All endpoints are prefixed with /api/v1. All responses use the standard envelope format: { "success": true, "data": … } or { "success": false, "error": { "code": "…", "message": "…" } }.

Auth /api/v1/auth

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| POST | /register | None | Register a new user. Returns 201, no tokens — user must verify email before logging in. |
| POST | /login | None | Login with email and password. Returns access + refresh tokens. |
| POST | /refresh | None | Exchange a valid refresh token for a new token pair. Old token is revoked. |
| POST | /logout | Bearer | Revoke the current refresh token. |
| GET | /verify-email | None | Verify email address with ?token= query param. Returns token pair on success. |
| POST | /resend-verification | None | Resend verification email. Always returns 200 — no email enumeration. |
| POST | /forgot-password | None | Request a password reset email. Always returns 200 — no email enumeration. |
| POST | /reset-password | None | Reset password with token from email. Revokes all existing refresh tokens. |
| POST | /change-password | Bearer | Change password with current password confirmation. Revokes all refresh tokens. |
| POST | /magic-link/request | None | Request a magic link login email. Always returns 200. |
| GET | /magic-link/verify | None | Verify magic link with ?token= query param. Returns token pair. |
| GET | /me | Bearer | Return the current user’s profile and active tenant context. |
| GET | /google | None | Initiate Google OAuth flow. Redirects to Google. |
| GET | /google/callback | None | Google OAuth callback. Redirects to frontend with tokens. |
| GET | /github | None | Initiate GitHub OAuth flow. Redirects to GitHub. |
| GET | /github/callback | None | GitHub OAuth callback. Redirects to frontend with tokens. |

Tenants /api/v1/tenants

| Method | Path | Auth | Permission | Description |
| --- | --- | --- | --- | --- |
| POST | / | Bearer | None | Create a new tenant (workspace). |
| GET | /mine | Bearer | None | List all tenants the current user belongs to. |
| POST | /switch | Bearer | None | Switch active tenant. Returns a new token pair with the new tenant context. |
| GET | /current | Bearer | tenant.settings.read | Get current tenant details. |
| PATCH | /current | Bearer | tenant.settings.edit | Update tenant name or slug. |
| GET | /current/members | Bearer | tenant.members.read | List all members of the current tenant with their roles. |
| POST | /current/invitations | Bearer | tenant.members.invite | Invite a user to the current tenant by email. |
| GET | /current/invitations | Bearer | tenant.members.read | List pending and recently expired invitations. |
| DELETE | /current/invitations/{id} | Bearer | tenant.members.invite | Cancel a pending invitation. |
| POST | /invitations/accept | Bearer or None | None | Accept an invitation token. Returns token pair or REGISTRATION_REQUIRED. |
| DELETE | /current/members/{userId} | Bearer | tenant.members.remove | Remove a member from the tenant. Cannot remove the Owner. |
| POST | /current/transfer-ownership | Bearer | tenant.ownership.transfer | Transfer the Owner role to another member. |
| GET | /current/roles | Bearer | tenant.roles.read | List all roles (built-in and custom) for the tenant. |
| POST | /current/roles | Bearer | tenant.roles.manage | Create a custom role. |
| PUT | /current/roles/{roleId} | Bearer | tenant.roles.manage | Update a custom role’s name or permissions. |
| DELETE | /current/roles/{roleId} | Bearer | tenant.roles.manage | Delete a custom role. Fails if members are assigned to it. |
| PATCH | /current/members/{userId}/role | Bearer | tenant.roles.manage | Assign a role to a member. |

Billing /api/v1/billing

| Method | Path | Auth | Permission | Description |
| --- | --- | --- | --- | --- |
| GET | / | Bearer | tenant.billing.read | Get current tenant’s subscription status and plan. |
| POST | /checkout | Bearer | tenant.billing.manage | Create a Stripe Checkout session for a plan upgrade. Returns { checkoutUrl }. |
| POST | /portal | Bearer | tenant.billing.manage | Create a Stripe Customer Portal session. Returns { portalUrl }. |

Users /api/v1/users

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| GET | /profile | Bearer | Get the current user’s profile (display name, avatar, timezone). |
| PATCH | /profile | Bearer | Update display name, avatar URL, or timezone. |
| POST | /change-email | Bearer | Request an email address change. Sends verification to the new address. |
| GET | /verify-email-change | None | Complete email change with token from email. |
| DELETE | /account | Bearer | Delete the current user’s account. Requires password confirmation. |

Notifications /api/v1/notifications

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| GET | / | Bearer | List notifications for the current user in the current tenant. Paginated. |
| GET | /unread-count | Bearer | Get the unread notification count. Redis-cached, 30-second TTL. |
| POST | /{id}/read | Bearer | Mark a single notification as read. |
| POST | /read-all | Bearer | Mark all notifications as read for the current user in the current tenant. |

Admin /api/v1/admin

All admin endpoints require is_admin = true in the JWT claims.

| Method | Path | Description |
| --- | --- | --- |
| GET | /users | List all users. Supports search, page, pageSize query params. |
| GET | /tenants | List all tenants. Supports search, page, pageSize. |
| GET | /tenants/{tenantId} | Get tenant detail: members, subscription history, last 20 audit log entries. |
| GET | /subscriptions/overview | Aggregate subscription stats: active count, trialing, past due, estimated MRR. |
| POST | /users/{userId}/impersonate | Issue a JWT for the target user with impersonator_id claim. |
| PATCH | /tenants/{tenantId}/subscription | Manual subscription status override (local state only, does not touch Stripe). |
| DELETE | /users/{userId} | Soft-delete a user. Cancels Stripe subscription at period end. |

Webhooks

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| POST | /api/v1/webhooks/stripe | Stripe-Signature header | Receive and process Stripe webhook events. Returns 200 for all events, handled or not. |

Health

| Method | Path | Auth | Description |
| --- | --- | --- | --- |
| GET | /health | None | Returns {"status":"healthy"}. Used by load balancers and monitoring. |