Skip to main content
The Grantex Auth Service exposes a REST API covering agent registration, authorization flows, token management, audit logging, policy enforcement, anomaly detection, compliance exports, SCIM provisioning, SSO, billing, FIDO2/WebAuthn passkey management, W3C Verifiable Credentials, and DID infrastructure.

Base URLs

Authentication

Most endpoints require a Bearer token in the Authorization header. This is your developer API key, obtained via POST /v1/signup.
SCIM 2.0 user endpoints use a separate SCIM Bearer token, created via POST /v1/scim/tokens. Public endpoints (health, JWKS, consent UI, SSO flow) require no authentication.

Rate Limits

These are current repository defaults. Source implementation does not by itself confirm that a managed environment has been deployed with the same configuration.
A route-specific Fastify limit replaces the 5,000 requests/minute default for that route. The Redis-backed standard developer API-key plan budget is an additional policy whenever standard API-key authentication applies. Commerce, the SCIM Bearer data-plane routes under /scim/v2/*, admin, and other custom-auth routes do not consume the standard developer API-key plan bucket; their active Fastify policy still applies. The standard API-key-authenticated /v1/scim/tokens management routes do consume the plan bucket.

OpenAPI Spec

The full OpenAPI 3.1 specification is available at openapi.yaml. You can import it into Swagger Editor, Postman, or any OpenAPI-compatible tool.
Last modified on July 14, 2026