---
title: Authentication
path: reference/api/auth
status: published
---

# Authentication

**3 endpoints** in this group. All paths are prefixed with `/api/v1`.

## Endpoints in this group

- [`GET /api/v1/auth/config`](#get-api-v1-auth-config) — Get Auth Config
- [`GET /api/v1/auth/me`](#get-api-v1-auth-me) — Get Me
- [`POST /api/v1/auth/token`](#post-api-v1-auth-token) — Proxy Token

---

### GET `/api/v1/auth/config` — Get Auth Config {#get-api-v1-auth-config}

Public endpoint — returns OIDC configuration for the portal login flow.

**Responses**:

- `200` — Successful Response. Returns: `AuthConfigResponse` — {`issuer`, `client_id`, `scopes`, `logout_url`}


### GET `/api/v1/auth/me` — Get Me {#get-api-v1-auth-me}

Returns the current user's profile, combining local roles with identity.

Identity (email, display name, tenant/partner names) is sourced from the
synced User row so it stays consistent across token refreshes — JWT
claims for `name`/`email` aren't always present.

**Parameters**:

- `authorization` (header, string, optional)


**Responses**:

- `200` — Successful Response. Returns: `MeResponse` — {`user_id`, `tenant_id`, `partner_id`, `email` + 5 more}
- `422` — Validation Error. Returns: `HTTPValidationError` — {`detail`}


### POST `/api/v1/auth/token` — Proxy Token {#post-api-v1-auth-token}

Proxies the token exchange to ScaiKey so that the browser does not run into CORS issues.

**Body**: `TokenRequest` — {`grant_type`, `code`, `redirect_uri`, `code_verifier` + 1 more}


**Responses**:

- `200` — Successful Response. Returns: object
- `422` — Validation Error. Returns: `HTTPValidationError` — {`detail`}
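
The client side of the login flow that ends at this endpoint, as an added example (not code from ScaiKey or the portal): it generates the PKCE pair, builds the authorization request from the `/auth/config` fields, and checks the callback before producing a `TokenRequest` body. Assumptions: the authorization endpoint comes from standard OIDC discovery on `issuer`, the challenge method is S256, `scopes` is a list or a space-separated string, all function names and sample values are constructed here, and the body carries only the four fields this page names.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

def challenge_for(verifier):
    """S256 code_challenge for a PKCE code_verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    """Fresh (code_verifier, code_challenge); the verifier never leaves the client."""
    verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43-128 limit
    return verifier, challenge_for(verifier)

def build_authorize_url(authorization_endpoint, config, redirect_uri, challenge, state):
    """Authorization request built from the /auth/config fields."""
    scopes = config["scopes"]
    if not isinstance(scopes, str):  # assumption: list or space-separated string
        scopes = " ".join(scopes)
    return authorization_endpoint + "?" + urlencode({
        "response_type": "code",
        "client_id": config["client_id"],
        "redirect_uri": redirect_uri,
        "scope": scopes,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    })

def token_request_from_callback(callback_url, expected_state, redirect_uri, verifier):
    """Validate the redirect, then return the body for POST /api/v1/auth/token."""
    params = parse_qs(urlsplit(callback_url).query)
    state = params.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not for this login attempt")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    return {  # only the four fields the page names; the fifth is not shown there
        "grant_type": "authorization_code",
        "code": params["code"][0],
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }

# Constructed sample values, not taken from any real deployment.
SAMPLE_CONFIG = {"issuer": "https://idp.example", "client_id": "portal",
                 "scopes": ["openid", "profile"], "logout_url": "https://idp.example/logout"}
```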
