# Documentation

- [Vue d'ensemble](/fr/docs): Plateforme SaaS multi-tenant pour collecter et stocker les logs de vos services en production.
- [Premiers pas](/fr/docs/getting-started): Créer un projet, générer une clé d'API et envoyer un premier log en moins de cinq minutes.
- [Référence ingestion](/fr/docs/ingestion): Format du payload OTLP/JSON, codes d'erreur HTTP, comportement de retry attendu et limites de l'endpoint POST /v1/logs.
- [Environnements de projet](/fr/docs/environments): Configurez les environnements de déploiement acceptés par votre projet et comprenez comment Lyncea route chaque log vers le bon.
- [Plans](/fr/docs/plans): Quotas, rétention et capacité d'ingestion pour chaque plan Lyncea, et comment basculer de l'un à l'autre.
- API
  - Authentication
    - [Register tenant](/fr/docs/api/authentication/AuthController_register): Creates the user and an owner-scoped tenant in a single transaction. The tenant display name mirrors `fullName`; the URL slug is derived from it server-side and a random suffix is appended on collision (the user never picks one). Owners can rename the tenant later from the settings.
    - [Login](/fr/docs/api/authentication/AuthController_login): Valid credentials return a tenant-scoped access token and
rotate the refresh-token cookie. When `tenantId` is omitted, the
service selects the user's most recent membership.
    - [Refresh session](/fr/docs/api/authentication/AuthController_refresh): Reads the refresh token from the HTTP-only cookie. The
active tenant is taken from the persisted refresh-token row (audit
F-002 / ASVS V3.5.1) — the `X-Tenant-Id` header is consulted only
as a defence-in-depth equality check; switching tenants is the
`/auth/switch-tenant` endpoint's job. Replay detection clears the
client cookie.
    - [Logout](/fr/docs/api/authentication/AuthController_logout)
    - [Get current user](/fr/docs/api/authentication/AuthController_me): Reads `users` on every call so that an email change is
reflected without forcing a session refresh. The handler is
intentionally tenant-agnostic — `users` is global per ADR 0008.
    - [Update profile](/fr/docs/api/authentication/AuthController_updateMe): Only `fullName` is editable here. Email and password live on
dedicated flows (separate audit and rate-limit concerns).
    - [List my tenants](/fr/docs/api/authentication/AuthController_meTenants): Returns the tenants the authenticated user can switch to,
including the role held in each tenant.
    - [Switch tenant](/fr/docs/api/authentication/AuthController_switchTenant): Verifies the user belongs to the target tenant, then
issues a new tenant-scoped access token and refresh cookie.
  - Tenants
    - [Get current tenant](/fr/docs/api/tenants/TenantMeController_me): Returns the tenant metadata, the caller's tenant role, and
the retention cap derived from the current plan.
  - Projects
    - [List projects](/fr/docs/api/projects/ProjectsController_list): Returns every project visible to the authenticated tenant
member. Tenant scope is taken from the JWT context, never from the
request body or query string.
    - [Create project](/fr/docs/api/projects/ProjectsController_create): Requires an owner or admin tenant role. The requested
retention is checked against the active tenant plan by the service.
    - [Get my project role](/fr/docs/api/projects/ProjectsController_myRole): Resolves the role with the same `org→admin` derivation as
`RolesGuard`. Returns `{ role: null }` when the user is neither a
project member nor an org owner/admin. Cross-tenant probes return
404 (existence-leak prevention).
    - [Get project](/fr/docs/api/projects/ProjectsController_findOne): Returns 404 when the project does not exist in the active
tenant, including cross-tenant ids.
    - [Update project](/fr/docs/api/projects/ProjectsController_update): Requires project admin access. Only mutable project
settings can be changed; the tenant scope remains derived from the
authenticated request context.
  - API Keys
    - [List API keys](/fr/docs/api/api-keys/ApiKeysController_list): Returns key metadata only. Plaintext secrets and digests
are never exposed after creation.
    - [Create API key](/fr/docs/api/api-keys/ApiKeysController_create): Requires project admin access. The plaintext API key is
returned exactly once in this response and is not stored by the API.
    - [Revoke API key](/fr/docs/api/api-keys/ApiKeysController_revoke): Requires project admin access. Cache deletion failures
surface as 503 so callers retry instead of assuming the key is no
longer usable.
  - Tenant Members
    - [List members](/fr/docs/api/tenant-members/MembershipsController_list)
    - [Invite member](/fr/docs/api/tenant-members/MembershipsController_invite)
    - [Update member role](/fr/docs/api/tenant-members/MembershipsController_updateRole)
    - [Remove member](/fr/docs/api/tenant-members/MembershipsController_remove)
    - [List invitations](/fr/docs/api/tenant-members/MembershipsController_listInvitations)
    - [Revoke invitation](/fr/docs/api/tenant-members/MembershipsController_revokeInvitation)
  - Project Members
    - [List members](/fr/docs/api/project-members/ProjectMembersController_list)
    - [Add member](/fr/docs/api/project-members/ProjectMembersController_add)
    - [Update member role](/fr/docs/api/project-members/ProjectMembersController_updateRole)
    - [Remove member](/fr/docs/api/project-members/ProjectMembersController_remove)
  - Invitations
    - [List my invitations](/fr/docs/api/invitations/MyInvitationsController_list)
    - [Accept invitation](/fr/docs/api/invitations/MyInvitationsController_accept)
    - [Decline invitation](/fr/docs/api/invitations/MyInvitationsController_decline)
  - Ingestion
    - [Send logs](/fr/docs/api/ingestion/IngestionController_ingest): OpenTelemetry Protocol (OTLP) over HTTP — logs signal. Path follows the
OTLP/HTTP spec literally (`/v1/logs`, no `/api/` prefix).

**Authentication** : pass an API key with scope `write:logs` as
`Authorization: Bearer lyn_live_xxx` (or `lyn_test_xxx`). API keys are
created via `POST /api/v1/projects/{projectId}/api-keys`.

**Body** : OTLP `ExportLogsServiceRequest` payload. Both `application/x-protobuf`
(default for OTel SDKs and the OTel Collector) and `application/json` are
accepted. `Content-Encoding: gzip` and `deflate` are decoded transparently.

**Limits** : raw body 4 MiB ; decompressed body 16 MiB. Per-API-key and
per-tenant token-bucket rate limit applied (see plan EPS quota).

**v1 contract** : full-success only — the API never reports per-record
rejects. Any record that fails normalization downstream goes to the DLQ
asynchronously (Kafka `logs.dlq`).
  - Logs
    - [List logs (paginated + filterable)](/fr/docs/api/logs/LogsController_list)
    - [Get a single log by id](/fr/docs/api/logs/LogsController_getOne)
    - [Live tail logs (SSE)](/fr/docs/api/logs/LogsStreamController_stream)
  - Dashboard
    - [Dashboard summary (trailing 24h)](/fr/docs/api/dashboard/DashboardController_summary)

# Documentation

- [Overview](/en/docs): Multi-tenant SaaS platform to collect and store logs from your production services.
- [Getting started](/en/docs/getting-started): Create a project, mint an API key and send your first log in under five minutes.
- [Ingestion reference](/en/docs/ingestion): OTLP/JSON payload shape, HTTP error codes, expected client retry behaviour and limits for the POST /v1/logs endpoint.
- [Project environments](/en/docs/environments): Configure which deployment environments your project accepts and learn how Lyncea routes each log to the right one.
- [Plans](/en/docs/plans): Quotas, retention and ingestion capacity for each Lyncea plan, and how to move between them.
- API
  - Authentication
    - [Register tenant](/en/docs/api/authentication/AuthController_register): Creates the user and an owner-scoped tenant in a single transaction. The tenant display name mirrors `fullName`; the URL slug is derived from it server-side and a random suffix is appended on collision (the user never picks one). Owners can rename the tenant later from the settings.
    - [Login](/en/docs/api/authentication/AuthController_login): Valid credentials return a tenant-scoped access token and
rotate the refresh-token cookie. When `tenantId` is omitted, the
service selects the user's most recent membership.
    - [Refresh session](/en/docs/api/authentication/AuthController_refresh): Reads the refresh token from the HTTP-only cookie. The
active tenant is taken from the persisted refresh-token row (audit
F-002 / ASVS V3.5.1) — the `X-Tenant-Id` header is consulted only
as a defence-in-depth equality check; switching tenants is the
`/auth/switch-tenant` endpoint's job. Replay detection clears the
client cookie.
    - [Logout](/en/docs/api/authentication/AuthController_logout)
    - [Get current user](/en/docs/api/authentication/AuthController_me): Reads `users` on every call so that an email change is
reflected without forcing a session refresh. The handler is
intentionally tenant-agnostic — `users` is global per ADR 0008.
    - [Update profile](/en/docs/api/authentication/AuthController_updateMe): Only `fullName` is editable here. Email and password live on
dedicated flows (separate audit and rate-limit concerns).
    - [List my tenants](/en/docs/api/authentication/AuthController_meTenants): Returns the tenants the authenticated user can switch to,
including the role held in each tenant.
    - [Switch tenant](/en/docs/api/authentication/AuthController_switchTenant): Verifies the user belongs to the target tenant, then
issues a new tenant-scoped access token and refresh cookie.
  - Tenants
    - [Get current tenant](/en/docs/api/tenants/TenantMeController_me): Returns the tenant metadata, the caller's tenant role, and
the retention cap derived from the current plan.
  - Projects
    - [List projects](/en/docs/api/projects/ProjectsController_list): Returns every project visible to the authenticated tenant
member. Tenant scope is taken from the JWT context, never from the
request body or query string.
    - [Create project](/en/docs/api/projects/ProjectsController_create): Requires an owner or admin tenant role. The requested
retention is checked against the active tenant plan by the service.
    - [Get my project role](/en/docs/api/projects/ProjectsController_myRole): Resolves the role with the same `org→admin` derivation as
`RolesGuard`. Returns `{ role: null }` when the user is neither a
project member nor an org owner/admin. Cross-tenant probes return
404 (existence-leak prevention).
    - [Get project](/en/docs/api/projects/ProjectsController_findOne): Returns 404 when the project does not exist in the active
tenant, including cross-tenant ids.
    - [Update project](/en/docs/api/projects/ProjectsController_update): Requires project admin access. Only mutable project
settings can be changed; the tenant scope remains derived from the
authenticated request context.
  - API Keys
    - [List API keys](/en/docs/api/api-keys/ApiKeysController_list): Returns key metadata only. Plaintext secrets and digests
are never exposed after creation.
    - [Create API key](/en/docs/api/api-keys/ApiKeysController_create): Requires project admin access. The plaintext API key is
returned exactly once in this response and is not stored by the API.
    - [Revoke API key](/en/docs/api/api-keys/ApiKeysController_revoke): Requires project admin access. Cache deletion failures
surface as 503 so callers retry instead of assuming the key is no
longer usable.
  - Tenant Members
    - [List members](/en/docs/api/tenant-members/MembershipsController_list)
    - [Invite member](/en/docs/api/tenant-members/MembershipsController_invite)
    - [Update member role](/en/docs/api/tenant-members/MembershipsController_updateRole)
    - [Remove member](/en/docs/api/tenant-members/MembershipsController_remove)
    - [List invitations](/en/docs/api/tenant-members/MembershipsController_listInvitations)
    - [Revoke invitation](/en/docs/api/tenant-members/MembershipsController_revokeInvitation)
  - Project Members
    - [List members](/en/docs/api/project-members/ProjectMembersController_list)
    - [Add member](/en/docs/api/project-members/ProjectMembersController_add)
    - [Update member role](/en/docs/api/project-members/ProjectMembersController_updateRole)
    - [Remove member](/en/docs/api/project-members/ProjectMembersController_remove)
  - Invitations
    - [List my invitations](/en/docs/api/invitations/MyInvitationsController_list)
    - [Accept invitation](/en/docs/api/invitations/MyInvitationsController_accept)
    - [Decline invitation](/en/docs/api/invitations/MyInvitationsController_decline)
  - Ingestion
    - [Send logs](/en/docs/api/ingestion/IngestionController_ingest): OpenTelemetry Protocol (OTLP) over HTTP — logs signal. Path follows the
OTLP/HTTP spec literally (`/v1/logs`, no `/api/` prefix).

**Authentication** : pass an API key with scope `write:logs` as
`Authorization: Bearer lyn_live_xxx` (or `lyn_test_xxx`). API keys are
created via `POST /api/v1/projects/{projectId}/api-keys`.

**Body** : OTLP `ExportLogsServiceRequest` payload. Both `application/x-protobuf`
(default for OTel SDKs and the OTel Collector) and `application/json` are
accepted. `Content-Encoding: gzip` and `deflate` are decoded transparently.

**Limits** : raw body 4 MiB ; decompressed body 16 MiB. Per-API-key and
per-tenant token-bucket rate limit applied (see plan EPS quota).

**v1 contract** : full-success only — the API never reports per-record
rejects. Any record that fails normalization downstream goes to the DLQ
asynchronously (Kafka `logs.dlq`).
  - Logs
    - [List logs (paginated + filterable)](/en/docs/api/logs/LogsController_list)
    - [Get a single log by id](/en/docs/api/logs/LogsController_getOne)
    - [Live tail logs (SSE)](/en/docs/api/logs/LogsStreamController_stream)
  - Dashboard
    - [Dashboard summary (trailing 24h)](/en/docs/api/dashboard/DashboardController_summary)