Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.tattoo.dev/llms.txt

Use this file to discover all available pages before exploring further.

Authentication

The current TattooAPI runtime supports two auth paths:
  • JWT bearer tokens for user-scoped flows like login, refresh, profile, and API key management
  • API keys for server-to-server usage where a user context is already established

Current Reality

  • POST /auth/register creates a user and returns a success message plus user identity.
  • POST /auth/login returns top-level user and tokens.
  • POST /auth/refresh returns fresh top-level tokens.
  • GET /auth/profile and PUT /auth/profile require auth.
  • GET /api-keys and POST /api-keys require auth and use the standard success wrapper.

JWT Flow

1

Register

Create an account with email, password, name, and optional role metadata.
2

Login

Exchange email and password for access_token and refresh_token.
3

Attach Bearer Token

Send Authorization: Bearer <token> to protected endpoints.
4

Refresh

Use POST /auth/refresh before the access token expires.

API Key Flow

Use a logged-in user to create an API key, then attach it as: 
X-API-Key: YOUR_API_KEY
The API key management endpoints are part of the supported public surface. They are a platform control layer, not a domain object.

Role Notes

The current auth runtime still reflects the legacy role system:
  • Client
  • Artist
  • Studio Owner
  • Studio Manager
These roles are runtime access constructs. The ontology remains the domain source of truth.

Security Guidance

  • Treat the ontology package as canonical for future tool and SDK generation.
  • Treat the current auth flows as the runtime baseline until the contracts are unified.
  • Never assume a legacy verified boolean means the same thing as ontology-level verificationStatus.