Skip to main content

POST /v1/companies

Creates a new company tenant. Generates an Ed25519 key pair, an empty attestation chain, and a bootstrap API key. No authentication required. Returns 409 if a company with this companyId already exists. Also available as POST /v1/setup — identical behavior, kept for backward compatibility.

Request body

Response 201

Error responses

Example


GET /v1/company

Returns the authenticated company’s own record. Useful for validating an API key and retrieving metadata. Requires authentication.

Response 200

Example


POST /v1/recover-key

Emergency key recovery. Returns the first API key created for a company. Localhost-only — remote callers receive 403. No authentication required. This endpoint is a safety hatch for when you lose your API key. In production, restrict access to it at the network level (firewall, VPC) rather than relying solely on the IP check.

Request body

Response 200

Error responses

Example


POST /v1/companies/svid

Issues a JWT-SVID for the authenticated company’s identity. The resulting token is used as the subject_token in a full RFC 8693 token exchange. Requires authentication.

Response 200

Example