Authentication Flows
QNSP supports multiple authentication flows depending on identity type.
User authentication
Password flow
POST /auth/login
{
  "email": "user@example.com",
  "tenantId": "<tenant_uuid>",
  "password": "..."
}
Returns access token + refresh token.
WebAuthn flow
- POST /auth/webauthn/authenticate/start: get challenge
- Client signs with authenticator
- POST /auth/webauthn/authenticate/complete: verify and get tokens
Federated flow (OIDC)
- Redirect to IdP
- IdP callback with code
- POST /auth/federation/oidc/callback: exchange for QNSP tokens
Service authentication
Service token flow
POST /auth/service-token
Authorization: Bearer <service-secret>
{
  "serviceId": "<uuid>",
  "audience": "internal-service"
}
Returns access token only (no refresh).
Token refresh
POST /auth/token/refresh
{
  "refreshToken": "<token>"
}
Returns new access token + rotated refresh token.
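An added example, not part of the QNSP documentation: a client-side session that stores the rotated refresh token returned by the refresh call above and serializes concurrent refreshes, so one refresh token is never presented twice. The response field names accessToken and refreshToken, the class names, and the fake service's rejection of rotated-out tokens are assumptions.

```python
import threading
from typing import Callable, Dict

# Transport: (path, json_body) -> json_response. A real client would do HTTPS here.
Transport = Callable[[str, Dict[str, str]], Dict[str, str]]

class TokenSession:
    """Holds the current token pair and swaps in the rotated refresh token."""

    def __init__(self, post: Transport, access: str, refresh: str):
        self._post, self._access, self._refresh = post, access, refresh
        self._lock = threading.Lock()

    def refresh(self, stale_access: str) -> str:
        """Refresh at most once per expired access token, however many callers."""
        with self._lock:
            if self._access != stale_access:
                return self._access  # another caller already rotated the pair
            body = self._post("/auth/token/refresh", {"refreshToken": self._refresh})
            # Assumed response field names; the page does not list them.
            self._access, self._refresh = body["accessToken"], body["refreshToken"]
            return self._access

class FakeAuthService:
    """Constructed stand-in: assumes a rotated-out refresh token is rejected."""

    def __init__(self) -> None:
        self.calls, self._n, self._valid = 0, 0, "r0"

    def post(self, path: str, body: Dict[str, str]) -> Dict[str, str]:
        self.calls += 1
        if path != "/auth/token/refresh" or body["refreshToken"] != self._valid:
            raise PermissionError("stale or unknown refresh token")
        self._n += 1
        self._valid = f"r{self._n}"
        return {"accessToken": f"a{self._n}", "refreshToken": self._valid}

if __name__ == "__main__":
    svc = FakeAuthService()
    session = TokenSession(svc.post, access="a0", refresh="r0")
    workers = [threading.Thread(target=session.refresh, args=("a0",)) for _ in range(8)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    print("refresh calls sent:", svc.calls)
```

Callers pass the access token that was just rejected; if the session already holds a newer one, no request is sent and the old refresh token is never replayed.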
Organization access (C2)
Request-to-join (public)
Users who are not yet members can request access through edge-gateway:
POST /public/join-requests
{
  "tenant": "<tenant_slug_or_uuid>",
  "email": "user@company.com",
  "requestedRole": "Developer"
}
Invite acceptance (password reset)
Invites are implemented as a locked user created in auth-service, followed by a password reset email.
- POST /auth/forgot-password sends reset email
- POST /auth/reset-password sets the new password
On first successful reset, auth-service activates invited users:
locked → active