Base URLs
Authentication
Most endpoints require a Bearer token in theAuthorization header. This is your developer API key, obtained via POST /v1/signup.
POST /v1/scim/tokens.
Public endpoints (health, JWKS, consent UI, SSO flow) require no authentication.
Rate Limits
These are current repository defaults. Source implementation does not by itself confirm that a managed environment has been deployed with the same configuration.
A route-specific Fastify limit replaces the 5,000 requests/minute default for that route. The Redis-backed standard developer API-key plan budget is an additional policy whenever standard API-key authentication applies.
Commerce, the SCIM Bearer data-plane routes under
/scim/v2/*, admin, and other custom-auth routes do not consume the standard developer API-key plan bucket; their active Fastify policy still applies. The standard API-key-authenticated /v1/scim/tokens management routes do consume the plan bucket.
OpenAPI Spec
The full OpenAPI 3.1 specification is available atopenapi.yaml. You can import it into Swagger Editor, Postman, or any OpenAPI-compatible tool.