
Integration Tokens

Integration Tokens provide enterprise-grade, tenant-scoped access grants for embedding Xentree capabilities into external systems.
Tokens are signed with RS256 using per-tenant key pairs. Each grant is short-lived, revocable, and bound to a specific set of scopes and an allowed origin.

Core capabilities

• issue short-lived RS256 integration grants
• verify token validity and check JTI revocation status
• revoke a token immediately by JTI
• rotate a token (revoke old, issue new in one atomic call)
• expose the per-tenant JWKS endpoint for third-party verification
• retrieve the public key fingerprint for out-of-band key pinning
• admin observability of revoked tokens per tenant

Authentication and scopes

Integration Token endpoints require bearer or API key auth, except the JWKS and fingerprint endpoints, which are marked public below.
Recommended API key scopes:
• integrations:read for verify, jwks, fingerprint
• integrations:write for grant, revoke, rotate
The admin revocations endpoint (GET /api/admin/integration-token-revocations) requires bearer auth with the admin role.

REST endpoints

Issue integration grant

Issue a short-lived RS256-signed JWT for a tenant.
POST /api/integration/grant
Representative request:
{
  "mode": "api",
  "origin": "https://partner.example.com",
  "scopes": ["profile:read", "quota:read"],
  "ttlSeconds": 120
}

Verify integration token

Check validity and revocation status of an integration JWT.
POST /api/integration/verify

Revoke integration token

Immediately invalidate a token by adding its JTI to the revocation list.
POST /api/integration/revoke

Rotate integration token

Revoke an existing token and issue a fresh one atomically.
POST /api/integration/rotate

Tenant JWKS

Return the active RS256 public key for the tenant in JWK Set format. Use this for third-party signature verification.
GET /api/integration/jwks?tenantId={tenantId}
This endpoint is public — no auth required.
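
The checks a third party would run on a grant after fetching the tenant JWKS, as an added example that is not Xentree's own code. The claim names `exp`, `jti`, `origin` and `scopes`, the `kid` header, and the caller-supplied set of revoked JTIs are assumptions (the page does not show the token layout); the signing key is a constructed toy key for the demo.

```python
import base64, hashlib, json, time

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 9.2

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def emsa(msg, k):  # EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def need(ok, why):
    if not ok:
        raise ValueError(why)

def verify_grant(token, jwks, origin, scope, revoked_jtis, now=None):
    """Return the claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header, claims = dict(json.loads(b64u_dec(h64))), dict(json.loads(b64u_dec(p64)))
        sig = b64u_dec(s64)
    except Exception:
        raise ValueError("malformed token") from None
    need(header.get("alg") == "RS256", "unexpected alg")  # pin alg: no "none", no HS256
    key = next((j for j in jwks["keys"]
                if j.get("kty") == "RSA" and j.get("kid") == header.get("kid")), None)
    need(key is not None, "unknown kid")
    n, e = (int.from_bytes(b64u_dec(key[f]), "big") for f in ("n", "e"))
    k, s = (n.bit_length() + 7) // 8, int.from_bytes(sig, "big")
    need(len(sig) == k and s < n, "bad signature")
    need(pow(s, e, n).to_bytes(k, "big") == emsa(f"{h64}.{p64}".encode(), k), "bad signature")
    # Claim names below are assumed, not taken from the page.
    need(isinstance(claims.get("exp"), (int, float)) and claims["exp"] > now, "expired")
    need(claims.get("origin") == origin, "origin mismatch")
    need(isinstance(claims.get("scopes"), list) and scope in claims["scopes"], "scope not granted")
    need(claims.get("jti") not in revoked_jtis, "revoked")
    return claims

# Constructed toy key (two Mersenne primes) so the demo can sign; never use it for real tokens.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
DEMO_JWKS = {"keys": [{"kty": "RSA", "kid": "demo", "n": b64u_enc(N.to_bytes(141, "big")), "e": "AQAB"}]}

def demo_sign(header, claims):
    msg = ".".join(b64u_enc(json.dumps(x).encode()) for x in (header, claims))
    return msg + "." + b64u_enc(pow(int.from_bytes(emsa(msg.encode(), 141), "big"), D, N).to_bytes(141, "big"))
```

A signature check alone cannot detect revocation; that status comes from POST /api/integration/verify, which is why the revoked set is passed in by the caller.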

Public key fingerprint

Return the SHA-256 fingerprint of the tenant's active public key for out-of-band key pinning.
GET /api/integration/fingerprint?tenantId={tenantId}
This endpoint is public — no auth required.

Rate limits

Grant and rotate operations are rate-limited per tenant per principal. When the limit is exceeded, the API returns 429 Too Many Requests with the following headers:
Header                  Description
X-RateLimit-Limit       Maximum requests allowed in the window
X-RateLimit-Remaining   Remaining requests in the current window
X-RateLimit-Reset       Unix timestamp when the window resets
Retry-After             Seconds to wait before retrying
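
One way for a client to honour these headers when a grant or rotate call returns 429, as an added example that is not Xentree's own code. The `send` callable (returning status, headers and body), the 60-second cap and the 1-second default are assumptions; the sample headers are constructed.

```python
import math, time

# Constructed sample of the headers a 429 response carries, per the table above.
SAMPLE_429 = {"X-RateLimit-Limit": "10", "X-RateLimit-Remaining": "0",
              "X-RateLimit-Reset": "1700000030", "Retry-After": "30"}

def num(value):
    """Parse a header value as a finite number, or return None."""
    try:
        x = float(value)
    except (TypeError, ValueError):
        return None
    return x if math.isfinite(x) else None

def retry_delay(headers, now, cap=60.0, default=1.0):
    """Seconds to wait after a 429, clamped to [0, cap]."""
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    delay = num(h.get("retry-after"))                # relative seconds, preferred
    if delay is None:
        reset = num(h.get("x-ratelimit-reset"))      # absolute Unix timestamp
        delay = default if reset is None else reset - now
    return min(max(delay, 0.0), cap)

def call_with_backoff(send, max_attempts=4, sleep=time.sleep, clock=time.time):
    """Call send() until it returns a non-429 status or attempts run out.

    send is a caller-supplied function returning (status, headers, body).
    """
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body
        if attempt < max_attempts - 1:
            sleep(retry_delay(headers, clock()))
    raise RuntimeError("still rate-limited after %d attempts" % max_attempts)
```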

Admin observability

List revoked integration tokens for a specific tenant. Requires admin bearer token.
GET /api/admin/integration-token-revocations?tenant_id={tenantId}&limit={limit}&offset={offset}
Modified at 2026-04-25 10:43:40