Validate an API key and resolve tenant
POST
/v1/auth/validate
Internal endpoint used by the runtime enforcement layer to validate keys and derive the effective tenant.

VALIDATION CHECKS:
1. Key exists in database
2. Key hash matches
3. Status is ACTIVE (not REVOKED or EXPIRED)
4. Current time < expires_at
5. Tenant is ACTIVE (not SUSPENDED or CLOSED)

RESPONSE:
- If valid: returns tenant_id, permissions, scope_filter
- If invalid: returns valid=false with reason

CACHING:
- Results should be cached with short TTL (60s)
- Invalidate cache on key revocation
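The five checks and the caching rule above, as an added sketch that is not this API's own code. Assumptions: keys are stored as SHA-256 hashes, `key_secret` has a hypothetical `<key_id>.<secret>` layout, the reason strings are made up, `expires_at` is epoch seconds, and in-memory dicts stand in for the database and cache.

```python
import hashlib, hmac, time

CACHE_TTL = 60  # seconds, the short TTL the page recommends

# Constructed sample records; a real deployment reads these from its database.
TENANTS = {"t1": "ACTIVE", "t2": "SUSPENDED"}
KEYS = {
    "k1": {"hash": hashlib.sha256(b"s3cret-one").hexdigest(), "status": "ACTIVE",
           "expires_at": 2_000_000_000, "tenant_id": "t1",
           "permissions": ["read"], "scope_filter": ["project:a"]},
    "k2": {"hash": hashlib.sha256(b"s3cret-two").hexdigest(), "status": "ACTIVE",
           "expires_at": 2_000_000_000, "tenant_id": "t2",
           "permissions": ["read"], "scope_filter": []},
}
_cache = {}  # sha256(key_secret) -> (cached_until, key_id, result)

def _check(key_secret, now):
    key_id, _, secret = key_secret.partition(".")  # assumed "<key_id>.<secret>" layout
    rec = KEYS.get(key_id)
    if rec is None:                                           # check 1
        return key_id, {"valid": False, "reason": "key_not_found"}
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["hash"]):          # check 2, constant time
        return key_id, {"valid": False, "reason": "hash_mismatch"}
    if rec["status"] != "ACTIVE":                             # check 3
        return key_id, {"valid": False, "reason": "key_" + rec["status"].lower()}
    if now >= rec["expires_at"]:                              # check 4
        return key_id, {"valid": False, "reason": "key_expired"}
    if TENANTS.get(rec["tenant_id"]) != "ACTIVE":             # check 5
        return key_id, {"valid": False, "reason": "tenant_not_active"}
    return key_id, {"valid": True, "tenant_id": rec["tenant_id"], "key_id": key_id,
                    "permissions": rec["permissions"], "scope_filter": rec["scope_filter"],
                    "expires_at": rec["expires_at"]}

def validate(key_secret, now=None):
    now = time.time() if now is None else now
    slot = hashlib.sha256(key_secret.encode()).hexdigest()  # never cache the raw secret
    hit = _cache.get(slot)
    if hit and now < hit[0]:
        return hit[2]
    key_id, result = _check(key_secret, now)
    # A cached "valid" must not outlive the key's own expires_at.
    until = min(now + CACHE_TTL, result.get("expires_at", now + CACHE_TTL))
    _cache[slot] = (until, key_id, result)
    return result

def revoke(key_id):
    KEYS[key_id]["status"] = "REVOKED"
    for slot in [s for s, v in _cache.items() if v[1] == key_id]:
        del _cache[slot]  # invalidate on revocation, as the page requires
```

An in-process dict only covers one instance; with several enforcement nodes, the revocation has to reach every node's cache.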
Authorizations
AdminKeyAuth
Administrative API key with full system access
Type
API Key (header: X-Admin-API-Key)
Request Body
application/json
JSON
{
  "key_secret": "string"
}
Responses
Validation result
application/json
JSON
{
  "valid": true,
  "tenant_id": "string",
  "key_id": "string",
  "permissions": [
    "string"
  ],
  "scope_filter": [
    "string"
  ],
  "expires_at": "string",
  "reason": "string"
}
