POST/api/auth/validate-token

Validate session token

Checks whether the request carries a valid Auth.js session token, either in the session cookie or in an Authorization: Bearer header. A valid token returns the user type and tenant copied from the session JWT. No request body is read.

Header parameters

authorizationstringOptional

Optional Bearer token fallback. The route also accepts the Auth.js session token cookie.

Response body

Success response 200 · schema ValidateTokenSuccessResponse

isValidbooleanRequired

Indicates that the request contains a valid Auth.js session token.

Enum: true

userTypestringRequired

User classification from users.user_type in the session JWT.

Enum: internalclient

tenantstringRequired

Tenant identifier from the session JWT.

Response codes

200

Session token is valid.

401

No valid session token was found.

500

Unexpected token validation error.

POST /api/auth/validate-token

cURL

curl -X POST "https://algapsa.com/api/auth/validate-token" \
  -H "X-API-Key: $ALGA_API_KEY" \
  -H "authorization: string"

TypeScript

const response = await fetch("https://algapsa.com/api/auth/validate-token", {
  method: "POST",
  headers: {
    "X-API-Key": "$ALGA_API_KEY",
    "authorization": "string",
  }
});
const data = await response.json();

using var client = new HttpClient();
using var request = new HttpRequestMessage(HttpMethod.Post, "https://algapsa.com/api/auth/validate-token");
request.Headers.TryAddWithoutValidation("X-API-Key", "$ALGA_API_KEY");
request.Headers.TryAddWithoutValidation("authorization", "string");
var response = await client.SendAsync(request);
var body = await response.Content.ReadAsStringAsync();

200 OK·application/json

{
  "isValid": true,
  "userType": "internal",
  "tenant": "string"
}