1024
Responses
200OK
Body
userrequiredobject
accessTokenrequiredstring
refreshTokenrequiredstring
accessTokenExpiresInrequiredinteger
refreshTokenExpiresInrequiredinteger
tenantSlugrequiredstring
400Bad request
401Unauthorized
409Conflict
429Too many requests

Admin

Tenant administration.

get/v1/{tenantSlug}/api-keys
GET /v1/{tenantSlug}/api-keys
Path parameters
tenantSlugrequiredstring
length 1–∞
Query parameters
includeRevokedboolean
Responses
200OK
Body
itemsrequiredobject[]
401Unauthorized
403Forbidden
404Not found
429Too many requests
post/v1/{tenantSlug}/api-keys
POST /v1/{tenantSlug}/api-keys
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
namerequiredstring
length 1–120
environmentrequired"live" | "test"
expiresAtstring (date-time)
Responses
200OK
Body
plaintextrequiredstring
apiKeyrequiredobject
401Unauthorized
403Forbidden
404Not found
429Too many requests
delete/v1/{tenantSlug}/api-keys/{id}
DELETE /v1/{tenantSlug}/api-keys/{id}
Path parameters
tenantSlugrequiredstring
length 1–∞
idrequiredstring
length 1–∞
Responses
200OK
Body
okrequiredtrue
401Unauthorized
403Forbidden
404Not found
429Too many requests
get/v1/{tenantSlug}/audit
List audit events
Path parameters
tenantSlugrequiredstring
length 1–∞
Query parameters
action"UserSignup" | "UserLogin" | "UserLoginFailed" | "UserLogout" | "UserPasswordChanged" | "UserEmailVerified" | "UserSoftDeleted" | "UserHardDeleted" | "MfaTotpEnrolled" | "MfaTotpDisabled" | "MfaTotpVerified" | "MfaEmailOtpSent" | "MfaEmailOtpVerified" | "MfaEmailOtpFailed" | "InviteCreated" | "InviteAccepted" | "InviteRevoked" | "InviteExpired" | "ApiKeyCreated" | "ApiKeyRevoked" | "SessionCreated" | "SessionRevoked" | "SessionFamilyCompromised" | "TenantCreated" | "TenantUpdated" | "TenantSoftDeleted" | "GdprExportRequested" | "GdprExportCompleted" | "GdprErasureRequested" | "GdprErasureCompleted" | "GoogleOauthLinked" | "GoogleOauthUnlinked"
userIdstring (uuid)
beforestring (date-time)
limitinteger
searchstring
length 1–200
Responses
200OK
Body
itemsrequiredobject[]
401Unauthorized
403Forbidden
404Not found
429Too many requests
get/v1/{tenantSlug}/invites
GET /v1/{tenantSlug}/invites
Path parameters
tenantSlugrequiredstring
length 1–∞
Query parameters
includeAcceptedboolean
includeRevokedboolean
Responses
200OK
Body
itemsrequiredobject[]
401Unauthorized
403Forbidden
404Not found
429Too many requests
post/v1/{tenantSlug}/invites
POST /v1/{tenantSlug}/invites
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
emailrequiredstring (email)
length 0–254
role"Member" | "Admin"
ttlSecondsinteger
Responses
200OK
Body
tokenrequiredstring
inviterequiredobject
401Unauthorized
403Forbidden
404Not found
429Too many requests
delete/v1/{tenantSlug}/invites/{id}
DELETE /v1/{tenantSlug}/invites/{id}
Path parameters
tenantSlugrequiredstring
length 1–∞
idrequiredstring
length 1–∞
Responses
200OK
Body
okrequiredtrue
401Unauthorized
403Forbidden
404Not found
429Too many requests
put/v1/{tenantSlug}/oauth/google/credentials
PUT /v1/{tenantSlug}/oauth/google/credentials
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
clientIdrequiredstring
length 1–512
clientSecretrequiredstring
length 1–512
Responses
200OK
Body
okrequiredtrue
401Unauthorized
403Forbidden
404Not found
429Too many requests
delete/v1/{tenantSlug}/oauth/google/credentials
DELETE /v1/{tenantSlug}/oauth/google/credentials
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
okrequiredtrue
401Unauthorized
403Forbidden
404Not found
429Too many requests
get/v1/{tenantSlug}/tenant
GET /v1/{tenantSlug}/tenant
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
idrequiredstring
slugrequiredstring
namerequiredstring
planrequired"Free" | "Starter" | "Growth" | "Enterprise"
mfaPolicyrequired"Disabled" | "Optional" | "Required"
googleOauthEnabledrequiredboolean
googleClientIdrequiredstring
hasGoogleClientSecretrequiredboolean
createdAtrequiredstring (date-time)
401Unauthorized
403Forbidden
404Not found
429Too many requests
patch/v1/{tenantSlug}/tenant
PATCH /v1/{tenantSlug}/tenant
Path parameters
tenantSlugrequiredstring
length 1–∞
Request body (required)
namestring
length 1–120
mfaPolicy"Disabled" | "Optional" | "Required"
Responses
200OK
Body
idrequiredstring
slugrequiredstring
namerequiredstring
planrequired"Free" | "Starter" | "Growth" | "Enterprise"
mfaPolicyrequired"Disabled" | "Optional" | "Required"
googleOauthEnabledrequiredboolean
googleClientIdrequiredstring
hasGoogleClientSecretrequiredboolean
createdAtrequiredstring (date-time)
400Bad request
401Unauthorized
403Forbidden
404Not found
429Too many requests
get/v1/{tenantSlug}/users
GET /v1/{tenantSlug}/users
Path parameters
tenantSlugrequiredstring
length 1–∞
Responses
200OK
Body
itemsrequiredobject[]
401Unauthorized
403Forbidden
404Not found
429Too many requests
delete/v1/{tenantSlug}/users/{userId}
DELETE /v1/{tenantSlug}/users/{userId}
Path parameters
tenantSlugrequiredstring
length 1–∞
userIdrequiredstring (uuid)
Responses
200OK
Body
okrequiredtrue
401Unauthorized
403Forbidden
404Not found
429Too many requests
post/v1/{tenantSlug}/users/{userId}/totp/disable
POST /v1/{tenantSlug}/users/{userId}/totp/disable
Path parameters
tenantSlugrequiredstring
length 1–∞
userIdrequiredstring
length 1–∞
Responses
200OK
Body
okrequiredtrue
401Unauthorized
403Forbidden
404Not found
429Too many requests

Service

Liveness, readiness, and the spec itself.

get/health
Liveness
Responses
200OK
get/ready
Readiness
Responses
200OK
get/v1/openapi.json
OpenAPI document
Responses
200OK