@@ -307,6 +307,110 @@ paths:
307307 " 401 "
308308 $ref : " #/components/responses/Unauthorized"
309309
310+ # CLI Authorization (PKCE flow)
311+ /v1/auth/cli/authorize :
312+ post :
313+ tags : [Authentication]
314+ summary : Authorize CLI access
315+ description : |
316+ Initiates CLI authorization using OAuth 2.0 Authorization Code flow with PKCE.
317+
318+ This endpoint is called from a browser where the user has an active web session.
319+ It generates an authorization code that the CLI can exchange for a session token.
320+
321+ ## Flow
322+ 1. CLI generates `code_verifier` (random string) and `code_challenge` (SHA256 hash)
323+ 2. CLI opens browser to this endpoint with `code_challenge`
324+ 3. User logs in (if not already) via web session
325+ 4. This endpoint generates authorization code bound to PKCE challenge
326+ 5. Browser redirects back to CLI with code
327+ 6. CLI calls `/v1/auth/cli/token` with code and `code_verifier`
328+ operationId : cliAuthorize
329+ security :
330+ - SessionCookie : []
331+ requestBody :
332+ required : true
333+ content :
334+ application/json :
335+ schema :
336+ type : object
337+ required : [code_challenge, code_challenge_method]
338+ properties :
339+ code_challenge :
340+ type : string
341+ description : PKCE code challenge (base64url-encoded SHA256 of code_verifier)
342+ example : E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM
343+ code_challenge_method :
344+ type : string
345+ enum : [S256]
346+ description : PKCE code challenge method (must be S256)
347+ example : S256
348+ responses :
349+ " 200 "
350+ description : Authorization code generated
351+ content :
352+ application/json :
353+ schema :
354+ type : object
355+ required : [code, expires_in]
356+ properties :
357+ code :
358+ type : string
359+ description : Authorization code to exchange for session token
360+ expires_in :
361+ type : integer
362+ description : Code expiry time in seconds (typically 60)
363+ example : 60
364+ " 400 "
365+ description : Invalid code_challenge_method (must be S256)
366+ " 401 "
367+ $ref : " #/components/responses/Unauthorized"
368+
369+ /v1/auth/cli/token :
370+ post :
371+ tags : [Authentication]
372+ summary : Exchange CLI authorization code
373+ description : |
374+ Exchange authorization code for CLI session token.
375+
376+ The authorization code is single-use and will be invalidated after this call.
377+ PKCE verification ensures the same party that requested the code is exchanging it.
378+ operationId : cliTokenExchange
379+ requestBody :
380+ required : true
381+ content :
382+ application/json :
383+ schema :
384+ type : object
385+ required : [code, code_verifier]
386+ properties :
387+ code :
388+ type : string
389+ description : Authorization code from /v1/auth/cli/authorize
390+ code_verifier :
391+ type : string
392+ description : PKCE code verifier (original random string)
393+ minLength : 43
394+ maxLength : 128
395+ responses :
396+ " 200 "
397+ description : CLI session token issued
398+ content :
399+ application/json :
400+ schema :
401+ type : object
402+ required : [session_token, expires_in]
403+ properties :
404+ session_token :
405+ type : string
406+ description : CLI session token (session ID as string)
407+ expires_in :
408+ type : integer
409+ description : Session expiry time in seconds (7 days)
410+ example : 604800
411+ " 401 "
412+ description : Invalid or expired authorization code, or PKCE verification failed
413+
310414 # User Endpoints
311415 /v1/users/me :
312416 get :
@@ -612,6 +716,66 @@ paths:
612716 " 403 "
613717 $ref : " #/components/responses/Forbidden"
614718
719+ /v1/organizations/{org}/suspend :
720+ post :
721+ tags : [Organizations]
722+ summary : Suspend organization
723+ description : |
724+ Suspend an organization, blocking all API access for that organization.
725+ Requires owner role.
726+ operationId : suspendOrganization
727+ security :
728+ - SessionCookie : []
729+ parameters :
730+ - $ref : " #/components/parameters/OrgId"
731+ responses :
732+ " 200 "
733+ description : Organization suspended
734+ content :
735+ application/json :
736+ schema :
737+ type : object
738+ properties :
739+ message :
740+ type : string
741+ example : Organization suspended successfully
742+ " 400 "
743+ description : Organization is already suspended
744+ " 403 "
745+ $ref : " #/components/responses/Forbidden"
746+ " 404 "
747+ $ref : " #/components/responses/NotFound"
748+
749+ /v1/organizations/{org}/resume :
750+ post :
751+ tags : [Organizations]
752+ summary : Resume organization
753+ description : |
754+ Resume a suspended organization, restoring API access.
755+ Requires owner role.
756+ operationId : resumeOrganization
757+ security :
758+ - SessionCookie : []
759+ parameters :
760+ - $ref : " #/components/parameters/OrgId"
761+ responses :
762+ " 200 "
763+ description : Organization resumed
764+ content :
765+ application/json :
766+ schema :
767+ type : object
768+ properties :
769+ message :
770+ type : string
771+ example : Organization resumed successfully
772+ " 400 "
773+ description : Organization is not suspended
774+ " 403 "
775+ $ref : " #/components/responses/Forbidden"
776+ " 404 "
777+ $ref : " #/components/responses/NotFound"
778+
615779 # Organization Members
616780 /v1/organizations/{org}/members :
617781 get :
@@ -1797,6 +1961,98 @@ paths:
17971961 " 200 "
17981962 description : Member removed
17991963
1964+ # Team Permissions
1965+ /v1/organizations/{org}/teams/{team}/permissions :
1966+ get :
1967+ tags : [Teams]
1968+ summary : List team permissions
1969+ description : List all permissions granted to a team
1970+ operationId : listTeamPermissions
1971+ security :
1972+ - SessionCookie : []
1973+ parameters :
1974+ - $ref : " #/components/parameters/OrgId"
1975+ - $ref : " #/components/parameters/TeamId"
1976+ responses :
1977+ " 200 "
1978+ description : Permission list
1979+ content :
1980+ application/json :
1981+ schema :
1982+ type : object
1983+ properties :
1984+ permissions :
1985+ type : array
1986+ items :
1987+ $ref : " #/components/schemas/TeamPermission"
1988+ " 403 "
1989+ description : Only team members or organization admins can view team permissions
1990+
1991+ post :
1992+ tags : [Teams]
1993+ summary : Grant team permission
1994+ description : Grant an organization permission to a team (requires owner role)
1995+ operationId : grantTeamPermission
1996+ security :
1997+ - SessionCookie : []
1998+ parameters :
1999+ - $ref : " #/components/parameters/OrgId"
2000+ - $ref : " #/components/parameters/TeamId"
2001+ requestBody :
2002+ required : true
2003+ content :
2004+ application/json :
2005+ schema :
2006+ type : object
2007+ required : [permission]
2008+ properties :
2009+ permission :
2010+ $ref : " #/components/schemas/OrganizationPermission"
2011+ responses :
2012+ " 201 "
2013+ description : Permission granted
2014+ content :
2015+ application/json :
2016+ schema :
2017+ type : object
2018+ properties :
2019+ permission :
2020+ $ref : " #/components/schemas/TeamPermission"
2021+ " 403 "
2022+ $ref : " #/components/responses/Forbidden"
2023+
2024+ /v1/organizations/{org}/teams/{team}/permissions/{permission} :
2025+ delete :
2026+ tags : [Teams]
2027+ summary : Revoke team permission
2028+ description : Revoke a permission from a team (requires owner role)
2029+ operationId : revokeTeamPermission
2030+ security :
2031+ - SessionCookie : []
2032+ parameters :
2033+ - $ref : " #/components/parameters/OrgId"
2034+ - $ref : " #/components/parameters/TeamId"
2035+ - name : permission
2036+ in : path
2037+ required : true
2038+ schema :
2039+ type : string
2040+ format : snowflake
2041+ description : Permission ID (Snowflake ID)
2042+ responses :
2043+ " 200 "
2044+ description : Permission revoked
2045+ content :
2046+ application/json :
2047+ schema :
2048+ type : object
2049+ properties :
2050+ message :
2051+ type : string
2052+ example : Team permission revoked successfully
2053+ " 403 "
2054+ $ref : " #/components/responses/Forbidden"
2055+
18002056 # Session Management
18012057 /v1/users/sessions :
18022058 get :
@@ -2541,6 +2797,52 @@ components:
25412797 - maintainer: Can manage team members and permissions
25422798 - member: Regular team member
25432799
2800+ OrganizationPermission :
2801+ type : string
2802+ enum :
2803+ - OrgPermClientCreate
2804+ - OrgPermClientRead
2805+ - OrgPermClientRevoke
2806+ - OrgPermClientDelete
2807+ - OrgPermClientManage
2808+ - OrgPermVaultCreate
2809+ - OrgPermVaultRead
2810+ - OrgPermVaultDelete
2811+ description : |
2812+ Organization-level permissions that can be granted to teams:
2813+
2814+ **Client Permissions:**
2815+ - `OrgPermClientCreate`: Create new clients
2816+ - `OrgPermClientRead`: Read client information
2817+ - `OrgPermClientRevoke`: Revoke client certificates
2818+ - `OrgPermClientDelete`: Delete clients
2819+ - `OrgPermClientManage`: All client permissions (composite)
2820+
2821+ **Vault Permissions:**
2822+ - `OrgPermVaultCreate`: Create new vaults
2823+ - `OrgPermVaultRead`: Read vault information
2824+ - `OrgPermVaultDelete`: Delete vaults
2825+
2826+ TeamPermission :
2827+ type : object
2828+ required : [id, team_id, permission, granted_at, granted_by_user_id]
2829+ properties :
2830+ id :
2831+ type : string
2832+ format : snowflake
2833+ team_id :
2834+ type : string
2835+ format : snowflake
2836+ permission :
2837+ $ref : " #/components/schemas/OrganizationPermission"
2838+ granted_at :
2839+ type : string
2840+ format : date-time
2841+ granted_by_user_id :
2842+ type : string
2843+ format : snowflake
2844+ description : User ID of the person who granted this permission
2845+
25442846 TeamMember :
25452847 type : object
25462848 required : [id, team_id, user_id, role, created_at]
0 commit comments