search

Auth

hashtag
Login

get

Initiate Google OAuth login flow

Args: redirect_uri: Frontend callback URL team_id: Optional team context to include in JWT (will be validated)

Returns: Redirect to Google OAuth consent screen

Query parameters
redirect_uriany ofOptional
stringOptional
or
nullOptional
team_idany ofOptional

Requested team context for JWT

stringOptional
or
nullOptional
Responses
chevron-right
200

Successful Response

application/json
anyOptional
get
/v1/auth/login
No content

hashtag
Callback

post

Handle OAuth callback and exchange code for JWT token

Args: request: Authorization code from Google plus optional state

Returns: JWT token and user context

Body
codestringRequired
stateany ofOptional
stringOptional
or
nullOptional
redirect_uristringRequired
Responses
chevron-right
200

Successful Response

application/json
tokenstringRequired
post
/v1/auth/callback

hashtag
Callback Preflight

options
Responses
chevron-right
200

Successful Response

application/json
anyOptional
options
/v1/auth/callback
200

Successful Response

No content

hashtag
Get Me

get

Get current user context with org/team/project names and profile info.

Performance optimized: All data is embedded in JWT during login. No database queries are made - this endpoint is lightning fast.

Returns: Current user context with roles, permissions, display names, and profile picture

Header parameters
authorizationany ofOptional
stringOptional
or
nullOptional
X-Atlas-API-Keyany ofOptional
stringOptional
or
nullOptional
Responses
chevron-right
200

Successful Response

application/json

User context with multi-tenant information.

This is embedded in JWT claims and used for authorization.

user_idstringRequired
user_emailstringRequired
user_namestringRequired
org_idstringRequired
team_idstringRequired
project_idany ofOptional
stringOptional
or
nullOptional
org_nameany ofOptional
stringOptional
or
nullOptional
team_nameany ofOptional
stringOptional
or
nullOptional
project_nameany ofOptional
stringOptional
or
nullOptional
user_pictureany ofOptional
stringOptional
or
nullOptional
given_nameany ofOptional
stringOptional
or
nullOptional
family_nameany ofOptional
stringOptional
or
nullOptional
localeany ofOptional
stringOptional
or
nullOptional
email_verifiedbooleanOptionalDefault: false
global_rolestringOptionalDefault: member
team_roleany ofOptional
stringOptional
or
nullOptional
project_roleany ofOptional
stringOptional
or
nullOptional
permissionsstring[]Optional
mfa_verifiedbooleanOptionalDefault: false
device_trustedbooleanOptionalDefault: false
get
/v1/auth/me

hashtag
Switch Context

post

Switch team/project context

DISABLED FOR MULTI-DOMAIN ARCHITECTURE

In a multi-domain setup, each team has its own domain (e.g., team-a.example.com, team-b.example.com). Users should access the team's specific domain directly rather than switching contexts.

To access a different team:

  1. Logout from current domain

  2. Navigate to the target team's domain

  3. Login with that team's context

Args: request: New team_id and/or project_id

Returns: Error indicating team switching is not supported

Header parameters
authorizationany ofOptional
stringOptional
or
nullOptional
X-Atlas-API-Keyany ofOptional
stringOptional
or
nullOptional
Body
team_idany ofOptional
stringOptional
or
nullOptional
project_idany ofOptional
stringOptional
or
nullOptional
Responses
chevron-right
200

Successful Response

application/json

User context with multi-tenant information.

This is embedded in JWT claims and used for authorization.

user_idstringRequired
user_emailstringRequired
user_namestringRequired
org_idstringRequired
team_idstringRequired
project_idany ofOptional
stringOptional
or
nullOptional
org_nameany ofOptional
stringOptional
or
nullOptional
team_nameany ofOptional
stringOptional
or
nullOptional
project_nameany ofOptional
stringOptional
or
nullOptional
user_pictureany ofOptional
stringOptional
or
nullOptional
given_nameany ofOptional
stringOptional
or
nullOptional
family_nameany ofOptional
stringOptional
or
nullOptional
localeany ofOptional
stringOptional
or
nullOptional
email_verifiedbooleanOptionalDefault: false
global_rolestringOptionalDefault: member
team_roleany ofOptional
stringOptional
or
nullOptional
project_roleany ofOptional
stringOptional
or
nullOptional
permissionsstring[]Optional
mfa_verifiedbooleanOptionalDefault: false
device_trustedbooleanOptionalDefault: false
post
/v1/auth/switch-context

hashtag
Refresh Token

post

Refresh access token using refresh token

Args: request: Refresh token

Returns: New access token

Body
refresh_tokenstringRequired
Responses
chevron-right
200

Successful Response

application/json
access_tokenstringRequired
post
/v1/auth/refresh

hashtag
Logout

post

Logout user

Logs logout event for audit trail. In the future, this endpoint can be extended to:

  • Invalidate tokens (token blacklist)

  • Clear server-side sessions

  • Log security events

Args: current_user: Current authenticated user from JWT token

Returns: Success message

Header parameters
authorizationany ofOptional
stringOptional
or
nullOptional
X-Atlas-API-Keyany ofOptional
stringOptional
or
nullOptional
Responses
chevron-right
200

Successful Response

application/json
anyOptional
post
/v1/auth/logout
No content

hashtag
Sso Login Page

get

SSO Login Page - Opens in popup, handles entire OAuth flow.

This endpoint renders a login page that:

  1. Shows "Sign in with Google" button

  2. Redirects to Google OAuth

  3. On success, sends token via postMessage to opener window

  4. Closes popup automatically

Usage (Consumer UI):

// Open SSO popup
const popup = window.open(
    'https://auth-guard.run.app/v1/auth/sso?origin=' + encodeURIComponent(window.location.origin),
    'Atlas SSO',
    'width=500,height=600'
);

// Listen for auth result
window.addEventListener('message', (event) => {
    if (event.data.type === 'ATLAS_AUTH_SUCCESS') {
        const { token, user } = event.data;
        localStorage.setItem('auth_token', token);
        // User is logged in!
    }
});

Args: origin: Consumer app origin (e.g., https://myapp.turing.com) team_id: Optional team ID for team-specific login

Returns: HTML login page

Query parameters
originstringRequired

Origin URL of the consumer app (for postMessage)

team_idany ofOptional

Optional team ID for team-specific login

stringOptional
or
nullOptional
project_idany ofOptional

Optional project ID for project-specific login (requires team_id)

stringOptional
or
nullOptional
Responses
chevron-right
200

Successful Response

text/html
stringOptional
get
/v1/auth/sso

hashtag
Sso Callback

get

SSO Callback - Internal endpoint for OAuth callback.

This endpoint:

  1. Exchanges authorization code for tokens

  2. Creates/updates user in database

  3. Generates JWT

  4. Returns HTML that sends postMessage to opener window

This is called by Google OAuth redirect, not by consumer apps directly.

Query parameters
codestringRequired
statestringRequired
Responses
chevron-right
200

Successful Response

text/html
stringOptional
get
/v1/auth/sso/callback
Previous🔗 HeadersNextUsers

Last updated