Skip to content
Select themeSelect language

POST /api/auth/discover — given a login email, return a per-organization BYO-OIDC start URL if its verified domain maps to an enabled IdP, else `None` (ADR 0031 D2a). ALWAYS 200 and non-enumerating: it never reveals whether an email or account exists. It does NOT call `normalize_email` (which errors on malformed) — the service normalizes and returns `None` for malformed input.

POST
/api/auth/discover
curl --request POST \
--url https://example.com/api/auth/discover \
--header 'Content-Type: application/json' \
--data '{ "email": "example" }'
Media typeapplication/json
object
email
required
string
Examplegenerated
{
"email": "example"
}

SSO redirect URL for the email’s org, or null

Media typeapplication/json
object
sso_redirect

The per-organization BYO-OIDC start URL, or null when the email’s domain maps to no enabled IdP.

string | null
Examplegenerated
{
"sso_redirect": "example"
}

Structured client error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Structured server error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}