Create Session Token

curl -X POST http://localhost:8001/tokens/session \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "parent_jti": "c1d2e3f4-a5b6-7890-cdef-1234567890ab",
    "parent_type": "agent",
    "session_id": "session-2026-03-01-abc",
    "max_events": 1000,
    "ttl_minutes": 60
  }'

{
  "token": "qt_session_eyJhbGciOiJFUzI1NiIs...",
  "jti": "e3f4a5b6-c7d8-9012-ef01-345678901bcd",
  "session_id": "session-2026-03-01-abc",
  "max_events": 1000,
  "expires_at": "2026-03-01T01:00:00Z"
}

POST

http://localhost:8001

tokens

session

curl -X POST http://localhost:8001/tokens/session \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "parent_jti": "c1d2e3f4-a5b6-7890-cdef-1234567890ab",
    "parent_type": "agent",
    "session_id": "session-2026-03-01-abc",
    "max_events": 1000,
    "ttl_minutes": 60
  }'

{
  "token": "qt_session_eyJhbGciOiJFUzI1NiIs...",
  "jti": "e3f4a5b6-c7d8-9012-ef01-345678901bcd",
  "session_id": "session-2026-03-01-abc",
  "max_events": 1000,
  "expires_at": "2026-03-01T01:00:00Z"
}

The auth service is deployed on a private network. All endpoints except /health are internal management-plane operations.

Request Body

customer_id

string

required

UUID of the customer.

parent_jti

string

required

JTI of the parent agent or subagent token.

parent_type

string

required

Type of the parent token. Accepted values: agent, subagent.

session_id

string

required

Unique session identifier (e.g., session-2026-03-01-abc).

max_events

integer

default:"1000"

Maximum number of events this session can process. Exceeding this limit returns a 429 error.

ttl_minutes

integer

Time-to-live in minutes. Defaults to 60.

Response

token

string

The session token string, prefixed with qt_session_. This is an ES256-signed JWT.

jti

string

Unique token identifier.

session_id

string

The session identifier echoed back.

max_events

integer

The maximum event count for this session.

expires_at

datetime

ISO 8601 expiration timestamp.

curl -X POST http://localhost:8001/tokens/session \
  -H "Content-Type: application/json" \
  -d '{
    "customer_id": "550e8400-e29b-41d4-a716-446655440000",
    "parent_jti": "c1d2e3f4-a5b6-7890-cdef-1234567890ab",
    "parent_type": "agent",
    "session_id": "session-2026-03-01-abc",
    "max_events": 1000,
    "ttl_minutes": 60
  }'

{
  "token": "qt_session_eyJhbGciOiJFUzI1NiIs...",
  "jti": "e3f4a5b6-c7d8-9012-ef01-345678901bcd",
  "session_id": "session-2026-03-01-abc",
  "max_events": 1000,
  "expires_at": "2026-03-01T01:00:00Z"
}

Create Subagent Token Create Override Token

⌘I

Auth Service

Auth Endpoints — Tokens

Auth Endpoints — Keys

Auth Endpoints — Revocation

Auth Endpoints — Webhooks & Overrides

Create Session Token

Request Body

Response

Auth Service

Auth Endpoints — Tokens

Auth Endpoints — Keys

Auth Endpoints — Revocation

Auth Endpoints — Webhooks & Overrides

​Request Body

​Response

Request Body

Response