List the API key scope vocabulary.
Returns every scope a key can carry (with its resource / action / intent breakdown) plus the named presets the mint endpoint accepts. Powers the dashboard mint flow and the CLI's `fruxon api-key-scopes list` command — clients shouldn't hardcode the vocabulary because that drifts the moment a new scope ships. No scope required: this is metadata anyone who can authenticate must be able to read (you can't mint a scoped key without knowing what scopes exist).
Authorization
Bearer: JWT Authorization header using the Bearer scheme. Enter 'Bearer' [space] and then your token.
In: header
Path Parameters
The tenant identifier
Response Body
```bash
curl -X GET "https://api.fruxon.com/v1/tenants/string/tokens/scopes"
```

```json
{
  "scopes": [
    {
      "id": "string",
      "resource": "string",
      "action": "string",
      "intent": "string",
      "label": "string",
      "helper": "string"
    }
  ],
  "resources": [
    {
      "id": "string",
      "label": "string",
      "description": "string",
      "summaryTemplate": "string"
    }
  ],
  "presets": [
    {
      "id": "string",
      "label": "string",
      "tagline": "string",
      "description": "string",
      "intent": "string",
      "scopes": [
        "string"
      ]
    }
  ]
}
```

```json
{
  "type": "string",
  "title": "string",
  "status": 0,
  "detail": "string",
  "instance": "string",
  "property1": null,
  "property2": null
}
```

```json
{
  "type": "string",
  "title": "string",
  "status": 0,
  "detail": "string",
  "instance": "string",
  "property1": null,
  "property2": null
}
```

Rotate an API key
Mints a replacement key that inherits the original's scopes, name, and type by default, then revokes the original. Pass optional overrides in the request body to narrow / widen scopes, rename the key, or change its lifetime in the same call — fields you omit inherit from the original. The full key secret of the new key is only returned once in this response — store it securely and update wherever the old key was wired.
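An added example (not Fruxon's own code): checking a requested scope set against the fetched vocabulary instead of a hardcoded list, then working out which scopes a rotation should drop to match a preset. The vocabulary is a constructed sample in the documented response shape; every scope id, preset id and intent value in it, and the `resolve_scopes` / `narrowing_plan` helpers, are assumptions.

```python
# Constructed sample in the documented response shape. Every id and intent
# value here is invented for illustration, not Fruxon's real vocabulary.
SAMPLE_VOCAB = {
    "scopes": [
        {"id": "agents:read", "resource": "agents", "action": "read", "intent": "read"},
        {"id": "agents:write", "resource": "agents", "action": "write", "intent": "write"},
        {"id": "tokens:read", "resource": "tokens", "action": "read", "intent": "read"},
    ],
    "resources": [],
    "presets": [
        {"id": "read-only", "intent": "read", "scopes": ["agents:read", "tokens:read"]},
        # Stale preset: references a scope the vocabulary does not list.
        {"id": "legacy", "intent": "write", "scopes": ["agents:write", "runs:write"]},
    ],
}


class ScopeError(ValueError):
    """A requested scope or preset is not in the fetched vocabulary."""


def resolve_scopes(vocab, preset_id=None, extra=()):
    """Expand a preset plus explicit scope ids, rejecting anything unknown."""
    known = {s["id"] for s in vocab.get("scopes", [])}
    presets = {p["id"]: p for p in vocab.get("presets", [])}
    wanted = set(extra)
    if preset_id is not None:
        if preset_id not in presets:
            raise ScopeError(f"unknown preset: {preset_id}")
        wanted |= set(presets[preset_id].get("scopes", []))
    unknown = sorted(wanted - known)
    if unknown:
        # Fail closed: never send a scope id the server did not advertise.
        raise ScopeError(f"scopes not in vocabulary: {unknown}")
    return sorted(wanted)


def narrowing_plan(vocab, current, preset_id):
    """Compare a key's current scopes with a target preset before rotating.

    Returns (keep, drop, missing): scopes to carry over, scopes the rotation
    should remove, and scopes the preset needs that the key lacks today.
    """
    target = set(resolve_scopes(vocab, preset_id))
    current = set(current)
    return sorted(current & target), sorted(current - target), sorted(target - current)
```

A non-empty `drop` list is the set of scopes to remove through the rotation's scope override, so the replacement key carries only what the target preset grants.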
Verify that the calling credential is valid for this tenant.
Returns a diagnostic snapshot — auth scheme, tenant, user, API key name, granted scopes, and API-key expiry — so a client (e.g. `fruxon doctor`) can distinguish a working key from the various failure modes without touching a real resource:

- **401** — credential is missing or invalid.
- **403** — credential is valid but not bound to this tenant.
- **200** — credential is good; inspect the body for scopes / upcoming expiry.

Side-effect-free and excluded from rate limiting so the doctor command can run freely.