ganshik

Cross-domain authentication server — acc.grimdork.net

Authentication

Public (no API key required)

Method	Path	Auth	Description
POST	/auth/verify	none	Verify username + password + domain credentials. Does not create a token. Body: `{"username","password","domain"}`. Response: `{"valid":bool,"error":"..."}`
POST	/auth/admin/auth	none	Authenticate as an admin user. User must have an admin API key. Creates a 24h admin session token. Body: `{"username","password"}`. Response: `{"valid":bool,"token":"...","expires_at":"..."}`

Admin-key-gated (Authorization: Bearer <admin-key>)

Method	Path	Auth	Description
POST	/auth/admin/check	admin	Verify an admin session token. Body: `{"username","token"}`. Response: `{"valid":bool,"error":"..."}`
POST	/auth/admin/revoke	admin	Revoke an admin session token. Body: `{"username","token"}`. Response: `{"revoked":true}`

Domain-key-gated (Authorization: Bearer <domain-key>)

Admin keys are also accepted as wildcards on these endpoints (except /auth/domain/login).

Method	Path	Auth	Description
POST	/auth/domain/login	domain	Authenticate a user for the key's domain. Creates a 24h session token. Body: `{"username","password"}`. Response: `{"valid":bool,"token":"...","expires_at":"...","profile":{...}}`
POST	/auth/domain/check	domain / admin	Verify a domain session token. Admin key skips domain match. Body: `{"username","token"}`. Response: `{"valid":bool,"error":"..."}`
POST	/auth/domain/revoke	domain / admin	Revoke a domain session token. Admin key skips domain match. Body: `{"username","token"}`. Response: `{"revoked":true}`

User Management

Method	Path	Auth	Description
GET	/api/users	admin / domain	List all users
POST	/api/users	admin / domain	Create user. Domain-scoped key also creates a profile. Body: `{"username","password","full_name","address"}`
GET	/api/users/:id	admin	Get user details
PUT	/api/users/:id	admin	Update user. Body: `{"full_name","address"}`
DELETE	/api/users/:id	admin	Delete user and all associated data
POST	/api/users/:id/password	admin	Set or test password. Body: `{"password","test_only":bool}`

Domain Management

Method	Path	Auth	Description
GET	/api/domains	admin	List all domains
POST	/api/domains	admin	Create domain. Body: `{"name"}`
GET	/api/domains/:id	admin	Get domain details
PUT	/api/domains/:id	admin	Update domain. Body: `{"name"}`
DELETE	/api/domains/:id	admin	Delete domain and all associated profiles/keys
GET	/api/domains/:id/keys	admin	List API keys for a domain
POST	/api/domains/:id/keys	admin	Create domain API key. Body: `{"user_id":int}`

Profile Management

Method	Path	Auth	Description
GET	/api/profiles	admin / domain	List profiles. Domain-scoped sees only their domain. Query: `?domain=N`
POST	/api/profiles	admin	Create profile. Body: `{"user_id":int,"domain_id":int,"status":"..."}`
PUT	/api/profiles/:id	admin	Update profile status. Body: `{"status"}`
DELETE	/api/profiles/:id	admin / domain	Delete profile. Domain-scoped: only own domain.

API Key Management

Method	Path	Auth	Description
GET	/api/admin/keys	admin	List all admin API keys
POST	/api/admin/keys	admin	Create admin API key. Body: `{"user_id":int}`
DELETE	/api/admin/keys/:id	admin	Delete an admin API key

Session Token Management

Method	Path	Auth	Description
DELETE	/api/tokens/:id	admin	Revoke any session token by database ID

User Data

Method	Path	Auth	Description
GET	/api/userdata	admin / domain	Get user data. Query: `?user_id=N&domain_id=N`
PUT	/api/userdata	admin / domain	Upsert user data. Body: `{"user_id":int,"domain_id":int,"data":{...}}`