Authentication

Xentree supports two authentication methods for protected endpoints:
• Bearer token for user-session requests
• X-API-Key for server-to-server integration requests

Supported auth flow

Access token

Send the access token in the Authorization header using the Bearer scheme.

API key

Send the API key in the X-API-Key header.
API keys are scope-based. Recommended scopes:
• conversations:read, conversations:write
• rag:read, rag:write
• quiz:read, quiz:write
• live:read, live:write
• organizations:read, organizations:write
• integrations:read, integrations:write
• xel:read, xel:write
• api:read, api:write, api:admin
Grant only the scopes your integration needs. For read-only integrations, use only :read scopes.

Refresh token

Xentree also supports session refresh via the refresh endpoint.

Main endpoints

Register

Create a new user account.
POST /api/auth/register

Login

Exchange username and password for an access token.
POST /api/auth/token
Content type: application/x-www-form-urlencoded

Refresh session

Issue a fresh access token.
POST /api/auth/refresh

Logout

Invalidate the current session.
POST /api/auth/logout

Current user

Return the authenticated user profile.
GET /api/auth/me
This endpoint is bearer-only.

Update current user profile

Patch profile-level attributes for the current user.
PATCH /api/auth/me
This endpoint is bearer-only.

Integration token hardening (RS256, tenant-scoped)

Integration grants are tenant-isolated and signed with tenant key pairs.

Issue grant

POST /api/integration/grant
Auth: Bearer or X-API-Key (with integrations:write)
Representative request:
{
  "mode": "api",
  "origin": "https://partner.example.com",
  "scopes": ["profile:read", "quota:read"],
  "ttlSeconds": 120
}

Verify grant token

POST /api/integration/verify
Auth: Bearer or X-API-Key (with integrations:read)
Representative request:
{
  "token": "<integration-jwt>",
  "tenantId": "<tenant-id>"
}

Revoke grant token immediately (JTI revoke list)

POST /api/integration/revoke
Auth: Bearer or X-API-Key (with integrations:write)
Representative request:
{
  "integrationToken": "<integration-jwt>",
  "reason": "security-incident"
}
Alternative request using JTI:
{
  "tenantId": "<tenant-id>",
  "jti": "<token-jti>",
  "reason": "manual-revoke"
}

Rotate grant and optionally revoke old token

POST /api/integration/rotate
Auth: Bearer or X-API-Key (with integrations:write)
Representative request:
{
  "mode": "api",
  "origin": "https://partner.example.com",
  "scopes": ["profile:read"],
  "ttlSeconds": 120,
  "revokeIntegrationToken": "<old-integration-jwt>"
}

Public verification metadata

GET /api/integration/jwks
GET /api/integration/fingerprint
Query params: tenantId

Admin observability (revocation registry)

GET /api/admin/integration-token-revocations
Common query filters: tenant_id, jti, include_expired, limit

Rate limit response headers

Integration endpoints emit rate-limit headers on token issuance/verification paths (grant, verify, and rotate):
• X-RateLimit-Limit
• X-RateLimit-Remaining
• X-RateLimit-Reset
• Retry-After (present on HTTP 429)
Representative 429 response detail:
{
  "detail": "Rate limit exceeded for grant. Try again in <seconds> seconds."
}
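
The following client-side handling of the 429 response described above is an added example, not Xentree code. It assumes a hypothetical send() callable that returns (status, headers, body), and MAX_WAIT_SECONDS is an assumed client-side ceiling. X-RateLimit-Reset is not interpreted because the page does not state its unit.

```python
import re
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_WAIT_SECONDS = 300  # assumed client-side ceiling, not a Xentree value
_DETAIL_RE = re.compile(r"Try again in (\d+) seconds")


def retry_delay(status, headers, body=None, now=None):
    """Return seconds to wait before retrying, or None when no wait is needed."""
    if status != 429:
        return None
    # HTTP header names are case-insensitive.
    hdrs = {k.lower(): str(v).strip() for k, v in headers.items()}
    value = hdrs.get("retry-after")
    seconds = None
    if value and value.isdigit():
        seconds = int(value)
    elif value:
        # HTTP also allows Retry-After to be an HTTP-date.
        try:
            when = parsedate_to_datetime(value)
            now = now or datetime.now(timezone.utc)
            seconds = int((when - now).total_seconds())
        except (TypeError, ValueError):
            seconds = None
    if seconds is None and isinstance(body, dict):
        # Fall back to the "Try again in <seconds> seconds." detail text.
        match = _DETAIL_RE.search(str(body.get("detail", "")))
        if match:
            seconds = int(match.group(1))
    if seconds is None:
        seconds = 1  # nothing usable in the response: short conservative wait
    # Clamp so a bad or hostile value cannot stall the client indefinitely.
    return max(0, min(seconds, MAX_WAIT_SECONDS))


def call_with_retry(send, max_attempts=3, sleep=time.sleep):
    """Call send(), honouring 429 waits, with a bounded number of attempts."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        wait = retry_delay(status, headers, body)
        if wait is None or attempt == max_attempts:
            return status, headers, body
        sleep(wait)
```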

Example login request

Common authentication errors

401 Unauthorized

Returned when the bearer token or API key is missing, expired, malformed, or invalid.

403 Forbidden

Returned when a valid principal lacks permission for the requested resource.
For API keys, this can indicate insufficient key scope.
Representative insufficient scope response:
{
  "detail": {
    "error": "INSUFFICIENT_API_KEY_SCOPE",
    "message": "API key lacks required scope for this endpoint",
    "required_scope": "conversations:write",
    "granted_scopes": ["conversations:read"]
  }
}
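
The sketch below is an added example, not Xentree code. It audits an API key's scopes against what an integration needs, following the least-privilege advice in the API key section, and parses the insufficient-scope 403 shown above. It assumes scopes are matched as exact strings (the page does not say whether :write implies :read), and the function names are hypothetical.

```python
RESOURCES = ("conversations", "rag", "quiz", "live",
             "organizations", "integrations", "xel")
# Scopes listed as recommended on this page.
LISTED_SCOPES = {f"{r}:{a}" for r in RESOURCES for a in ("read", "write")}
LISTED_SCOPES |= {"api:read", "api:write", "api:admin"}


def audit_key_scopes(granted, required):
    """Compare the scopes a key holds with the scopes the integration needs."""
    granted, required = set(granted), set(required)
    read_only = all(s.endswith(":read") for s in required)
    return {
        # Calls needing these scopes will fail with 403.
        "missing": sorted(required - granted),
        # Privilege the integration never uses: candidates for removal.
        "excess": sorted(granted - required),
        # Likely typos, or scopes outside the page's recommended list.
        "not_listed": sorted((granted | required) - LISTED_SCOPES),
        # A read-only integration should hold only :read scopes.
        "non_read_on_read_only": sorted(
            s for s in granted if read_only and not s.endswith(":read")
        ),
    }


def missing_scope_from_403(status, body):
    """Extract scope details from an INSUFFICIENT_API_KEY_SCOPE response.

    Returns None for any other response, including 403s that have a
    different cause (a valid principal lacking resource permission).
    """
    if status != 403 or not isinstance(body, dict):
        return None
    detail = body.get("detail")
    if not isinstance(detail, dict):
        return None
    if detail.get("error") != "INSUFFICIENT_API_KEY_SCOPE":
        return None
    return {
        "required": detail.get("required_scope"),
        "granted": list(detail.get("granted_scopes") or []),
    }
```

Running the audit when a key is created or rotated shows excess scopes before they ship; the 403 parser gives operators the exact scope to request instead of widening the key by guesswork.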

Best practices

• Store tokens securely.
• Store API keys securely and rotate them periodically.
• Always send requests over HTTPS.
• Refresh access tokens before long-running sessions expire.
• Revoke sessions on logout or device disconnect.
Modified at 2026-04-29 23:53:59