LynceaAPI

Refresh session

Reads the refresh token from the HTTP-only cookie. The active tenant is taken from the persisted refresh-token row (audit F-002 / ASVS V3.5.1); the `X-Tenant-Id` header is consulted only as a defence-in-depth equality check. Switching tenants is the job of the `/auth/switch-tenant` endpoint. When replay detection triggers, the client cookie is cleared.

POST /api/v1/auth/refresh

curl -X POST "https://api.monitoring.crahe-arthur.com/api/v1/auth/refresh"

Response Body

application/json

{
  "accessToken": "eyJhbGciOi...",
  "user": {
    "id": "018f7b9a-57dd-4748-9e13-6e3e3e5b9eaf",
    "email": "admin@acme.example",
    "fullName": "Arthur Crahé"
  },
  "tenant": {
    "id": "018f7b9a-6f8d-4c1d-8d72-1bbecdadc101",
    "slug": "acme-monitoring",
    "orgRole": "owner"
  }
}
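
The tenant binding and replay handling described above, as an added Python sketch that is not LynceaAPI's own code. Assumptions: the in-memory `store`, the `Row`/`Result` types, SHA-256 token hashing, revoking the whole rotation family on replay, and the 401/403 status codes are all hypothetical.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass
class Row:                       # hypothetical persisted refresh-token row
    user_id: str
    tenant_id: str               # tenant the session is bound to
    family: str                  # rotation chain this token belongs to
    used: bool = False           # set once the token has been rotated

@dataclass
class Result:                    # hypothetical handler outcome
    status: int
    tenant_id: Optional[str] = None
    new_cookie: Optional[str] = None
    clear_cookie: bool = False

def _digest(token: str) -> str:
    # Only a hash of the token is stored, never the token itself (assumption).
    return hashlib.sha256(token.encode()).hexdigest()

def issue(store: dict, user_id: str, tenant_id: str,
          family: Optional[str] = None) -> str:
    token = secrets.token_urlsafe(32)
    store[_digest(token)] = Row(user_id, tenant_id,
                                family or secrets.token_hex(8))
    return token

def refresh(store: dict, cookie_token: Optional[str],
            header_tenant: Optional[str] = None) -> Result:
    row = store.get(_digest(cookie_token)) if cookie_token else None
    if row is None:
        return Result(401)
    if row.used:
        # Replay of an already-rotated token: revoke the family and
        # tell the client to drop its cookie.
        for key in [k for k, r in store.items() if r.family == row.family]:
            del store[key]
        return Result(401, clear_cookie=True)
    # X-Tenant-Id never selects the tenant; it may only agree with the row.
    if header_tenant is not None and header_tenant != row.tenant_id:
        return Result(403)
    row.used = True
    new_token = issue(store, row.user_id, row.tenant_id, row.family)
    return Result(200, tenant_id=row.tenant_id, new_cookie=new_token)
```
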