Reference

API Endpoints

Complete API reference for IdP and SP endpoints.

API Endpoints

All HTTP endpoints registered by @openape/nuxt-auth-idp and @openape/nuxt-auth-sp.

Authentication

API endpoints use three authentication methods:

Method	Header	Who uses it
Management Token	`Authorization: Bearer <management-token>`	Human administrators, deployment tools
Agent Token	`Authorization: Bearer <agent-jwt>`	Enrolled agents (from `/api/agent/authenticate`)
Session	Cookie-based (automatic)	Logged-in users in the browser

IdP — Agent Endpoints

`POST /api/agent/enroll`

curl -X POST https://id.example.com/api/agent/enroll \
  -H "Authorization: Bearer <management-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "agent+deploy@example.com",
    "name": "deploy-bot",
    "publicKey": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI..."
  }'

Field	Required	Description
`email`	Yes	Agent email (convention: `agent+name@domain`)
`name`	Yes	Human-readable agent name
`publicKey`	Yes	SSH-format Ed25519 public key (`ssh-ed25519 ...`)
`owner`	No	Owner email (default: admin)
`approver`	No	Approver email (default: admin)

Response: 201 with { agent_id, email, name, owner, approver, status }

`POST /api/agent/challenge`

Request an authentication challenge. No auth required.

curl -X POST https://id.example.com/api/agent/challenge \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "agent+deploy@example.com"}'

Response: 200 with { challenge: "<64-char-hex>" }

Challenge expires after 60 seconds. Single-use.

`POST /api/agent/authenticate`

Authenticate with a signed challenge. No auth required.

curl -X POST https://id.example.com/api/agent/authenticate \
  -H "Content-Type: application/json" \
  -d '{
    "agent_id": "agent+deploy@example.com",
    "challenge": "<challenge-from-above>",
    "signature": "<base64-ed25519-signature>"
  }'

Response: 200 with { token, agent_id, email, name, expires_in }

The token is a JWT with claims { sub, act: "agent", iss, iat, exp }.

IdP — Grant Endpoints

`POST /api/grants`

Create a grant request. Agent token or session optional (auto-sets requester).

curl -X POST https://id.example.com/api/grants \
  -H "Authorization: Bearer <agent-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "requester": "agent+deploy@example.com",
    "target_host": "prod-server.example.com",
    "audience": "escapes",
    "grant_type": "once",
    "command": ["systemctl", "restart", "nginx"],
    "reason": "Deploy hotfix"
  }'

Field	Required	Description
`requester`	Yes	Agent email
`target_host`	Yes	Host where grant is valid
`audience`	Yes	Service identifier (`escapes`, `proxy`, etc.)
`grant_type`	No	`once` (default), `timed`, `always`
`command`	No	Command array
`permissions`	No	Permission strings
`duration`	For `timed`	Duration in seconds
`reason`	No	Human-readable reason
`run_as`	No	Execute as this user

Response: 201 with { id, type, request, status: "pending", created_at }

For timed and always grants, the system checks for existing reusable grants with matching parameters. If found, the existing grant is returned instead of creating a new one.

`GET /api/grants`

List grants. Session or agent token required.

Query params: status, limit (max 100)

`GET /api/grants/:id`

Get grant details. Supports ETag-based polling via If-None-Match header.

Response: 200 with full grant object, or 304 Not Modified if unchanged.

`POST /api/grants/:id/approve`

Approve a pending grant. Requires admin session, management token, or authorized approver.

curl -X POST https://id.example.com/api/grants/<id>/approve \
  -H "Authorization: Bearer <management-token>" \
  -H "Content-Type: application/json" \
  -d '{"grant_type": "timed", "duration": 3600}'

The request body is optional. Use it to override the grant type or duration.

Response: 200 with { grant, authz_jwt }

AuthZ-JWT expiration by grant type:

once → 5 minutes
timed → grant.expires_at
always → 1 hour

`POST /api/grants/:id/deny`

Deny a pending grant. Same auth as approve.

`POST /api/grants/:id/revoke`

Revoke an approved grant. Only the agent's approver or admin.

`POST /api/grants/:id/token`

Get the AuthZ-JWT for an approved grant. Requires agent token or session matching the requester.

Response: 200 with { authz_jwt, grant }

`POST /api/grants/:id/consume`

Consume a once grant. Requires the AuthZ-JWT as Bearer token.

Response: 200 with { status: "consumed" } for once grants, or { status: "valid" } for timed/always.

`POST /api/grants/verify`

Verify an AuthZ-JWT. No auth required.

curl -X POST https://id.example.com/api/grants/verify \
  -H "Content-Type: application/json" \
  -d '{"token": "<authz-jwt>"}'

Response: 200 with { valid: true, claims: {...} } or { valid: false, error: "..." }

`POST /api/grants/batch`

Batch grant operations.

IdP — Delegation Endpoints

`POST /api/delegations`

Create a delegation. Session or agent token required.

curl -X POST https://id.example.com/api/delegations \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "delegate": "agent+bot@example.com",
    "audience": "escapes",
    "scopes": ["read", "exec"],
    "approval": "always"
  }'

`GET /api/delegations`

List delegations for the current user.

`DELETE /api/delegations/:id`

Delete a delegation.

`POST /api/delegations/:id/validate`

Validate a delegation token.

IdP — Admin Endpoints

All admin endpoints require Management Token or admin session.

Users

Method	Path	Description
`GET`	`/api/admin/users`	List users
`POST`	`/api/admin/users`	Create user
`DELETE`	`/api/admin/users/:email`	Delete user
`GET`	`/api/admin/users/:email/credentials`	List user's WebAuthn credentials

Agents

Method	Path	Description
`GET`	`/api/admin/agents`	List agents
`POST`	`/api/admin/agents`	Create agent
`GET`	`/api/admin/agents/:id`	Get agent details
`PUT`	`/api/admin/agents/:id`	Update agent
`DELETE`	`/api/admin/agents/:id`	Delete agent

Sessions

Method	Path	Description
`GET`	`/api/admin/sessions`	List sessions
`DELETE`	`/api/admin/sessions/:familyId`	Delete session by family ID
`DELETE`	`/api/admin/sessions/user/:email`	Delete all sessions for user

Registration URLs

Method	Path	Description
`GET`	`/api/admin/registration-urls`	List registration URLs
`POST`	`/api/admin/registration-urls`	Create registration URL
`DELETE`	`/api/admin/registration-urls/:token`	Delete registration URL

IdP — OAuth / OIDC Endpoints

Method	Path	Description
`GET`	`/authorize`	OAuth authorization endpoint
`POST`	`/token`	Token exchange
`POST`	`/revoke`	Token revocation
`GET`	`/userinfo`	User info
`GET`	`/.well-known/jwks.json`	JSON Web Key Set
`GET`	`/.well-known/openid-configuration`	OIDC discovery document

IdP — Auth Endpoints

Method	Path	Description
`POST`	`/api/logout`	End session
`GET`	`/api/me`	Get current user
`POST`	`/api/webauthn/register/options`	Get registration options
`POST`	`/api/webauthn/register/verify`	Verify registration
`POST`	`/api/webauthn/login/options`	Get login options
`POST`	`/api/webauthn/login/verify`	Verify login
`GET`	`/api/webauthn/credentials`	List credentials
`POST`	`/api/webauthn/credentials/add/options`	Get options for adding credential
`POST`	`/api/webauthn/credentials/add/verify`	Verify added credential
`DELETE`	`/api/webauthn/credentials/:id`	Delete credential

IdP — Federation Endpoints

Method	Path	Description
`GET`	`/auth/federated/:providerId`	Initiate federated login
`GET`	`/auth/federated/:providerId/callback`	Handle federation callback
`GET`	`/api/federation/providers`	List configured federation providers

SP Endpoints

Method	Path	Description
`POST`	`/api/login`	Start login (accepts `{ email }`, returns redirect URL)
`GET`	`/api/callback`	OAuth callback
`POST`	`/api/logout`	End session
`GET`	`/api/me`	Get current user
`GET`	`/.well-known/oauth-client-metadata`	OAuth client metadata
`GET`	`/.well-known/auth.md`	Machine-readable auth spec
`GET`	`/.well-known/openape.json`	Service manifest

SP Configuration

Complete configuration reference for @openape/nuxt-auth-sp.

escapes Config

Configuration reference for /etc/openape/config.toml.