End-User API

The End-User API powers the Aurion mobile app and web widget. It provides authentication, ticket management, and voice call access for end-users (requesters/contacts) — separate from the admin API key authentication.

Authentication

End-users authenticate with JWT tokens (not API keys). The authentication flow supports multiple methods.

SSO Authentication

For tenants with tenant-configured SSO (Azure AD, Google, Okta):

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/sso" \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "azure_ad",
    "id_token": "eyJhbGciOiJSUz...",
    "tenant_slug": "acme-corp",
    "platform": "ios"
  }'

platform is required and must be one of ios, android, web_widget, or help_center. The optional device_id and device_name fields are also accepted (see Device fields).

Response (200 OK):

{
  "access_token": "eyJhbGciOi...",
  "refresh_token": "rt_abc123...",
  "token_type": "Bearer",
  "expires_in": 3600,
  "requester": {
    "requester_id": "req_456",
    "email": "jane@example.com",
    "full_name": "Jane Smith",
    "tenant_id": "acme-corp"
  },
  "user": {
    "requester_id": "req_456",
    "email": "jane@example.com",
    "full_name": "Jane Smith",
    "tenant_id": "acme-corp"
  }
}

The requester object is the primary identity payload; user is a duplicate kept for backward compatibility with older clients — prefer requester.

Supported SSO Providers:

Provider	Value
Azure AD	`azure_ad`
Google	`google`
Okta	`okta`

Microsoft sign-in is handled by the separate platform /login/microsoft flow below — azure_ad is the Microsoft path for tenant-configured SSO on this endpoint.

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane@example.com",
    "password": "user_password",
    "tenant_slug": "acme-corp",
    "platform": "ios"
  }'

platform is required (ios | android | web_widget | help_center); device_id and device_name are optional. The response matches the SSO AuthTokenResponse shape above.

Magic Link

Request a passwordless login link via email:

Request magic link

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/magic-link" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane@example.com",
    "tenant_slug": "acme-corp"
  }'

Verify magic link

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/magic-link/verify" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "ml_token_from_email",
    "tenant_slug": "acme-corp",
    "platform": "ios"
  }'

The verify step requires token, tenant_slug, and platform (ios | android | web_widget | help_center); device_id and device_name are optional. It returns the same AuthTokenResponse shape as SSO.

Refresh Token

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/refresh" \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "rt_abc123..."
  }'

Logout

Revoke the current session:

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/logout" \
  -H "Authorization: Bearer eyJhbGciOi..."

Returns 204 No Content on success.

Set Password

Set or update the end-user's password (requires a valid JWT):

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/set-password" \
  -H "Authorization: Bearer eyJhbGciOi..." \
  -H "Content-Type: application/json" \
  -d '{
    "new_password": "NewSecure1Pass"
  }'

Password must be at least 8 characters and contain an uppercase letter, a lowercase letter, and a digit.

Platform-level Google authentication for end-users. If the user matches multiple tenants, the response includes a tenant list for selection.

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/login/google" \
  -H "Content-Type: application/json" \
  -d '{
    "id_token": "eyJhbGciOiJSUz...",
    "platform": "ios"
  }'

The body requires id_token and platform (ios | android | web_widget | help_center); device_id and device_name are optional.

When the account matches more than one tenant, the response asks the client to pick one:

{
  "requires_tenant_selection": true,
  "tenants": [
    { "tenant_slug": "acme-corp", "tenant_name": "Acme Corp" },
    { "tenant_slug": "globex", "tenant_name": "Globex" }
  ]
}

When the account maps to exactly one tenant, the same response carries requires_tenant_selection: false plus the full token payload (tenant_slug, access_token, refresh_token, token_type, expires_in, requester, user).

If requires_tenant_selection is true, read tenants[].tenant_slug and call the tenant selection endpoint:

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/login/google/select-tenant" \
  -H "Content-Type: application/json" \
  -d '{
    "id_token": "eyJhbGciOiJSUz...",
    "tenant_slug": "acme-corp",
    "platform": "ios"
  }'

Platform-level Microsoft authentication for end-users. Same multi-tenant flow as Google.

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/login/microsoft" \
  -H "Content-Type: application/json" \
  -d '{
    "id_token": "eyJhbGciOiJSUz...",
    "platform": "android"
  }'

If requires_tenant_selection is true, call the tenant selection endpoint:

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/login/microsoft/select-tenant" \
  -H "Content-Type: application/json" \
  -d '{
    "id_token": "eyJhbGciOiJSUz...",
    "tenant_slug": "acme-corp",
    "platform": "android"
  }'

Device fields

SsoLoginRequest, EmailLoginRequest, MagicLinkVerifyRequest, and the platform Google/Microsoft login bodies all accept two optional fields used to label the session in the user's device list:

Field	Type	Notes
`device_id`	string	Optional, max 255 chars
`device_name`	string	Optional, max 100 chars

Tenant Resolution

Resolve which tenant a user belongs to from their email domain:

curl -X POST "https://apps.aurionai.net/api/v1/app/auth/resolve" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "jane@example.com"
  }'

SSO Configuration

Get the SSO providers configured for a tenant:

curl "https://apps.aurionai.net/api/v1/app/auth/sso-config?tenant_slug=acme-corp"

Rate Limits

Endpoint	Limit
SSO authenticate	10/minute
Password login	5/minute
Magic link request	3/minute
Magic link verify	10/minute
Refresh token	30/minute
Tenant resolution (`/resolve`)	5/minute
SSO config (`/sso-config`)	20/minute
Google sign-in	10/minute
Microsoft sign-in	10/minute

End-User Tickets

Authenticated end-users can manage their own tickets.

List My Tickets

curl "https://apps.aurionai.net/api/v1/app/tickets?status=open&page=1&per_page=10" \
  -H "Authorization: Bearer eyJhbGciOi..."

Pagination uses page (≥ 1, default 1) and per_page (1–50, default 20). The optional status filter must be one of open, pending, resolved, or closed.

Response:

{
  "tickets": [],
  "total": 0,
  "page": 1,
  "per_page": 10
}

Create Ticket

curl -X POST "https://apps.aurionai.net/api/v1/app/tickets" \
  -H "Authorization: Bearer eyJhbGciOi..." \
  -H "Content-Type: application/json" \
  -d '{
    "subject": "Cannot access email",
    "description": "My Outlook keeps showing a connection error."
  }'

Reply to Ticket

Reply with optional file attachments (max 5 files, 15 MB each). The request is multipart/form-data: body carries the message text (1–5000 chars) and each file is sent under the repeated attachments field:

curl -X POST "https://apps.aurionai.net/api/v1/app/tickets/1042/reply" \
  -H "Authorization: Bearer eyJhbGciOi..." \
  -F "body=Here is a screenshot of the error" \
  -F "attachments=@screenshot.png"

Allowed attachment types: JPEG, PNG, HEIC, PDF, Word (.doc/.docx), Excel (.xlsx), PowerPoint (.pptx), and plain text. Files are verified against their magic-byte signature and scanned for malware.

Reopen Ticket

curl -X POST "https://apps.aurionai.net/api/v1/app/tickets/1042/reopen" \
  -H "Authorization: Bearer eyJhbGciOi..."

End-User Voice

Start a voice call session from the mobile app or widget.

Get Voice Token

Generate a LiveKit participant token for a voice call:

curl -X POST "https://apps.aurionai.net/api/v1/app/voice/token" \
  -H "Authorization: Bearer eyJhbGciOi..."

Response:

{
  "token": "livekit_participant_token",
  "livekit_url": "wss://lk-staging.aurionai.net",
  "room_name": "room_abc123",
  "participant_identity": "app:jane@example.com",
  "pre_authenticated": true,
  "expires_in_seconds": 3600
}

The LiveKit server URL is returned as livekit_url, and the participant identity is app:{email}.

Use this token with the LiveKit Client SDK to join the voice room.

End-User Attachments

Upload Attachment

Upload a file to attach to a ticket:

curl -X POST "https://apps.aurionai.net/api/v1/app/tickets/1042/attachments" \
  -H "Authorization: Bearer eyJhbGciOi..." \
  -F "file=@document.pdf"

All uploads are scanned for malware. Only the allowed content types are accepted; files whose magic-byte signature does not match their declared type are rejected.

Download Attachment

The ticket_id query parameter is required:

curl "https://apps.aurionai.net/api/v1/app/attachments/att_123?ticket_id=1042" \
  -H "Authorization: Bearer eyJhbGciOi..."

Issue a Download Token

For native clients that download files without sending auth headers (e.g. a system download manager), issue a short-lived, single-attachment token. The token is scoped to the attachment_id + ticket_id pair:

curl -X POST "https://apps.aurionai.net/api/v1/app/attachments/att_123/download-token?ticket_id=1042" \
  -H "Authorization: Bearer eyJhbGciOi..."

Response:

{
  "download_token": "eyJhbGciOi...",
  "expires_in": 300
}

Attachment Limits

Limit	Value
Max file size	15 MB
Max files per reply	5
Allowed types	JPEG, PNG, HEIC, PDF, Word, Excel, PowerPoint, plain text
Upload rate limit	10/minute

Uploads are validated against an allowlist of content types (rather than an extension blocklist): each file's declared type must be in the list above, must match its actual magic-byte signature, and must pass a malware scan.

Push Notifications

Native clients can register a push token and read or update notification preferences. All routes require the end-user Bearer JWT.

Register a Push Token

curl -X POST "https://apps.aurionai.net/api/v1/app/push/register" \
  -H "Authorization: Bearer eyJhbGciOi..." \
  -H "Content-Type: application/json" \
  -d '{
    "push_token": "fcm_or_apns_token",
    "platform": "ios"
  }'

platform must be ios or android, and must match the platform the session was created with. Response:

{ "status": "registered" }

Get Notification Preferences

curl "https://apps.aurionai.net/api/v1/app/notification-preferences" \
  -H "Authorization: Bearer eyJhbGciOi..."

Response:

{
  "push_enabled": true,
  "ticket_updates": true,
  "resolution_alerts": true
}

Update Notification Preferences

Send only the fields you want to change:

curl -X PUT "https://apps.aurionai.net/api/v1/app/notification-preferences" \
  -H "Authorization: Bearer eyJhbGciOi..." \
  -H "Content-Type: application/json" \
  -d '{
    "ticket_updates": false
  }'

The response returns the full preferences object (same shape as the GET above).

Voice Widget — Embed voice and chat on your website
Calls & Recordings — Access call data and transcripts
Tickets — Admin ticket management (v1 API)
Conversations — Admin conversation management (v2 API)

Authentication Note

End-user endpoints use JWT Bearer tokens (not API keys). Tokens are issued via the auth endpoints above (/api/v1/app/auth/*). Access tokens expire after 1 hour; use refresh tokens to obtain new ones.

End-User API

On this page