| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /oauth/authorize | None | Authorization page (renders login UI) |
| POST | /oauth/token | Client credentials | Exchange code or refresh token |
| POST | /oauth/revoke | None | Revoke a refresh token |

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /auth/login | None | Password login (JSON) |
| POST | /auth/login-form | None | Password login (form) |
| POST | /auth/pin | None | PIN login (JSON) |
| POST | /auth/pin-form | None | PIN login (form) |
| POST | /auth/signup | None | Create account (JSON) |
| POST | /auth/signup-form | None | Create account (form) |
| POST | /auth/magic-link/send | None | Send magic link email |
| GET | /auth/magic-link/verify | None | Verify magic link token |

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /.well-known/openid-configuration | None | OIDC discovery |
| GET | /.well-known/jwks.json | None | Public keys (ES256) |
| GET | /oidc/authorize | None | OIDC authorization |
| POST | /oidc/token | Basic / body | OIDC token exchange |

All admin endpoints require an `Authorization: Bearer <token>` header whose token carries the admin role.

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /admin/projects | Super-admin | List all projects |
| POST | /admin/projects | Super-admin | Create project |
| GET | /admin/projects/:id | Admin | Get project details |
| PATCH | /admin/projects/:id | Admin | Update project |

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /admin/projects/:id/users | Admin | List project users |
| PATCH | /admin/projects/:id/users/:userId | Admin | Update user role/status |
| DELETE | /admin/projects/:id/users/:userId | Admin | Remove user from project |

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /admin/projects/:id/sessions | Admin | List active sessions |
| DELETE | /admin/projects/:id/sessions/:tokenId | Admin | Revoke session |
| POST | /admin/projects/:id/sessions/revoke-all | Admin | Revoke all sessions |
| POST | /admin/projects/:id/sessions/revoke-many | Admin | Bulk revoke (up to 100) |

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /admin/projects/:id/pins | Admin | List PINs |
| POST | /admin/projects/:id/pins | Admin | Create PIN |
| PATCH | /admin/projects/:id/pins/:pinId | Admin | Revoke PIN |

| Method | Path | Auth | Description |
|---|---|---|---|
| POST | /admin/projects/:id/rate-limits/reset | Admin | Clear rate limit counters |

| Method | Path | Auth | Description |
|---|---|---|---|
| GET | /health | None | Service health check |