POST /v1/companies
Creates a new company tenant. Generates an Ed25519 key pair, an empty attestation chain, and a bootstrap API key. No authentication required. Returns 409 if a company with this companyId already exists.
Also available as POST /v1/setup — identical behavior, kept for backward compatibility.
Request body
Response 201
Error responses
Example
GET /v1/company
Returns the authenticated company’s own record. Useful for validating an API key and retrieving metadata. Requires authentication.
Response 200
Example
POST /v1/recover-key
Emergency key recovery. Returns the first API key created for a company. Localhost-only — remote callers receive 403. No authentication required.
This endpoint is a safety hatch for when you lose your API key. In production, restrict access to it at the network level (firewall, VPC) rather than relying solely on the IP check.
Request body
Response 200
Error responses
Example
POST /v1/companies/svid
Issues a JWT-SVID for the authenticated company’s identity. The resulting token is used as the subject_token in a full RFC 8693 token exchange. Requires authentication.