Skip to main content

API Reference

The Ithbat IAM REST API provides programmatic access to all platform capabilities — user management, authentication flows, RBAC, groups, organizations, audit logs, and more.

Base URL

All API requests target the versioned base path:

https://api.ithbat.io/api/v1/

Regional endpoints are available for data residency requirements:

RegionBase URL
Globalhttps://api.ithbat.io/api/v1/
KSAhttps://api.sa.ithbat.io/api/v1/
Egypthttps://api.eg.ithbat.io/api/v1/

Use the regional endpoint matching your tenant's data residency setting. The tenant's region is set at creation time and cannot be changed.

OAuth endpoints (/oauth/authorize, /oauth/token) are on the root path with no /api/v1 prefix:

https://api.ithbat.io/oauth/authorize
https://api.ithbat.io/oauth/token

Authentication

All protected endpoints require a Bearer JWT access token in the Authorization header:

Authorization: Bearer <access_token>

Obtain an access token by calling POST /api/v1/auth/login. Tokens expire after 3600 seconds. Use POST /api/v1/auth/refresh with your refresh token to obtain a new access token without re-authenticating.

Tenant Context

Multi-tenant requests must include the tenant identifier:

X-Tenant-ID: <tenant_uuid>

Requests without X-Tenant-ID are scoped to the tenant resolved from the authenticated user's JWT.

Request Format

All request bodies must be JSON with the appropriate content type header:

Content-Type: application/json

Example Authenticated Request

curl -X GET "https://api.ithbat.io/api/v1/users/me" \
-H "Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." \
-H "X-Tenant-ID: 3e7a9f12-4b2c-4d8e-a1f0-9c2b3d4e5f6a"

Error Format

Errors return a structured envelope with a machine-readable code:

{
"error": {
"code": "INVALID_CREDENTIALS",
"message": "Email or password is incorrect"
}
}

Validation errors include per-field details:

{
"error": {
"code": "VALIDATION_ERROR",
"message": "Request validation failed",
"details": [
{ "field": "email", "message": "must be a valid email address" },
{ "field": "password", "message": "must be at least 8 characters" }
]
}
}

HTTP Status Codes

CodeMeaning
200Success
201Resource created
400Bad request — malformed JSON or missing required fields
401Unauthorized — missing or invalid access token
403Forbidden — authenticated but insufficient permissions
404Not found — resource does not exist or is not visible to the tenant
409Conflict — resource already exists (duplicate email, etc.)
429Too many requests — rate limit exceeded
500Internal server error

Pagination

List endpoints accept page and limit query parameters:

ParameterTypeDefaultDescription
pageinteger1Page number, 1-indexed
limitinteger25Results per page

Example:

curl "https://api.ithbat.io/api/v1/users?page=2&limit=50" \
-H "Authorization: Bearer <token>" \
-H "X-Tenant-ID: <tenant_id>"

Rate Limiting

Sensitive endpoints (login, password reset, MFA verification) are rate limited per IP. When the limit is exceeded the API returns HTTP 429.

Versioning

The current API version is v1. The version is part of the URL path: /api/v1/. Breaking changes will be introduced in a new version with a deprecation notice and migration window.

Common Error Codes

CodeDescription
INVALID_CREDENTIALSEmail or password is incorrect
ACCOUNT_SUSPENDEDUser account has been suspended
ACCOUNT_NOT_VERIFIEDEmail address has not been verified
MFA_REQUIREDMFA verification is required to continue
TOKEN_EXPIREDAccess token has expired
TOKEN_INVALIDAccess token is malformed or has been revoked
TENANT_NOT_FOUNDThe specified tenant does not exist
TENANT_SUSPENDEDThe tenant account has been suspended
PERMISSION_DENIEDThe authenticated user lacks the required permission
RESOURCE_NOT_FOUNDThe requested resource does not exist
DUPLICATE_EMAILA user with this email already exists
VALIDATION_ERROROne or more request fields failed validation
RATE_LIMIT_EXCEEDEDToo many requests in the current time window
IP_NOT_WHITELISTEDThe request IP address is not in the tenant's allowlist

Endpoint Summary

Public (no JWT required)

MethodPathDescription
POST/api/v1/auth/loginLogin with email and password
POST/api/v1/auth/registerRegister a new user
POST/api/v1/auth/refreshRefresh access token
POST/api/v1/auth/verify-emailVerify email address
POST/api/v1/auth/resend-verificationResend verification email
POST/api/v1/auth/password-reset/initiateRequest password reset email
POST/api/v1/auth/password-reset/validateValidate reset token
POST/api/v1/auth/password-reset/completeComplete password reset
POST/api/v1/auth/mfa/verifyVerify TOTP during login
POST/api/v1/auth/mfa/verify-backupVerify backup code during login
POST/api/v1/auth/mfa/sms/verifyVerify SMS OTP during login
POST/api/v1/auth/mfa/sms/resendResend SMS OTP during login
POST/api/v1/mfa/webauthn/login/startStart WebAuthn login
POST/api/v1/mfa/webauthn/login/finishFinish WebAuthn login
POST/api/v1/auth/passwordless/startSend magic link
POST/api/v1/auth/passwordless/verifyVerify magic link token
GET/api/v1/auth/social/{provider}/loginInitiate social login
GET/api/v1/auth/social/{provider}/callbackSocial login callback
POST/api/v1/auth/social/exchangeExchange social code for tokens
GET/api/v1/auth/social/providersList enabled social providers
GET/api/v1/auth/saml/{tenant_id}/metadataSAML SP metadata
GET/api/v1/auth/saml/{tenant_id}/loginInitiate SAML login
POST/api/v1/auth/saml/{tenant_id}/acsSAML assertion consumer service
GET/oauth/authorizeOAuth2 authorization endpoint
POST/oauth/tokenOAuth2 token endpoint
GET/.well-known/openid-configurationOIDC discovery document
POST/api/v1/tenants/registerRegister a new tenant
GET/api/v1/regionsList available regions

JWT-protected (self-service)

MethodPathDescription
GET/api/v1/users/meGet own profile
PUT/api/v1/users/meUpdate own profile
POST/api/v1/auth/logoutLogout
POST/api/v1/auth/change-passwordChange own password
GET/api/v1/auth/sessionsList own sessions
DELETE/api/v1/auth/sessions/{id}Revoke a session
DELETE/api/v1/auth/sessionsRevoke all other sessions
POST/api/v1/auth/mfa/setupStart TOTP MFA setup
POST/api/v1/auth/mfa/verify-setupConfirm TOTP MFA setup
POST/api/v1/auth/mfa/disableDisable TOTP MFA
POST/api/v1/auth/mfa/backup-codesRegenerate backup codes
POST/api/v1/auth/mfa/sms/setupStart SMS MFA setup
POST/api/v1/auth/mfa/sms/verify-setupConfirm SMS MFA setup
POST/api/v1/auth/mfa/sms/sendSend SMS OTP
POST/api/v1/auth/mfa/sms/disableDisable SMS MFA
POST/api/v1/mfa/webauthn/register/startStart WebAuthn registration
POST/api/v1/mfa/webauthn/register/finishFinish WebAuthn registration
GET/api/v1/mfa/webauthn/credentialsList WebAuthn credentials
DELETE/api/v1/mfa/webauthn/credentials/{id}Delete WebAuthn credential
GET/api/v1/audit/me/activityGet own audit activity
GET/api/v1/audit/me/loginsGet own login history
GET/api/v1/tenant/featuresGet enabled features for current tenant

JWT-protected (admin — requires permissions)

MethodPathPermission
GET/POST/api/v1/usersuser:read / user:write
GET/PUT/DELETE/api/v1/users/{id}user:read / user:write
POST/api/v1/users/{id}/suspenduser:write
POST/api/v1/users/{id}/reactivateuser:write
POST/api/v1/users/{id}/unlockuser:write
POST/api/v1/users/bulkuser:write
DELETE/api/v1/users/bulkuser:write
POST/DELETE/api/v1/users/{id}/roles, /api/v1/users/{id}/roles/{roleId}role:write
GET/api/v1/users/{id}/permissionsuser:read
GET/api/v1/users/{id}/sessionsuser:read
DELETE/api/v1/users/{id}/sessionsuser:write
GET/POST/api/v1/rolesrole:read / role:write
GET/PUT/DELETE/api/v1/roles/{id}role:read / role:write
GET/api/v1/roles/permissionsrole:read
GET/POST/api/v1/permissionspermission:read / permission:write
GET/PUT/DELETE/api/v1/permissions/{id}permission:read / permission:write
GET/POST/api/v1/groupsgroup:read / group:write
GET/PUT/DELETE/api/v1/groups/{id}group:read / group:write
GET/POST/DELETE/api/v1/groups/{id}/members, /api/v1/groups/{id}/members/{uid}group:read / group:write
GET/POST/DELETE/api/v1/groups/{id}/roles, /api/v1/groups/{id}/roles/{rid}group:read / group:write
GET/POST/api/v1/organizationsorganization:read / organization:write
GET/PUT/DELETE/api/v1/organizations/{id}organization:read / organization:write
GET/POST/DELETE/api/v1/organizations/{id}/membersorganization:read / organization:write
GET/POST/api/v1/invitationsinvitation:read / invitation:write
GET/api/v1/tenants/currenttenant:read
GET/POST/api/v1/tenantstenant:write
GET/PUT/DELETE/api/v1/tenants/{id}tenant:write
GET/POST/api/v1/oauth/admin/clientsoauth:read / oauth:write
GET/PUT/DELETE/api/v1/oauth/admin/clients/{id}oauth:read / oauth:write
GET/api/v1/audit/eventsaudit:read
GET/api/v1/audit/events/{id}audit:read
GET/api/v1/audit/loginsaudit:read
GET/api/v1/audit/users/{userId}/activityaudit:read
GET/api/v1/audit/users/{userId}/loginsaudit:read
GET/api/v1/audit/resources/{type}/{id}/historyaudit:read
GET/api/v1/tenant/settingssettings:read
PATCH/api/v1/tenant/settings/generalsettings:write
PATCH/api/v1/tenant/settings/securitysettings:write
PATCH/api/v1/tenant/settings/brandingsettings:write
GET/PUT/api/v1/tenant/password-policysettings:read / settings:write
GET/PUT/api/v1/tenant/security/ip-whitelistsettings:read / settings:write
POST/DELETE/api/v1/tenant/custom-domainsettings:write
POST/api/v1/tenant/custom-domain/verifysettings:write