curl --request POST \
  --url https://pria.praxislxp.com/api/auth/api-key-signin \
  --header 'x-api-key: <api-key>'

{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "profile": {
    "_id": "6430736fd62d650040420674",
    "email": "integration-bot@praxis-ai.com",
    "fname": "Integration",
    "lname": "Bot",
    "accountType": "admin",
    "plan": "pro",
    "status": "active",
    "credits": 1000,
    "creditsUsed": 12,
    "institution": {
      "_id": "68793ef2a8a4a5eaff36e7ca",
      "name": "domain.edu",
      "status": "active",
      "credits": 500,
      "ainame": "Hugo"
    }
  }
}

Validates the x-api-key header against the hashed key stored on the user record
and returns a regular Pria JWT (token) plus a minimal profile envelope. The
JWT is identical in shape and lifetime to the one issued by POST /api/auth/signin
— every other authenticated endpoint accepts it via Authorization: Bearer <jwt>
or x-access-token: <jwt>.
Important: the API key is NOT a JWT. Sending the raw pria_… key as an
Authorization: Bearer value will fail with Invalid access token jwt malformed
on the bearer-protected endpoints. You must do the exchange here first.
Authentication transport: the API key MUST be sent in the x-api-key header,
not Authorization. The endpoint has no JWT gate — only the key check.
Access gating:
- pria_ followed by 40 hex chars (/^pria_[0-9a-f]{40}$/). A malformed key returns 401, not 400.
- accountType of admin or super (and status !== 'deleted') can mint a JWT. Demoting a user immediately disables their key.

Rate limiting: 100 requests per minute per IP (the shared auth limiter).
Long-lived Pria API key (format pria_<40 hex chars>) used to obtain a JWT via
POST /api/auth/api-key-signin. Only valid on the api-key-signin endpoint —
every other admin/user endpoint expects the JWT issued by that exchange (sent as
Authorization: Bearer <jwt> or x-access-token: <jwt>).
Pria API key (pria_ + 40 hex chars). Provisioned by an admin via the admin UI.
^pria_[0-9a-f]{40}$

Key accepted — JWT and minimal profile returned.
JWT signed for the API-key-bound user. Use it in subsequent calls via
Authorization: Bearer <token> or the x-access-token header. Token TTL
matches the normal signin flow (6 hours by default, configurable via
JWT_VALIDITY_SEC).
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
Minimal profile envelope tailored for SDK / integration consumers. Smaller than the regular signin profile — see properties below.
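
The following is an added example, not Praxis AI's SDK or code from this page: a client-side helper for the exchange described above that checks the key format locally, sends the key only in x-api-key, and caches the JWT until shortly before it expires. PriaSession, its opener and skew parameters, and the presence of an exp claim in the JWT are assumptions; when exp is absent the documented 6-hour default is used.

```python
import base64
import json
import re
import time
import urllib.request

SIGNIN_URL = "https://pria.praxislxp.com/api/auth/api-key-signin"  # endpoint from this page
KEY_RE = re.compile(r"pria_[0-9a-f]{40}")  # documented key format
DEFAULT_TTL = 6 * 3600  # documented default lifetime; JWT_VALIDITY_SEC may change it


def build_signin_request(api_key):
    """Build the exchange request; the key goes in x-api-key, never Authorization."""
    if not KEY_RE.fullmatch(api_key):
        # Reject locally: the server would answer 401 and the attempt still
        # counts against the shared per-IP auth limiter.
        raise ValueError("key does not match pria_<40 hex chars>")
    return urllib.request.Request(
        SIGNIN_URL, data=b"", method="POST", headers={"x-api-key": api_key}
    )


def jwt_expiry(token, issued_at):
    """Return the expiry time, read from an unverified payload (scheduling only)."""
    try:
        part = token.split(".")[1]
        claims = json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))
        return float(claims["exp"])  # assumption: the JWT carries a standard exp claim
    except (IndexError, KeyError, TypeError, ValueError):
        return issued_at + DEFAULT_TTL


class PriaSession:
    """Hypothetical helper: caches the JWT and re-exchanges shortly before expiry."""

    def __init__(self, api_key, opener=urllib.request.urlopen, skew=60):
        self._request = build_signin_request(api_key)
        self._opener, self._skew = opener, skew
        self._token, self._expires = None, 0.0

    def bearer_headers(self, now=None):
        """Headers for every other endpoint; the raw key is never placed here."""
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires - self._skew:
            with self._opener(self._request) as resp:
                self._token = json.load(resp)["token"]
            self._expires = jwt_expiry(self._token, now)
        return {"Authorization": "Bearer " + self._token}
```

Because the exp value is read without verifying the signature, use it only to schedule the next exchange, never for an authorization decision.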