Auth & identity

End-user authentication as a service — users, sessions, JWT verification, OAuth and GDPR/CCPA consent — across Clerk / WorkOS / Supabase Auth behind one key.

Overview

Base path: https://api.infrai.cc/v1/auth
Auth header: Authorization: Bearer $INFRAI_API_KEY
bash
# Call any /v1/auth capability over raw HTTP — no SDK to install.
# curl:
curl https://api.infrai.cc/v1/auth/... \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json"

Methods

auth.user.create

POST /v1/auth/user/create

Create an auth user on a vendor (Clerk/WorkOS/Supabase Auth) and pin that vendor as the user's vendor of record (sticky-on-resource). Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| email | string | Required | User email address. |
| password | string | Optional | Optional initial password (vendor-dependent). |
| metadata | Record<string, unknown> | Optional | Arbitrary key/value metadata stored on the user. |
| vendor | string | Optional | Explicit vendor pin; required when mode=byok. |
| mode | "managed" \| "byok" | Optional | Provisioning mode — managed or byok. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

AuthUser { user_id, email, email_verified, created_at }

Example

One-time setup (every example assumes this is done):

bash
# No SDK to install — every call is a plain HTTPS request.
# Get a project key by signing in at the console: Google/GitHub gives you
# $2 free credit (email sign-in starts at $0). On 402 INSUFFICIENT_CREDIT,
# POST /v1/account/topup and open the returned checkout_url.
export INFRAI_API_KEY="ifr_pk_proj_..."

bash
curl -X POST https://api.infrai.cc/v1/auth/user/create \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"email": "..."}'

auth.user.get

GET /v1/auth/user/get/{user_id}

Fetch a single auth user by user_id from its pinned vendor.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |

Returns

AuthUser

Example

bash
curl -X GET https://api.infrai.cc/v1/auth/user/get/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY"

auth.user.get_by_email

GET /v1/auth/user/get_by_email

Look up an auth user by email address.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| email | string | Required | User email address. |

Returns

AuthUser

Example

bash
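# email is required; sent as a query parameter here (assumed for this GET endpoint).
curl -G https://api.infrai.cc/v1/auth/user/get_by_email \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  --data-urlencode "email=..."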

auth.user.list

GET /v1/auth/user/list

Cursor-paginated list of auth users for the account.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| cursor | string | Optional | Opaque pagination cursor. |
| limit | number | Optional | Maximum number of items to return. |

Returns

{ items: AuthUser[], next_cursor?: string }

Example

bash
curl -X GET https://api.infrai.cc/v1/auth/user/list \
  -H "Authorization: Bearer $INFRAI_API_KEY"

auth.user.update

PATCH /v1/auth/user/update/{user_id}

Update mutable fields (metadata, phone, MFA) of an existing auth user. Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |
| metadata | Record<string, unknown> | Optional | Arbitrary key/value metadata stored on the user. |
| email_verified | boolean | Optional | Mark the user email as verified. |
| mfa_enabled | boolean | Optional | Enable or disable MFA for the user. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

AuthUser

Example

bash
curl -X PATCH https://api.infrai.cc/v1/auth/user/update/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "..."}'

auth.user.delete

DELETE /v1/auth/user/delete/{user_id}

Delete an auth user and cascade-revoke its sessions. Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |

Returns

{ ok: boolean }

Example

bash
curl -X DELETE https://api.infrai.cc/v1/auth/user/delete/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY"

auth.session.create

POST /v1/auth/session/create

Mint an authenticated session for a user; routes to the user's pinned vendor. May return AUTH_MFA_REQUIRED. Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |
| method | string | Optional | Authentication method used for the session. |
| mfa_factor | string | Optional | MFA factor / code when require_mfa is set. |
| require_mfa | boolean | Optional | Require an MFA factor to issue the session. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

Session { session_id, access_token, refresh_token, expires_at }

Example

bash
curl -X POST https://api.infrai.cc/v1/auth/session/create \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "..."}'

auth.session.verify

GET /v1/auth/session/verify/{session_id}

Verify a session_id / JWT against the vendor JWKS (RS256+ES256) and return the Session.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | The session id. |

Returns

{ valid: boolean, user_id?, expires_at? }

Example

bash
curl -X GET https://api.infrai.cc/v1/auth/session/verify/SESSION_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY"
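
The RS256 half of the JWKS check that auth.session.verify is described as performing, written out as an added example (not infrai's or any vendor's code) so each check is visible: a verifier-side algorithm allow-list, key selection by kid, the PKCS#1 v1.5 signature comparison and expiry. The demo key, the kid "demo-1" and the claims are constructed for illustration; ES256 is not covered.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"RS256"}  # pinned by the verifier, never read from the token
# DER DigestInfo prefix for SHA-256 (RFC 8017, EMSA-PKCS1-v1_5).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa_pkcs1_v15(msg, k):
    """Pad SHA-256(msg) to k bytes exactly as an RS256 signer does."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_jwt(token, jwks, now=None):
    """Return the claims of a valid RS256 token; raise ValueError otherwise."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64u_dec(h64)), json.loads(b64u_dec(p64))
        sig = b64u_dec(s64)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise TypeError("header and payload must be JSON objects")
    except Exception:
        raise ValueError("malformed token") from None
    if header.get("alg") not in ALLOWED_ALGS:  # rejects "none", HS256, ...
        raise ValueError("algorithm not allowed")
    key = next((k for k in jwks["keys"] if k.get("kty") == "RSA"
                and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("bad signature")
    # Rebuild the expected padded block and compare it whole (no padding parsing).
    em = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed demo key (product of two Mersenne primes, trivially factorable)
# and token signer, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "n": b64u_enc(N.to_bytes(K, "big")),
                       "e": b64u_enc(E.to_bytes(3, "big"))}]}

def demo_token(header, claims):
    msg = b64u_enc(json.dumps(header).encode()) + "." + b64u_enc(json.dumps(claims).encode())
    s = pow(int.from_bytes(emsa_pkcs1_v15(msg.encode(), K), "big"), D, N)
    return msg + "." + b64u_enc(s.to_bytes(K, "big"))
```

The algorithm check runs before any key is touched, so a token that declares "none" or a symmetric algorithm is rejected without consulting the JWKS.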

auth.session.refresh

POST /v1/auth/session/refresh

Exchange a refresh token for a new session; enforces 5-min cooldown (AUTH_REFRESH_TOO_FREQUENT). Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| refresh_token | string | Required | A valid refresh token to exchange for a new session. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

Session

Example

bash
curl -X POST https://api.infrai.cc/v1/auth/session/refresh \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "..."}'
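
A client-side wrapper for the refresh call above, as an added example (not infrai's own code): it tracks the 5-minute cooldown locally so it does not spend calls that would return AUTH_REFRESH_TOO_FREQUENT, and it reuses one idempotency_key across retries of the same refresh. The `send` transport, the class name and the way the error code is found in the response JSON are assumptions; the page does not show the error format.

```python
import json, time, uuid

REFRESH_COOLDOWN_S = 5 * 60  # cooldown stated for auth.session.refresh

class SessionRefresher:
    """Keeps one Session fresh without tripping the refresh cooldown.

    `send(method, path, body)` is a hypothetical transport that returns the
    decoded JSON response and raises OSError on a network failure.
    """
    def __init__(self, session, send, clock=time.time, max_attempts=3):
        self.session, self.send, self.clock = session, send, clock
        self.max_attempts = max_attempts
        self.last_refresh = None  # local time of the last accepted refresh

    def cooldown_left(self):
        if self.last_refresh is None:
            return 0.0
        return max(0.0, self.last_refresh + REFRESH_COOLDOWN_S - self.clock())

    def refresh(self):
        """Return True if a new session was stored, False if skipped."""
        if self.cooldown_left() > 0:
            return False  # do not spend a call the server will reject
        # One key for every attempt of this logical refresh, so a retry after
        # a lost response is recognised as the same request.
        body = {"refresh_token": self.session["refresh_token"],
                "idempotency_key": str(uuid.uuid4())}
        for attempt in range(self.max_attempts):
            try:
                resp = self.send("POST", "/v1/auth/session/refresh", body)
            except OSError:
                if attempt == self.max_attempts - 1:
                    raise
                continue
            if isinstance(resp, dict) and "refresh_token" in resp:
                self.session, self.last_refresh = resp, self.clock()
                return True
            # Assumption: the error code appears somewhere in the error JSON.
            if "AUTH_REFRESH_TOO_FREQUENT" in json.dumps(resp):
                self.last_refresh = self.clock()  # resync the local cooldown
                return False
            raise RuntimeError("refresh rejected")
        return False
```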

auth.session.revoke

POST /v1/auth/session/revoke/{session_id}

Revoke a single session by session_id. Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| session_id | string | Required | The session id. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

{ ok: boolean }

Example

bash
curl -X POST https://api.infrai.cc/v1/auth/session/revoke/SESSION_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"session_id": "..."}'

auth.session.revoke_all_for_user

POST /v1/auth/session/revoke_all_for_user/{user_id}

Revoke all active sessions for a user (e.g. password reset / logout-everywhere). Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |
| except_session_id | string | Optional | Keep this session; revoke all others. |

Returns

{ revoked: number }

Example

bash
curl -X POST https://api.infrai.cc/v1/auth/session/revoke_all_for_user/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "..."}'

auth.session.list_for_user

GET /v1/auth/session/list_for_user/{user_id}

List active sessions for a given user.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |

Returns

{ items: Session[] }

Example

bash
curl -X GET https://api.infrai.cc/v1/auth/session/list_for_user/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY"

auth.consent.grant

POST /v1/auth/consent/grant/{user_id}

Record a GDPR/CCPA consent grant for a user/category. Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |
| category | string | Required | Consent category, e.g. marketing or analytics. |
| source | string | Optional | How the consent was captured. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

{ ok: boolean }

Example

bash
curl -X POST https://api.infrai.cc/v1/auth/consent/grant/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "...", "category": "marketing"}'

auth.consent.revoke

POST /v1/auth/consent/revoke/{user_id}

Revoke a previously granted consent for a user/category. Accepts idempotency_key.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |
| category | string | Required | Consent category, e.g. marketing or analytics. |
| idempotency_key | string | Optional | Client-supplied key to make the call idempotent. |

Returns

{ ok: boolean }

Example

bash
curl -X POST https://api.infrai.cc/v1/auth/consent/revoke/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"user_id": "...", "category": "marketing"}'

auth.consent.check

GET /v1/auth/consent/check/{user_id}/{category}

Check whether a user currently holds consent for a given category (boolean).

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |
| category | string | Required | Consent category, e.g. marketing or analytics. |

Returns

{ granted: boolean, source?, granted_at? }

Example

bash
curl -X GET https://api.infrai.cc/v1/auth/consent/check/USER_ID/CATEGORY \
  -H "Authorization: Bearer $INFRAI_API_KEY"

auth.consent.list_for_user

GET /v1/auth/consent/list_for_user/{user_id}

List all consent records for a user across GDPR categories.

Parameters

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| user_id | string | Required | The user id. |

Returns

{ items: Array<{ category, granted, source?, granted_at? }> }

Example

bash
curl -X GET https://api.infrai.cc/v1/auth/consent/list_for_user/USER_ID \
  -H "Authorization: Bearer $INFRAI_API_KEY"

Advanced: pin a vendor

By default infrai routes each call to the best available provider — you do not pick a vendor. As an escape hatch, this capability accepts an optional vendor parameter to pin one specific provider. Every live vendor for this capability is available in real time from the discovery endpoint for the capability id — see the discovery API.

GET /v1/discovery/{capability}

auth.user.create

All capabilities

Every routed capability in this module — the complete public REST contract. The methods above are the guided walkthrough; this index is the full reference.

| Capability | Endpoint | Description |
| --- | --- | --- |
| auth.consent.check | GET /v1/auth/consent/check/{user_id}/{category} | Check whether a user currently holds consent for a given category (boolean). |
| auth.consent.grant | POST /v1/auth/consent/grant/{user_id} | Record a GDPR/CCPA consent grant for a user/category. Accepts idempotency_key. |
| auth.consent.list_for_user | GET /v1/auth/consent/list_for_user/{user_id} | List all consent records for a user across GDPR categories. |
| auth.consent.revoke | POST /v1/auth/consent/revoke/{user_id} | Revoke a previously granted consent for a user/category. Accepts idempotency_key. |
| auth.session.create | POST /v1/auth/session/create | Mint an authenticated session for a user; routes to the user's pinned vendor. May return AUTH_MFA_REQUIRED. Accepts idempotency_key. |
| auth.session.list_for_user | GET /v1/auth/session/list_for_user/{user_id} | List active sessions for a given user. |
| auth.session.refresh | POST /v1/auth/session/refresh | Exchange a refresh token for a new session; enforces 5-min cooldown (AUTH_REFRESH_TOO_FREQUENT). Accepts idempotency_key. |
| auth.session.revoke | POST /v1/auth/session/revoke/{session_id} | Revoke a single session by session_id. Accepts idempotency_key. |
| auth.session.revoke_all_for_user | POST /v1/auth/session/revoke_all_for_user/{user_id} | Revoke all active sessions for a user (e.g. password reset / logout-everywhere). Accepts idempotency_key. |
| auth.session.verify | GET /v1/auth/session/verify/{session_id} | Verify a session_id / JWT against the vendor JWKS (RS256+ES256) and return the Session. |
| auth.user.create | POST /v1/auth/user/create | Create an auth user across a vendor (Clerk/WorkOS/Supabase Auth). Pins the vendor of record (sticky-on-resource). Accepts idempotency_key. |
| auth.user.delete | DELETE /v1/auth/user/delete/{user_id} | Delete an auth user and cascade-revoke its sessions. Accepts idempotency_key. |
| auth.user.get | GET /v1/auth/user/get/{user_id} | Fetch a single auth user by user_id from its pinned vendor. |
| auth.user.get_by_email | GET /v1/auth/user/get_by_email | Look up an auth user by email address. |
| auth.user.list | GET /v1/auth/user/list | Cursor-paginated list of auth users for the account. |
| auth.user.update | PATCH /v1/auth/user/update/{user_id} | Update mutable fields (metadata, phone, MFA) of an existing auth user. Accepts idempotency_key. |

End-to-end example

A production-style walkthrough of this module: configure once, then run the flow. It exercises most of the module's APIs.

A copy-paste-runnable single-file Python program (stdlib only, no SDK): set your INFRAI_API_KEY, run it, and walk this module's core flow with REAL billed calls — later steps reuse real fields returned by earlier ones. The 12-line helper is the entire integration.

python
#!/usr/bin/env python3
"""Infrai · auth — runnable real-app example (single file, zero deps).

Copy this file, set your key, run it: every step is a REAL call to
api.infrai.cc, billed at the real (tiny) per-call price, printing the
live JSON response. Get a key at https://console.infrai.cc (Google/
GitHub sign-in grants $2 free credit). No SDK — the 12-line helper
below is the entire integration."""
import json
import os
from urllib import error, parse, request

# Read the key from the environment; the literal is only a placeholder.
KEY = os.environ.get("INFRAI_API_KEY") or "ifr_pk_proj_..."  # <- your key
BASE = "https://api.infrai.cc"
EMAIL = "..."  # <- email address of the user to create and look up


# Same raw HTTPS POST/GET as every per-method example on this page —
# wrapped once for reuse. There is nothing else to it: no SDK.
def infrai(method, path, body=None):
    req = request.Request(
        BASE + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {KEY}",
                 "Content-Type": "application/json"})
    try:
        with request.urlopen(req, timeout=60) as r:
            return json.loads(r.read())
    except error.HTTPError as e:
        return json.loads(e.read())


def show(label, resp):
    # Print with session tokens redacted; return the response unchanged.
    shown = resp
    if isinstance(resp, dict):
        shown = {k: "<redacted>" if k in ("access_token", "refresh_token") else v
                 for k, v in resp.items()}
    print(f"\n== {label} ==")
    print(json.dumps(shown, indent=2, ensure_ascii=False))
    return resp


# 1) auth.user.create — POST /v1/auth/user/create · Create an auth user across
#    a vendor (Clerk/WorkOS/Supabase Auth). Pins the vendor of record
#    (sticky-on-resource). Accepts idempotency_key.
r1 = show("auth.user.create", infrai("POST", "/v1/auth/user/create", {"email": EMAIL}))
if "user_id" not in r1:
    raise SystemExit("auth.user.create did not return a user_id; stopping.")

# 2) auth.session.create — POST /v1/auth/session/create · Mint an authenticated
#    session for the user created in step 1 (reuses the returned user_id);
#    routes to the user's pinned vendor. May return AUTH_MFA_REQUIRED.
#    Accepts idempotency_key.
r2 = show("auth.session.create",
          infrai("POST", "/v1/auth/session/create", {"user_id": r1["user_id"]}))

# 3) auth.user.get_by_email — GET /v1/auth/user/get_by_email · Look up an auth
#    user by email address. Assumption: the required email is sent as a
#    query parameter.
r3 = show("auth.user.get_by_email",
          infrai("GET", "/v1/auth/user/get_by_email?" + parse.urlencode({"email": EMAIL})))