{
  "info": {
    "name": "Qeet Id - API",
    "_postman_id": "8f3b6e10-7a3f-4d9c-9a55-qeetid000001",
    "description": "Complete request collection for the qeet-id backend (Go monolith).\n\n## Setup\n\n1. Start the backend: `cd backend && make run` (defaults to `http://localhost:4000`).\n2. Import this collection AND the companion environment (`qeet-id.postman_environment.json`).\n3. Select the **qeet-id (local)** environment in the Postman environment dropdown.\n4. **First time / fresh DB:** run **Auth \u2192 Signup**. It creates a new tenant + user + owner role in one shot and auto-populates `{{tenantId}}`, `{{userId}}`, `{{accessToken}}`, `{{refreshToken}}`. The signup user becomes the tenant admin.\n5. **Returning users:** run **Auth \u2192 Login** with the saved tenant_id + email + password.\n\n## Conventions\n\n- All authed requests inherit a `Bearer {{accessToken}}` header from the collection root.\n- IDs (`{{tenantId}}`, `{{userId}}`, `{{roleId}}`, \u2026) are written back to collection variables by the corresponding `Create` / `Signup` requests, so you can chain them.\n- Routes prefixed `/v1/...` are versioned API surface. Discovery / JWKS live at root (`/.well-known/...`) per the OIDC spec.\n",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "auth": {
    "type": "bearer",
    "bearer": [
      {
        "key": "token",
        "value": "{{accessToken}}",
        "type": "string"
      }
    ]
  },
  "event": [
    {
      "listen": "prerequest",
      "script": {
        "type": "text/javascript",
        "exec": [
          "if (!pm.environment.get('baseUrl') && !pm.collectionVariables.get('baseUrl')) {",
          "  throw new Error('baseUrl is not set. Select the qeet-id (local) environment or override --env-var baseUrl=...');",
          "}",
          "",
          "// --- CSRF auto-handler ---------------------------------------------------",
          "// The backend CSRF middleware (httpx/csrf.go) requires non-Bearer mutation",
          "// requests to carry (a) an allow-listed Origin/Referer and (b) a double-",
          "// submit cookie pair (qe_csrf + X-CSRF-Token). Bearer-token traffic skips",
          "// entirely. Postman is not a browser so it sends neither header \u2014 handle",
          "// it transparently here so the public auth routes (signup/login/recovery/",
          "// invite-accept/oauth-token) work out of the box.",
          "(function () {",
          "  const method = (pm.request.method || 'GET').toUpperCase();",
          "  if (method === 'GET' || method === 'HEAD' || method === 'OPTIONS') return;",
          "",
          "  const authHeader = pm.request.headers.get('Authorization') || '';",
          "  if (authHeader.toLowerCase().indexOf('bearer ') === 0) return; // Bearer bypasses CSRF",
          "",
          "  const origin = pm.collectionVariables.get('csrfOrigin') ||",
          "                 pm.environment.get('csrfOrigin') ||",
          "                 'http://localhost:3002';",
          "  if (!pm.request.headers.has('Origin')) {",
          "    pm.request.headers.upsert({ key: 'Origin', value: origin });",
          "  }",
          "",
          "  // If we already have a cached CSRF token from a prior seed, just echo it.",
          "  const cached = pm.collectionVariables.get('_csrfToken');",
          "  if (cached) {",
          "    pm.request.headers.upsert({ key: 'X-CSRF-Token', value: cached });",
          "    return;",
          "  }",
          "",
          "  // Otherwise, seed the cookie by GETting /healthz and extract qe_csrf",
          "  // from Set-Cookie. Postman will wait for this async call before firing",
          "  // the main request.",
          "  const baseUrl = pm.environment.get('baseUrl') || pm.collectionVariables.get('baseUrl');",
          "  pm.sendRequest({ url: baseUrl + '/healthz', method: 'GET' }, function (err, res) {",
          "    if (err || !res) return;",
          "    const setCookies = res.headers.all().filter(function (h) {",
          "      return (h.key || '').toLowerCase() === 'set-cookie';",
          "    });",
          "    for (let i = 0; i < setCookies.length; i++) {",
          "      const m = /qe_csrf=([^;]+)/.exec(setCookies[i].value || '');",
          "      if (m) {",
          "        pm.collectionVariables.set('_csrfToken', m[1]);",
          "        pm.request.headers.upsert({ key: 'X-CSRF-Token', value: m[1] });",
          "        return;",
          "      }",
          "    }",
          "  });",
          "})();"
        ]
      }
    },
    {
      "listen": "test",
      "script": {
        "type": "text/javascript",
        "exec": [
          "// Skip everything if the request errored out (no response, e.g. connection refused).",
          "if (!pm.response || typeof pm.response.code !== 'number') { return; }",
          "// Universal sanity checks. Per-request tests still run.",
          "pm.test('Response under 5s', () => pm.expect(pm.response.responseTime).to.be.below(5000));",
          "// Safety-net token capture: if any response carries access_token / refresh_token,",
          "// keep collection vars in sync. Per-request tests still own the primary capture.",
          "try {",
          "  if (pm.response.code >= 200 && pm.response.code < 300) {",
          "    const ct = pm.response.headers.get('Content-Type') || '';",
          "    if (ct.indexOf('application/json') !== -1) {",
          "      const body = pm.response.json();",
          "      if (body && body.access_token)  pm.collectionVariables.set('accessToken',  body.access_token);",
          "      if (body && body.refresh_token) pm.collectionVariables.set('refreshToken', body.refresh_token);",
          "    }",
          "  }",
          "} catch (e) { /* non-JSON or empty body \u2014 ignore */ }"
        ]
      }
    }
  ],
  "variable": [
    {
      "key": "baseUrl",
      "value": "http://localhost:4000",
      "type": "string"
    },
    {
      "key": "accessToken",
      "value": "",
      "type": "string"
    },
    {
      "key": "refreshToken",
      "value": "",
      "type": "string"
    },
    {
      "key": "tenantId",
      "value": "",
      "type": "string"
    },
    {
      "key": "userId",
      "value": "",
      "type": "string"
    },
    {
      "key": "roleId",
      "value": "",
      "type": "string"
    },
    {
      "key": "permissionId",
      "value": "",
      "type": "string"
    },
    {
      "key": "inviteId",
      "value": "",
      "type": "string"
    },
    {
      "key": "apiKeyId",
      "value": "",
      "type": "string"
    },
    {
      "key": "apiKeyRaw",
      "value": "",
      "type": "string"
    },
    {
      "key": "principalId",
      "value": "",
      "type": "string"
    },
    {
      "key": "principalSecret",
      "value": "",
      "type": "string"
    },
    {
      "key": "oidcClientId",
      "value": "",
      "type": "string"
    },
    {
      "key": "oidcClientSecret",
      "value": "",
      "type": "string"
    },
    {
      "key": "webhookId",
      "value": "",
      "type": "string"
    },
    {
      "key": "groupId",
      "value": "",
      "type": "string"
    },
    {
      "key": "sessionId",
      "value": "",
      "type": "string"
    },
    {
      "key": "passkeyId",
      "value": "",
      "type": "string"
    },
    {
      "key": "socialIdentityId",
      "value": "",
      "type": "string"
    },
    {
      "key": "gdprRequestId",
      "value": "",
      "type": "string"
    },
    {
      "key": "signupEmail",
      "value": "",
      "type": "string"
    },
    {
      "key": "signupPassword",
      "value": "",
      "type": "string"
    },
    {
      "key": "samlConnId",
      "value": ""
    },
    {
      "key": "samlCode",
      "value": ""
    },
    {
      "key": "samlIdpCert",
      "value": "MIIDAzCCAeugAwIBAgIUT01Mucsrde794fhP/XNuqA/IBtowDQYJKoZIhvcNAQELBQAwETEPMA0GA1UEAwwGcG0taWRwMB4XDTI2MDYwMTEzNDYyNFoXDTI3MDYwMTEzNDYyNFowETEPMA0GA1UEAwwGcG0taWRwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwr/0fsg2wiSD9EFdUIwTOKBFpULp4Wa5gG8VkYQP5Zg73zYakbjBmVezbQxKMREQmGaNun7sGmd9olrhrBaWK7oJW+ZDxRMuBoS5/HY0+ZY6rcM91ZkOEhVfbPctNmNYUBb/Lo7OVzCA1wiXjMjxBXPohtAgmflHerhv6q98nAsEWQGZrx0gRk4Ghxl5pZH1MxE0K9hRcLVMHLc8YpsileSFldObKzOILOv2TZtOyBLIGqblGkI1n0ZDNbbG5+3L/z3Wj6csti4wVfBeWVzuE9mxQ1YznvO7Yvz+HAcNqrQ2vzUDwF+MfeZ9W4IwFXidrSZx/cX9pK2s8McQGNX/2wIDAQABo1MwUTAdBgNVHQ4EFgQUqvAXkgFyDJ1+MPHYOsghTRkkeF4wHwYDVR0jBBgwFoAUqvAXkgFyDJ1+MPHYOsghTRkkeF4wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAsV520pygeL5RG5DWLEfXGFc2ciYwyv23EYJlBOBM/3q67NXlJwhgaVhYksAJgd7ruMh7FCzJjDJJzdn+/S7RkBhOyrVaazd/qptmjTFm2JAUpl3Yq2+lhZnDG+hbRRRs4U/EeRahWXZEaaHNiWgDy1LIdSohTNw6tPRBCFe1R2LnjQM09D897h6Fnwf+N3gUzTtZgumg+EamqmGCAtypQois3bzRW+W+wK7n2DfLWJTS4m0wejhPouWsEqloB3BLeE5TzGXlykflkXRvfMXpNppC/Mue7o/KXpHmxEd+2sgn2l+1Yua0OYcXOaozSjaPOlXz9IF2MxmQzh1XdQtytQ=="
    },
    {
      "key": "ldapConnId",
      "value": ""
    },
    {
      "key": "scimToken",
      "value": ""
    },
    {
      "key": "otpFactorId",
      "value": ""
    },
    {
      "key": "secretId",
      "value": ""
    },
    {
      "key": "ipRuleId",
      "value": ""
    },
    {
      "key": "grantId",
      "value": ""
    },
    {
      "key": "emailTemplateKey",
      "value": "verify_email"
    },
    {
      "key": "agentId",
      "value": "",
      "type": "string"
    },
    {
      "key": "agentSecret",
      "value": "",
      "type": "string"
    },
    {
      "key": "agentAccessToken",
      "value": "",
      "type": "string"
    },
    {
      "key": "credentialId",
      "value": "",
      "type": "string"
    },
    {
      "key": "vcJwt",
      "value": "",
      "type": "string"
    },
    {
      "key": "relationTupleId",
      "value": "",
      "type": "string"
    },
    {
      "key": "logSinkId",
      "value": "",
      "type": "string"
    },
    {
      "key": "authHookId",
      "value": "",
      "type": "string"
    },
    {
      "key": "domainId",
      "value": "",
      "type": "string"
    },
    {
      "key": "anomalyId",
      "value": "",
      "type": "string"
    },
    {
      "key": "samlSpId",
      "value": "",
      "type": "string"
    },
    {
      "key": "scimUserId",
      "value": "",
      "type": "string"
    },
    {
      "key": "scimGroupId",
      "value": "",
      "type": "string"
    },
    {
      "key": "deliveryId",
      "value": "",
      "type": "string"
    },
    {
      "key": "secretName",
      "value": "",
      "type": "string"
    },
    {
      "key": "deviceCode",
      "value": "",
      "type": "string"
    },
    {
      "key": "userCode",
      "value": "",
      "type": "string"
    },
    {
      "key": "authRequestId",
      "value": "",
      "type": "string"
    },
    {
      "key": "oidcClientRowId",
      "value": "",
      "type": "string"
    },
    {
      "key": "deviceAuthId",
      "value": "",
      "type": "string"
    },
    {
      "key": "exchangedToken",
      "value": "",
      "type": "string"
    }
  ],
  "item": [
    {
      "name": "Health",
      "item": [
        {
          "name": "Liveness \u2014 GET /healthz",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/healthz",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "healthz"
              ]
            }
          }
        },
        {
          "name": "Readiness \u2014 GET /readyz",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/readyz",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "readyz"
              ]
            }
          }
        },
        {
          "name": "Metrics (Prometheus) \u2014 GET /metrics",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/metrics",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "metrics"
              ]
            },
            "description": "Prometheus exposition format. Public, root-level (no /v1)."
          }
        }
      ]
    },
    {
      "name": "OIDC Discovery (public)",
      "item": [
        {
          "name": "OpenID configuration \u2014 GET /.well-known/openid-configuration",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/.well-known/openid-configuration",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                ".well-known",
                "openid-configuration"
              ]
            }
          }
        },
        {
          "name": "JWKS \u2014 GET /.well-known/jwks.json",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/.well-known/jwks.json",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                ".well-known",
                "jwks.json"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Auth",
      "item": [
        {
          "name": "Signup \u2014 POST /v1/auth/signup",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Created', () => pm.expect([200, 201]).to.include(pm.response.code));",
                  "const body = pm.response.json();",
                  "if (body.user_id)              pm.collectionVariables.set('userId',       body.user_id);",
                  "if (body.tenant_id)            pm.collectionVariables.set('tenantId',     body.tenant_id);",
                  "if (body.access_token)         pm.collectionVariables.set('accessToken',  body.access_token);",
                  "if (body.refresh_token)        pm.collectionVariables.set('refreshToken', body.refresh_token);",
                  "console.log('Signed up \u2014 you are now owner of tenant', body.tenant_id);",
                  "// Persist the email/password actually sent so Login can re-use them.",
                  "try {",
                  "  const reqBody = JSON.parse(pm.request.body && pm.request.body.raw || '{}');",
                  "  if (reqBody.email)    pm.collectionVariables.set('signupEmail',    reqBody.email);",
                  "  if (reqBody.password) pm.collectionVariables.set('signupPassword', reqBody.password);",
                  "} catch (e) {}"
                ]
              }
            }
          ],
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"email\": \"jane+{{$timestamp}}@acme.test\",\n  \"password\": \"Password123!\",\n  \"display_name\": \"Jane Doe\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/signup",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "signup"
              ]
            },
            "description": "Public self-service signup. Takes only `{email, password, display_name?}`. In ONE transaction the backend:\n\n1. Generates a personal tenant for the new user (slug like `personal-<12hex>`, name like `\"Jane's workspace\"`).\n2. Creates the user with a password credential.\n3. Creates a system `owner` role for the personal tenant and grants it every platform permission.\n4. Assigns the user to that owner role.\n5. Issues an access + refresh token pair (auto-login).\n\nThe user can rename their workspace or create more from `Tenants \u2192 New tenant`.\n\n**Email is globally unique** \u2014 same address can't sign up twice across the platform.\n\n**Errors:**\n- 409 \u2014 email already in use\n- 422 \u2014 validation failed (password < 8 chars, invalid email, \u2026)"
          }
        },
        {
          "name": "Login \u2014 POST /v1/auth/login",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Status 200', () => pm.response.to.have.status(200));",
                  "const body = pm.response.json();",
                  "if (body.mfa_required) { pm.collectionVariables.set('mfaToken', body.mfa_token); }",
                  "if (body.access_token)  pm.collectionVariables.set('accessToken',  body.access_token);",
                  "if (body.refresh_token) pm.collectionVariables.set('refreshToken', body.refresh_token);"
                ]
              }
            }
          ],
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"email\": \"{{signupEmail}}\",\n  \"password\": \"{{signupPassword}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/login",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "login"
              ]
            }
          }
        },
        {
          "name": "Complete MFA login \u2014 POST /v1/auth/mfa",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Status 200', () => pm.response.to.have.status(200));",
                  "const body = pm.response.json();",
                  "if (body.access_token)  pm.collectionVariables.set('accessToken',  body.access_token);",
                  "if (body.refresh_token) pm.collectionVariables.set('refreshToken', body.refresh_token);"
                ]
              }
            }
          ],
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"mfa_token\": \"{{mfaToken}}\",\n  \"code\": \"<totp-or-recovery-code>\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/mfa",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "mfa"
              ]
            }
          }
        },
        {
          "name": "Refresh \u2014 POST /v1/auth/refresh",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Status 200', () => pm.response.to.have.status(200));",
                  "const body = pm.response.json();",
                  "if (body.access_token)  pm.collectionVariables.set('accessToken',  body.access_token);",
                  "if (body.refresh_token) pm.collectionVariables.set('refreshToken', body.refresh_token);"
                ]
              }
            }
          ],
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"refresh_token\": \"{{refreshToken}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/refresh",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "refresh"
              ]
            }
          }
        },
        {
          "name": "Me \u2014 GET /v1/auth/me",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/auth/me",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "me"
              ]
            }
          }
        },
        {
          "name": "List sessions \u2014 GET /v1/auth/sessions",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/auth/sessions",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "sessions"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('sessionId', arr[0].id);",
                  "      console.log('captured sessionId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke session \u2014 DELETE /v1/auth/sessions/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/auth/sessions/{{sessionId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "sessions",
                "{{sessionId}}"
              ]
            }
          }
        },
        {
          "name": "Logout \u2014 POST /v1/auth/logout",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/auth/logout",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "logout"
              ]
            }
          }
        },
        {
          "name": "Switch tenant \u2014 POST /v1/auth/switch-tenant",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Status 200', () => pm.response.to.have.status(200));",
                  "const body = pm.response.json();",
                  "if (body.access_token)  pm.collectionVariables.set('accessToken',  body.access_token);",
                  "if (body.refresh_token) pm.collectionVariables.set('refreshToken', body.refresh_token);",
                  "if (body.tenant_id)     pm.collectionVariables.set('tenantId',     body.tenant_id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/switch-tenant",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "switch-tenant"
              ]
            }
          }
        },
        {
          "name": "Register (hosted, B2C) \u2014 POST /v1/auth/register",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"email\": \"b2c+{{$timestamp}}@example.com\",\n  \"password\": \"Password123!\",\n  \"display_name\": \"B2C User\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/register",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "register"
              ]
            },
            "description": "Hosted-login end-user self-registration into an existing tenant (B2C)."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "const b = pm.response.json();",
                  "if (b.access_token) pm.collectionVariables.set('accessToken', b.access_token);"
                ]
              }
            }
          ]
        },
        {
          "name": "Create SSO session \u2014 POST /v1/auth/session",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"email\": \"{{signupEmail}}\",\n  \"password\": \"{{signupPassword}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/session",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "session"
              ]
            },
            "description": "Hosted-login: verifies credentials and sets the HttpOnly SSO cookie (qe_ls). Postman stores the cookie in its jar for subsequent /v1/oauth/authorize calls."
          }
        },
        {
          "name": "Complete SSO session MFA \u2014 POST /v1/auth/session/mfa",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"mfa_token\": \"{{mfaToken}}\",\n  \"code\": \"123456\",\n  \"remember\": true\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/session/mfa",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "session",
                "mfa"
              ]
            },
            "description": "Hosted-login: finish a two-step login and set the SSO cookie."
          }
        },
        {
          "name": "Destroy SSO session (logout) \u2014 DELETE /v1/auth/session",
          "request": {
            "method": "DELETE",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/session",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "session"
              ]
            },
            "description": "Hosted-login logout: revoke the SSO session and clear the qe_ls cookie."
          }
        }
      ]
    },
    {
      "name": "Recovery (public)",
      "item": [
        {
          "name": "Forgot password \u2014 POST /v1/auth/forgot-password",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"email\": \"user@example.com\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/forgot-password",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "forgot-password"
              ]
            }
          }
        },
        {
          "name": "Reset password \u2014 POST /v1/auth/reset-password",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"token\": \"REPLACE_WITH_RESET_TOKEN\",\n  \"new_password\": \"NewPassword123!\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/reset-password",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "reset-password"
              ]
            }
          }
        },
        {
          "name": "Magic link start \u2014 POST /v1/auth/magic-link/start",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"email\": \"user@example.com\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/magic-link/start",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "magic-link",
                "start"
              ]
            }
          }
        },
        {
          "name": "Magic link consume \u2014 POST /v1/auth/magic-link/consume",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"token\": \"REPLACE_WITH_MAGIC_LINK_TOKEN\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/auth/magic-link/consume",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "auth",
                "magic-link",
                "consume"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Tenants",
      "item": [
        {
          "name": "List tenants \u2014 GET /v1/tenants",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('tenantId', arr[0].id);",
                  "      console.log('captured tenantId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Create tenant \u2014 POST /v1/tenants",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('tenantId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"slug\": \"acme-{{$timestamp}}\",\n  \"name\": \"Acme Corp {{$timestamp}}\",\n  \"plan\": \"free\",\n  \"region\": \"us-east-1\",\n  \"metadata\": {}\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants"
              ]
            }
          }
        },
        {
          "name": "Get tenant \u2014 GET /v1/tenants/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}"
              ]
            }
          }
        },
        {
          "name": "Update tenant \u2014 PATCH /v1/tenants/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"Acme Corporation\",\n  \"plan\": \"pro\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}"
              ]
            }
          }
        },
        {
          "name": "Delete tenant \u2014 DELETE /v1/tenants/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Users",
      "item": [
        {
          "name": "List users \u2014 GET /v1/users",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('userId', arr[0].id);",
                  "      console.log('captured userId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Create user \u2014 POST /v1/users",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('userId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"email\": \"alice+{{$timestamp}}@example.com\",\n  \"password\": \"Password123!\",\n  \"display_name\": \"Alice Adams\",\n  \"phone\": \"+15555550100\",\n  \"metadata\": {}\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users"
              ]
            }
          }
        },
        {
          "name": "Get user \u2014 GET /v1/users/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}"
              ]
            }
          }
        },
        {
          "name": "Update user \u2014 PATCH /v1/users/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"display_name\": \"Alice A.\",\n  \"status\": \"active\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}"
              ]
            }
          }
        },
        {
          "name": "Delete user \u2014 DELETE /v1/users/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}"
              ]
            }
          }
        },
        {
          "name": "Set password \u2014 POST /v1/users/{id}/password",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"password\": \"NewPassword123!\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/password",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "password"
              ]
            }
          }
        },
        {
          "name": "Admin reset user MFA \u2014 DELETE /v1/users/{id}/mfa",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/mfa",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "mfa"
              ]
            },
            "description": "Admin clears a user's MFA (TOTP/recovery/OTP). Requires user.write; audited as mfa.admin_reset."
          }
        }
      ]
    },
    {
      "name": "Verification",
      "item": [
        {
          "name": "Start email verification \u2014 POST /v1/users/{id}/verify/email/start",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"email\": \"alice@example.com\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/verify/email/start",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "verify",
                "email",
                "start"
              ]
            }
          }
        },
        {
          "name": "Confirm email verification \u2014 POST /v1/users/{id}/verify/email/confirm",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"123456\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/verify/email/confirm",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "verify",
                "email",
                "confirm"
              ]
            }
          }
        },
        {
          "name": "Start phone verification \u2014 POST /v1/users/{id}/verify/phone/start",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"phone\": \"+15555550100\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/verify/phone/start",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "verify",
                "phone",
                "start"
              ]
            }
          }
        },
        {
          "name": "Confirm phone verification \u2014 POST /v1/users/{id}/verify/phone/confirm",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"123456\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/verify/phone/confirm",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "verify",
                "phone",
                "confirm"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "RBAC",
      "item": [
        {
          "name": "List permissions \u2014 GET /v1/permissions",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/permissions",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "permissions"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('permissionId', arr[0].id);",
                  "      console.log('captured permissionId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "List roles \u2014 GET /v1/tenants/{tenantID}/roles",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/roles",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "roles"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('roleId', arr[0].id);",
                  "      console.log('captured roleId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Create role \u2014 POST /v1/tenants/{tenantID}/roles",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('roleId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"editor-{{$timestamp}}\",\n  \"description\": \"Can edit users and audit\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/roles",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "roles"
              ]
            }
          }
        },
        {
          "name": "Grant permission to role \u2014 POST /v1/roles/{roleID}/permissions/{permID}",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/roles/{{roleId}}/permissions/{{permissionId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "roles",
                "{{roleId}}",
                "permissions",
                "{{permissionId}}"
              ]
            }
          }
        },
        {
          "name": "Revoke permission from role \u2014 DELETE /v1/roles/{roleID}/permissions/{permID}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/roles/{{roleId}}/permissions/{{permissionId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "roles",
                "{{roleId}}",
                "permissions",
                "{{permissionId}}"
              ]
            }
          }
        },
        {
          "name": "Assign role to user \u2014 POST /v1/users/{userID}/tenants/{tenantID}/roles/{roleID}",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/tenants/{{tenantId}}/roles/{{roleId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "tenants",
                "{{tenantId}}",
                "roles",
                "{{roleId}}"
              ]
            }
          }
        },
        {
          "name": "Unassign role from user \u2014 DELETE /v1/users/{userID}/tenants/{tenantID}/roles/{roleID}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/tenants/{{tenantId}}/roles/{{roleId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "tenants",
                "{{tenantId}}",
                "roles",
                "{{roleId}}"
              ]
            }
          }
        },
        {
          "name": "Effective permissions \u2014 GET /v1/users/{userID}/tenants/{tenantID}/permissions",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/tenants/{{tenantId}}/permissions",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "tenants",
                "{{tenantId}}",
                "permissions"
              ]
            }
          }
        },
        {
          "name": "Permission check \u2014 GET /v1/check",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/check?user_id={{userId}}&tenant_id={{tenantId}}&permission=user.read",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "check"
              ],
              "query": [
                {
                  "key": "user_id",
                  "value": "{{userId}}"
                },
                {
                  "key": "tenant_id",
                  "value": "{{tenantId}}"
                },
                {
                  "key": "permission",
                  "value": "user.read"
                }
              ]
            }
          }
        },
        {
          "name": "List group roles \u2014 GET /v1/tenants/{tenantID}/groups/{groupID}/roles",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/groups/{{groupId}}/roles",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "groups",
                "{{groupId}}",
                "roles"
              ]
            }
          }
        },
        {
          "name": "Grant role to group \u2014 POST .../groups/{groupID}/roles/{roleID}",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/groups/{{groupId}}/roles/{{roleId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "groups",
                "{{groupId}}",
                "roles",
                "{{roleId}}"
              ]
            }
          }
        },
        {
          "name": "Revoke role from group \u2014 DELETE .../groups/{groupID}/roles/{roleID}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/groups/{{groupId}}/roles/{{roleId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "groups",
                "{{groupId}}",
                "roles",
                "{{roleId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Invites",
      "item": [
        {
          "name": "Create invite \u2014 POST /v1/invites",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('inviteId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"email\": \"newuser+{{$timestamp}}@example.com\",\n  \"role_id\": \"{{roleId}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/invites",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "invites"
              ]
            }
          }
        },
        {
          "name": "List invites \u2014 GET /v1/tenants/{tenantID}/invites",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/invites",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "invites"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('inviteId', arr[0].id);",
                  "      console.log('captured inviteId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke invite \u2014 DELETE /v1/invites/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/invites/{{inviteId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "invites",
                "{{inviteId}}"
              ]
            }
          }
        },
        {
          "name": "Accept invite (public) \u2014 POST /v1/invites/accept",
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"token\": \"REPLACE_WITH_INVITE_TOKEN\",\n  \"password\": \"Password123!\",\n  \"display_name\": \"New User\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/invites/accept",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "invites",
                "accept"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "MFA (TOTP)",
      "item": [
        {
          "name": "Start TOTP enrollment \u2014 POST /v1/mfa/totp/enroll/start",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"account\": \"alice@example.com\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/totp/enroll/start",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "totp",
                "enroll",
                "start"
              ]
            }
          }
        },
        {
          "name": "Confirm TOTP enrollment \u2014 POST /v1/mfa/totp/enroll/confirm",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"123456\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/totp/enroll/confirm",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "totp",
                "enroll",
                "confirm"
              ]
            }
          }
        },
        {
          "name": "Verify TOTP \u2014 POST /v1/mfa/totp/verify",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"123456\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/totp/verify",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "totp",
                "verify"
              ]
            }
          }
        },
        {
          "name": "Disable TOTP \u2014 DELETE /v1/mfa/totp",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/totp",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "totp"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "MFA (OTP, Recovery, WebAuthn, Step-up)",
      "item": [
        {
          "name": "List OTP factors \u2014 GET /v1/mfa/otp/factors",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/otp/factors",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "otp",
                "factors"
              ]
            }
          }
        },
        {
          "name": "Add OTP factor \u2014 POST /v1/mfa/otp/factors",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/otp/factors",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "otp",
                "factors"
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"channel\": \"email\",\n  \"destination\": \"owner@acme.test\"\n}"
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Status 201', () => pm.response.to.have.status(201));",
                  "const b = pm.response.json();",
                  "if (b.factor_id) pm.collectionVariables.set('otpFactorId', b.factor_id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Confirm OTP factor \u2014 POST /v1/mfa/otp/factors/{id}/confirm",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/otp/factors/{{otpFactorId}}/confirm",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "otp",
                "factors",
                "{{otpFactorId}}",
                "confirm"
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"<code-from-backend-log>\"\n}"
            }
          }
        },
        {
          "name": "Challenge OTP factor \u2014 POST /v1/mfa/otp/factors/{id}/challenge",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/otp/factors/{{otpFactorId}}/challenge",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "otp",
                "factors",
                "{{otpFactorId}}",
                "challenge"
              ]
            }
          }
        },
        {
          "name": "Verify OTP \u2014 POST /v1/mfa/otp/verify",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/otp/verify",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "otp",
                "verify"
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"<code-from-backend-log>\"\n}"
            }
          }
        },
        {
          "name": "Delete OTP factor \u2014 DELETE /v1/mfa/otp/factors/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/otp/factors/{{otpFactorId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "otp",
                "factors",
                "{{otpFactorId}}"
              ]
            }
          }
        },
        {
          "name": "Recovery codes status \u2014 GET /v1/mfa/recovery-codes",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/recovery-codes",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "recovery-codes"
              ]
            }
          }
        },
        {
          "name": "Regenerate recovery codes (step-up) \u2014 POST /v1/mfa/recovery-codes/regenerate",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/recovery-codes/regenerate",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "recovery-codes",
                "regenerate"
              ]
            }
          }
        },
        {
          "name": "WebAuthn 2FA challenge \u2014 POST /v1/mfa/webauthn/challenge",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/webauthn/challenge",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "webauthn",
                "challenge"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('Status 200', () => pm.response.to.have.status(200));",
                  "const b = pm.response.json();",
                  "if (b.session_id) pm.collectionVariables.set('mfaWebauthnSession', b.session_id);"
                ]
              }
            }
          ]
        },
        {
          "name": "WebAuthn 2FA verify \u2014 POST /v1/mfa/webauthn/verify",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/webauthn/verify",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "webauthn",
                "verify"
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"session_id\": \"{{mfaWebauthnSession}}\",\n  \"credential\": { }\n}"
            }
          }
        },
        {
          "name": "Step-up status \u2014 GET /v1/mfa/step-up/status",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/mfa/step-up/status",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "mfa",
                "step-up",
                "status"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "API Keys",
      "item": [
        {
          "name": "Create API key \u2014 POST /v1/api-keys",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id)  pm.collectionVariables.set('apiKeyId',  body.id);",
                  "if (body.raw) pm.collectionVariables.set('apiKeyRaw', body.raw);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"user_id\": \"{{userId}}\",\n  \"name\": \"CI deploy key {{$timestamp}}\",\n  \"scopes\": [\"user.read\", \"tenant.read\"]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/api-keys",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "api-keys"
              ]
            }
          }
        },
        {
          "name": "List API keys \u2014 GET /v1/tenants/{tenantID}/api-keys",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/api-keys",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "api-keys"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('apiKeyId', arr[0].id);",
                  "      console.log('captured apiKeyId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke API key \u2014 DELETE /v1/api-keys/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/api-keys/{{apiKeyId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "api-keys",
                "{{apiKeyId}}"
              ]
            }
          }
        },
        {
          "name": "Authed call with API key \u2014 GET /v1/users (ApiKey auth)",
          "request": {
            "auth": {
              "type": "apikey",
              "apikey": [
                {
                  "key": "key",
                  "value": "Authorization",
                  "type": "string"
                },
                {
                  "key": "value",
                  "value": "ApiKey {{apiKeyRaw}}",
                  "type": "string"
                },
                {
                  "key": "in",
                  "value": "header",
                  "type": "string"
                }
              ]
            },
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Service Principals (M2M)",
      "item": [
        {
          "name": "Create service principal \u2014 POST /v1/service-principals",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body) {",
                  "  if (body.client_id)     pm.collectionVariables.set('principalId',     body.client_id);",
                  "  else if (body.service_principal && body.service_principal.id)",
                  "                          pm.collectionVariables.set('principalId',     body.service_principal.id);",
                  "  if (body.client_secret) pm.collectionVariables.set('principalSecret', body.client_secret);",
                  "}"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"name\": \"build-bot-{{$timestamp}}\",\n  \"description\": \"CI/CD service account\",\n  \"scopes\": [\"user.read\", \"tenant.read\"]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/service-principals",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "service-principals"
              ]
            }
          }
        },
        {
          "name": "List service principals \u2014 GET /v1/tenants/{tenantID}/service-principals",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/service-principals",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "service-principals"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('principalId', arr[0].id);",
                  "      console.log('captured principalId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Disable service principal \u2014 DELETE /v1/service-principals/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/service-principals/{{principalId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "service-principals",
                "{{principalId}}"
              ]
            }
          }
        },
        {
          "name": "OAuth token (client_credentials) \u2014 POST /v1/oauth/token",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.access_token) pm.collectionVariables.set('accessToken', body.access_token);"
                ]
              }
            }
          ],
          "request": {
            "auth": {
              "type": "noauth"
            },
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "grant_type",
                  "value": "client_credentials",
                  "type": "text"
                },
                {
                  "key": "client_id",
                  "value": "{{principalId}}",
                  "type": "text"
                },
                {
                  "key": "client_secret",
                  "value": "{{principalSecret}}",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/token",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "token"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "OIDC (Authed)",
      "item": [
        {
          "name": "Register OIDC client \u2014 POST /v1/oidc/clients",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.client_id || (body.client && body.client.client_id)) pm.collectionVariables.set('oidcClientId', body.client_id || body.client.client_id);",
                  "if (body.client_secret) pm.collectionVariables.set('oidcClientSecret', body.client_secret);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"name\": \"My SPA {{$timestamp}}\",\n  \"type\": \"public\",\n  \"redirect_uris\": [\"http://localhost:3000/callback\"],\n  \"post_logout_uris\": [\"http://localhost:3000/\"],\n  \"grant_types\": [\"authorization_code\", \"refresh_token\"],\n  \"scopes\": [\"openid\", \"profile\", \"email\"]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oidc/clients",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oidc",
                "clients"
              ]
            }
          }
        },
        {
          "name": "Authorize \u2014 GET /v1/oauth/authorize",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/authorize?response_type=code&client_id={{oidcClientId}}&redirect_uri=http://localhost:3000/callback&scope=openid%20profile%20email&state=xyz&code_challenge=REPLACE&code_challenge_method=S256",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "authorize"
              ],
              "query": [
                {
                  "key": "response_type",
                  "value": "code"
                },
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}"
                },
                {
                  "key": "redirect_uri",
                  "value": "http://localhost:3000/callback"
                },
                {
                  "key": "scope",
                  "value": "openid profile email"
                },
                {
                  "key": "state",
                  "value": "xyz"
                },
                {
                  "key": "code_challenge",
                  "value": "REPLACE"
                },
                {
                  "key": "code_challenge_method",
                  "value": "S256"
                }
              ]
            }
          }
        },
        {
          "name": "Token (authorization_code) \u2014 POST /v1/oauth/token-code",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "grant_type",
                  "value": "authorization_code",
                  "type": "text"
                },
                {
                  "key": "code",
                  "value": "REPLACE_WITH_AUTH_CODE",
                  "type": "text"
                },
                {
                  "key": "redirect_uri",
                  "value": "http://localhost:3000/callback",
                  "type": "text"
                },
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}",
                  "type": "text"
                },
                {
                  "key": "code_verifier",
                  "value": "REPLACE_WITH_PKCE_VERIFIER",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/token-code",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "token-code"
              ]
            }
          }
        },
        {
          "name": "UserInfo \u2014 GET /v1/oauth/userinfo",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/userinfo",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "userinfo"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Passkeys (WebAuthn)",
      "item": [
        {
          "name": "List passkeys \u2014 GET /v1/passkeys",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/passkeys",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "passkeys"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('passkeyId', arr[0].id);",
                  "      console.log('captured passkeyId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete passkey \u2014 DELETE /v1/passkeys/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/passkeys/{{passkeyId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "passkeys",
                "{{passkeyId}}"
              ]
            }
          }
        },
        {
          "name": "Register begin \u2014 POST /v1/passkeys/register/begin",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/passkeys/register/begin",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "passkeys",
                "register",
                "begin"
              ]
            }
          }
        },
        {
          "name": "Register finish \u2014 POST /v1/passkeys/register/finish",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/passkeys/register/finish",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "passkeys",
                "register",
                "finish"
              ]
            }
          }
        },
        {
          "name": "Login begin \u2014 POST /v1/passkeys/login/begin",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/passkeys/login/begin",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "passkeys",
                "login",
                "begin"
              ]
            }
          }
        },
        {
          "name": "Login finish \u2014 POST /v1/passkeys/login/finish",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/passkeys/login/finish",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "passkeys",
                "login",
                "finish"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Social Login",
      "item": [
        {
          "name": "Upsert provider \u2014 POST /v1/social/providers",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"provider\": \"google\",\n  \"client_id\": \"GOOGLE_CLIENT_ID\",\n  \"client_secret\": \"GOOGLE_CLIENT_SECRET\",\n  \"discovery_url\": \"https://accounts.google.com/.well-known/openid-configuration\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/social/providers",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "social",
                "providers"
              ]
            }
          }
        },
        {
          "name": "List providers \u2014 GET /v1/tenants/{tenantID}/social/providers",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/social/providers",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "social",
                "providers"
              ]
            }
          }
        },
        {
          "name": "List linked identities \u2014 GET /v1/users/{userID}/social/identities",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/social/identities",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "social",
                "identities"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('socialIdentityId', arr[0].id);",
                  "      console.log('captured socialIdentityId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Unlink identity \u2014 DELETE /v1/social/identities/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/social/identities/{{socialIdentityId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "social",
                "identities",
                "{{socialIdentityId}}"
              ]
            }
          }
        },
        {
          "name": "OAuth start \u2014 GET /v1/social/{provider}/start",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/social/google/start",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "social",
                "google",
                "start"
              ]
            }
          }
        },
        {
          "name": "OAuth callback \u2014 GET /v1/social/{provider}/callback",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/social/google/callback",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "social",
                "google",
                "callback"
              ]
            }
          }
        },
        {
          "name": "Exchange social code \u2014 POST /v1/social/exchange",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"provider\": \"google\",\n  \"code\": \"<oauth-authorization-code>\",\n  \"redirect_uri\": \"http://localhost:3000/callback\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/social/exchange",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "social",
                "exchange"
              ]
            },
            "description": "Exchange a social provider's authorization code for a qeet-id token pair."
          }
        }
      ]
    },
    {
      "name": "Webhooks",
      "item": [
        {
          "name": "Create webhook \u2014 POST /v1/webhooks",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('webhookId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"url\": \"https://example.com/webhook/{{$timestamp}}\",\n  \"events\": [\"user.created\", \"user.updated\", \"tenant.created\"]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/webhooks",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "webhooks"
              ]
            }
          }
        },
        {
          "name": "List webhooks \u2014 GET /v1/tenants/{tenantID}/webhooks",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/webhooks",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "webhooks"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('webhookId', arr[0].id);",
                  "      console.log('captured webhookId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Disable webhook \u2014 DELETE /v1/webhooks/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/webhooks/{{webhookId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "webhooks",
                "{{webhookId}}"
              ]
            }
          }
        },
        {
          "name": "Test webhook \u2014 POST /v1/webhooks/{id}/test",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/webhooks/{{webhookId}}/test",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "webhooks",
                "{{webhookId}}",
                "test"
              ]
            }
          }
        },
        {
          "name": "Get webhook \u2014 GET /v1/webhooks/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/webhooks/{{webhookId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "webhooks",
                "{{webhookId}}"
              ]
            }
          }
        },
        {
          "name": "List deliveries \u2014 GET /v1/webhooks/{id}/deliveries",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/webhooks/{{webhookId}}/deliveries",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "webhooks",
                "{{webhookId}}",
                "deliveries"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('deliveryId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Retry delivery \u2014 POST /v1/webhooks/{id}/deliveries/{deliveryID}/retry",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/webhooks/{{webhookId}}/deliveries/{{deliveryId}}/retry",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "webhooks",
                "{{webhookId}}",
                "deliveries",
                "{{deliveryId}}",
                "retry"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Branding",
      "item": [
        {
          "name": "Get branding \u2014 GET /v1/tenants/{tenantID}/branding",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/branding",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "branding"
              ]
            }
          }
        },
        {
          "name": "Update branding \u2014 PUT /v1/tenants/{tenantID}/branding",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"logo_url\": \"https://cdn.example.com/logo.svg\",\n  \"primary_color\": \"#5b21b6\",\n  \"secondary_color\": \"#ffffff\",\n  \"custom_domain\": \"auth.acme.com\",\n  \"email_from_name\": \"Acme Auth\",\n  \"email_from_address\": \"noreply@acme.com\",\n  \"settings\": {}\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/branding",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "branding"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Policy",
      "item": [
        {
          "name": "Get policy \u2014 GET /v1/tenants/{tenantID}/policy",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/policy",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "policy"
              ]
            }
          }
        },
        {
          "name": "Update policy \u2014 PUT /v1/tenants/{tenantID}/policy",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"ip_allowlist\": [\"10.0.0.0/8\"],\n  \"ip_denylist\": [],\n  \"password_min_length\": 12,\n  \"password_complexity\": \"standard\",\n  \"session_max_age\": \"720h\",\n  \"mfa_enforcement\": \"optional\",\n  \"settings\": {}\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/policy",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "policy"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Audit",
      "item": [
        {
          "name": "List audit events \u2014 GET /v1/tenants/{tenantID}/audit",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/audit?limit=50",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "audit"
              ],
              "query": [
                {
                  "key": "limit",
                  "value": "50"
                },
                {
                  "key": "cursor",
                  "value": "",
                  "disabled": true
                },
                {
                  "key": "action",
                  "value": "",
                  "disabled": true
                },
                {
                  "key": "resource_type",
                  "value": "",
                  "disabled": true
                },
                {
                  "key": "actor_user_id",
                  "value": "",
                  "disabled": true
                }
              ]
            }
          }
        },
        {
          "name": "Verify audit chain \u2014 GET /v1/tenants/{tenantID}/audit/verify",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/audit/verify",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "audit",
                "verify"
              ]
            },
            "description": "Verifies the tamper-evident hash chain across audit events for the tenant. Returns ok=true plus the verified range; ok=false with break_at when a tampered row is detected."
          }
        }
      ]
    },
    {
      "name": "Analytics",
      "item": [
        {
          "name": "Tenant analytics overview \u2014 GET /v1/tenants/{tenantID}/analytics/overview",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/analytics/overview",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "analytics",
                "overview"
              ]
            },
            "description": "Returns rollup metrics for the admin dashboard: total users, MAU, signups vs prior period, signins, failure rates, weekly activity (last 8 weeks)."
          }
        }
      ]
    },
    {
      "name": "Admin / Outbox",
      "item": [
        {
          "name": "List DLQ events \u2014 GET /v1/admin/outbox/dlq",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/admin/outbox/dlq?limit=50",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "admin",
                "outbox",
                "dlq"
              ],
              "query": [
                {
                  "key": "limit",
                  "value": "50"
                }
              ]
            },
            "description": "Inspects dead-lettered outbox events for ops triage. Requires platform-admin gating in the deployment."
          }
        }
      ]
    },
    {
      "name": "GDPR",
      "item": [
        {
          "name": "Create purge request \u2014 POST /v1/gdpr/purge",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('gdprRequestId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"user_id\": \"{{userId}}\",\n  \"reason\": \"User requested account deletion via support\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/gdpr/purge",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "gdpr",
                "purge"
              ]
            }
          }
        },
        {
          "name": "List purge requests \u2014 GET /v1/tenants/{tenantID}/gdpr/purge",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/gdpr/purge",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "gdpr",
                "purge"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('gdprRequestId', arr[0].id);",
                  "      console.log('captured gdprRequestId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Cancel purge request \u2014 DELETE /v1/gdpr/purge/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/gdpr/purge/{{gdprRequestId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "gdpr",
                "purge",
                "{{gdprRequestId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Groups",
      "item": [
        {
          "name": "Create group \u2014 POST /v1/groups",
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const body = pm.response.json();",
                  "if (body.id) pm.collectionVariables.set('groupId', body.id);"
                ]
              }
            }
          ],
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"parent_id\": null,\n  \"name\": \"Engineering-{{$timestamp}}\",\n  \"description\": \"Engineering organisation\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/groups",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "groups"
              ]
            }
          }
        },
        {
          "name": "List groups \u2014 GET /v1/tenants/{tenantID}/groups",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/groups",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "groups"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "if (pm.response && pm.response.code === 200) {",
                  "  try {",
                  "    const body = pm.response.json();",
                  "    const arr = body && body.items;",
                  "    if (Array.isArray(arr) && arr.length > 0 && arr[0].id) {",
                  "      pm.collectionVariables.set('groupId', arr[0].id);",
                  "      console.log('captured groupId =', arr[0].id);",
                  "    }",
                  "  } catch (e) {}",
                  "}"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete group \u2014 DELETE /v1/groups/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/groups/{{groupId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "groups",
                "{{groupId}}"
              ]
            }
          }
        },
        {
          "name": "Add member \u2014 POST /v1/groups/{id}/members/{userID}",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/groups/{{groupId}}/members/{{userId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "groups",
                "{{groupId}}",
                "members",
                "{{userId}}"
              ]
            }
          }
        },
        {
          "name": "Remove member \u2014 DELETE /v1/groups/{id}/members/{userID}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/groups/{{groupId}}/members/{{userId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "groups",
                "{{groupId}}",
                "members",
                "{{userId}}"
              ]
            }
          }
        },
        {
          "name": "List members \u2014 GET /v1/groups/{id}/members",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/groups/{{groupId}}/members",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "groups",
                "{{groupId}}",
                "members"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "SCIM 2.0",
      "item": [
        {
          "name": "Get SCIM config \u2014 GET /v1/tenants/{tenantID}/scim",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/scim",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "scim"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Rotate SCIM token \u2014 POST /v1/tenants/{tenantID}/scim/token",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/scim/token",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "scim",
                "token"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "const b = pm.response.json();",
                  "if (b.token) pm.collectionVariables.set('scimToken', b.token);"
                ]
              }
            }
          ]
        },
        {
          "name": "List provisioned users \u2014 GET /v1/tenants/{tenantID}/scim/users",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/scim/users",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "scim",
                "users"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "[scim] ServiceProviderConfig \u2014 GET /scim/v2/ServiceProviderConfig",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/ServiceProviderConfig",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "ServiceProviderConfig"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "[scim] Create user \u2014 POST /scim/v2/Users",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"schemas\": [\n    \"urn:ietf:params:scim:schemas:core:2.0:User\"\n  ],\n  \"userName\": \"scim.user@example.com\",\n  \"displayName\": \"SCIM User\",\n  \"active\": true\n}"
            },
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Users",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Users"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "// chain: remember the created SCIM user id",
                  "try { const b = pm.response.json(); if (b.id) pm.collectionVariables.set('scimUserId', b.id); } catch (e) {}"
                ]
              }
            }
          ]
        },
        {
          "name": "[scim] List users \u2014 GET /scim/v2/Users",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Users",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Users"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "try { const r = pm.response.json(); const a = r.Resources || []; if (a.length) pm.collectionVariables.set('scimUserId', a[0].id); } catch (e) {}"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke SCIM token \u2014 DELETE /v1/tenants/{tenantID}/scim/token",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/scim/token",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "scim",
                "token"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "[scim] ResourceTypes \u2014 GET /scim/v2/ResourceTypes",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/ResourceTypes",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "ResourceTypes"
              ]
            }
          }
        },
        {
          "name": "[scim] Schemas \u2014 GET /scim/v2/Schemas",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Schemas",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Schemas"
              ]
            }
          }
        },
        {
          "name": "[scim] Get user \u2014 GET /scim/v2/Users/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Users/{{scimUserId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Users",
                "{{scimUserId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] Replace user \u2014 PUT /scim/v2/Users/{id}",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/scim+json"
              }
            ],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"schemas\": [\n    \"urn:ietf:params:scim:schemas:core:2.0:User\"\n  ],\n  \"userName\": \"alice+{{$timestamp}}@example.com\",\n  \"displayName\": \"Alice Adams\",\n  \"active\": true,\n  \"name\": {\n    \"givenName\": \"Alice\",\n    \"familyName\": \"Adams\"\n  },\n  \"emails\": [\n    {\n      \"value\": \"alice+{{$timestamp}}@example.com\",\n      \"primary\": true\n    }\n  ]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Users/{{scimUserId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Users",
                "{{scimUserId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] Patch user (deprovision) \u2014 PATCH /scim/v2/Users/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/scim+json"
              }
            ],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"schemas\": [\n    \"urn:ietf:params:scim:api:messages:2.0:PatchOp\"\n  ],\n  \"Operations\": [\n    {\n      \"op\": \"replace\",\n      \"path\": \"active\",\n      \"value\": false\n    }\n  ]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Users/{{scimUserId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Users",
                "{{scimUserId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] Delete user \u2014 DELETE /scim/v2/Users/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Users/{{scimUserId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Users",
                "{{scimUserId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] List groups \u2014 GET /scim/v2/Groups",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Groups",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Groups"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "try { const r = pm.response.json(); const a = r.Resources || []; if (a.length) pm.collectionVariables.set('scimGroupId', a[0].id); } catch (e) {}"
                ]
              }
            }
          ]
        },
        {
          "name": "[scim] Create group \u2014 POST /scim/v2/Groups",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/scim+json"
              }
            ],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"schemas\": [\n    \"urn:ietf:params:scim:schemas:core:2.0:Group\"\n  ],\n  \"displayName\": \"Engineering {{$timestamp}}\",\n  \"members\": []\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Groups",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Groups"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id !== undefined) pm.collectionVariables.set('scimGroupId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "[scim] Get group \u2014 GET /scim/v2/Groups/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Groups/{{scimGroupId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Groups",
                "{{scimGroupId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] Replace group \u2014 PUT /scim/v2/Groups/{id}",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/scim+json"
              }
            ],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"schemas\": [\n    \"urn:ietf:params:scim:schemas:core:2.0:Group\"\n  ],\n  \"displayName\": \"Engineering {{$timestamp}}\",\n  \"members\": []\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Groups/{{scimGroupId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Groups",
                "{{scimGroupId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] Patch group \u2014 PATCH /scim/v2/Groups/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/scim+json"
              }
            ],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"schemas\": [\n    \"urn:ietf:params:scim:api:messages:2.0:PatchOp\"\n  ],\n  \"Operations\": [\n    {\n      \"op\": \"replace\",\n      \"path\": \"displayName\",\n      \"value\": \"Engineering Renamed\"\n    }\n  ]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Groups/{{scimGroupId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Groups",
                "{{scimGroupId}}"
              ]
            }
          }
        },
        {
          "name": "[scim] Delete group \u2014 DELETE /scim/v2/Groups/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{scimToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/scim/v2/Groups/{{scimGroupId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "scim",
                "v2",
                "Groups",
                "{{scimGroupId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "SAML 2.0 SSO",
      "item": [
        {
          "name": "Create connection \u2014 POST /v1/tenants/{tenantID}/saml",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"Acme Okta\",\n  \"idp_entity_id\": \"https://idp.example.com/entity\",\n  \"idp_sso_url\": \"https://idp.example.com/sso\",\n  \"idp_certificate\": \"{{samlIdpCert}}\",\n  \"email_attribute\": \"email\",\n  \"name_attribute\": \"displayName\",\n  \"status\": \"active\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "const b = pm.response.json();",
                  "if (b.id) pm.collectionVariables.set('samlConnId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "List connections \u2014 GET /v1/tenants/{tenantID}/saml",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Get connection \u2014 GET /v1/tenants/{tenantID}/saml/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml/{{samlConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml",
                "{{samlConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Update connection \u2014 PATCH /v1/tenants/{tenantID}/saml/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"status\": \"disabled\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml/{{samlConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml",
                "{{samlConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "SP metadata (public) \u2014 GET /saml/metadata/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/saml/metadata/{{samlConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "metadata",
                "{{samlConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Login redirect (public) \u2014 GET /saml/login/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/saml/login/{{samlConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "login",
                "{{samlConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Exchange code (public) \u2014 POST /saml/exchange",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"code\": \"{{samlCode}}\"\n}"
            },
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/saml/exchange",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "exchange"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete connection \u2014 DELETE /v1/tenants/{tenantID}/saml/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml/{{samlConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml",
                "{{samlConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Test SAML connection \u2014 POST /v1/tenants/{tenantID}/saml/{id}/test",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml/{{samlConnId}}/test",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml",
                "{{samlConnId}}",
                "test"
              ]
            },
            "description": "Preflight-validate an inbound SAML IdP connection before rollout."
          }
        },
        {
          "name": "List SAML SPs (IdP side) \u2014 GET /v1/tenants/{tenantID}/saml-providers",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml-providers",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml-providers"
              ]
            }
          }
        },
        {
          "name": "Register SAML SP (IdP side) \u2014 POST /v1/tenants/{tenantID}/saml-providers",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"Downstream SP {{$timestamp}}\",\n  \"entity_id\": \"https://sp.example.com/saml/metadata\",\n  \"acs_url\": \"https://sp.example.com/saml/acs\",\n  \"name_id_format\": \"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\n  \"name_id_attribute\": \"email\",\n  \"certificate\": \"\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml-providers",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml-providers"
              ]
            },
            "description": "Register a downstream service provider that trusts Qeet as its SAML IdP."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id !== undefined) pm.collectionVariables.set('samlSpId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Get SAML SP \u2014 GET /v1/tenants/{tenantID}/saml-providers/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml-providers/{{samlSpId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml-providers",
                "{{samlSpId}}"
              ]
            }
          }
        },
        {
          "name": "Update SAML SP \u2014 PATCH /v1/tenants/{tenantID}/saml-providers/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"Downstream SP {{$timestamp}}\",\n  \"entity_id\": \"https://sp.example.com/saml/metadata\",\n  \"acs_url\": \"https://sp.example.com/saml/acs\",\n  \"name_id_format\": \"urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress\",\n  \"name_id_attribute\": \"email\",\n  \"certificate\": \"\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml-providers/{{samlSpId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml-providers",
                "{{samlSpId}}"
              ]
            }
          }
        },
        {
          "name": "Delete SAML SP \u2014 DELETE /v1/tenants/{tenantID}/saml-providers/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/saml-providers/{{samlSpId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "saml-providers",
                "{{samlSpId}}"
              ]
            }
          }
        },
        {
          "name": "[acs] Assertion Consumer Service \u2014 POST /saml/acs/{id}",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "SAMLResponse",
                  "value": "<base64-saml-response>",
                  "type": "text"
                },
                {
                  "key": "RelayState",
                  "value": "",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/saml/acs/{{samlConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "acs",
                "{{samlConnId}}"
              ]
            },
            "description": "SP-side ACS (CSRF-exempt, signature-validated). The IdP POSTs the assertion here."
          }
        },
        {
          "name": "[idp] IdP metadata \u2014 GET /saml/idp/metadata",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/saml/idp/metadata",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "idp",
                "metadata"
              ]
            },
            "description": "Qeet-as-IdP metadata XML (public)."
          }
        },
        {
          "name": "[idp] IdP SSO (redirect binding) \u2014 GET /saml/idp/sso",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/saml/idp/sso?SAMLRequest=<deflated-base64>&RelayState=",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "idp",
                "sso"
              ],
              "query": [
                {
                  "key": "SAMLRequest",
                  "value": "<deflated-base64>"
                },
                {
                  "key": "RelayState",
                  "value": ""
                }
              ]
            }
          }
        },
        {
          "name": "[idp] IdP SSO (POST binding) \u2014 POST /saml/idp/sso",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "SAMLRequest",
                  "value": "<base64-saml-request>",
                  "type": "text"
                },
                {
                  "key": "RelayState",
                  "value": "",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/saml/idp/sso",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "saml",
                "idp",
                "sso"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "LDAP / Active Directory",
      "item": [
        {
          "name": "Create connection \u2014 POST /v1/tenants/{tenantID}/ldap",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"Corp AD\",\n  \"server_url\": \"ldaps://ldap.corp.example.com:636\",\n  \"bind_dn\": \"cn=qeetid-svc,ou=ServiceAccounts,dc=corp,dc=example,dc=com\",\n  \"bind_password\": \"service-account-password\",\n  \"base_dn\": \"ou=People,dc=corp,dc=example,dc=com\",\n  \"user_filter\": \"(uid=%s)\",\n  \"email_attribute\": \"mail\",\n  \"name_attribute\": \"cn\",\n  \"status\": \"active\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ldap",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ldap"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "const b = pm.response.json();",
                  "if (b.id) pm.collectionVariables.set('ldapConnId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "List connections \u2014 GET /v1/tenants/{tenantID}/ldap",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ldap",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ldap"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Get connection \u2014 GET /v1/tenants/{tenantID}/ldap/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ldap/{{ldapConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ldap",
                "{{ldapConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Update connection \u2014 PATCH /v1/tenants/{tenantID}/ldap/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"status\": \"active\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ldap/{{ldapConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ldap",
                "{{ldapConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Test bind \u2014 POST /v1/tenants/{tenantID}/ldap/{id}/test",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ldap/{{ldapConnId}}/test",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ldap",
                "{{ldapConnId}}",
                "test"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Authenticate (public) \u2014 POST /ldap/{id}/authenticate",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"username\": \"alice\",\n  \"password\": \"Passw0rd!\"\n}"
            },
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/ldap/{{ldapConnId}}/authenticate",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "ldap",
                "{{ldapConnId}}",
                "authenticate"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete connection \u2014 DELETE /v1/tenants/{tenantID}/ldap/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ldap/{{ldapConnId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ldap",
                "{{ldapConnId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Auth Policy",
      "item": [
        {
          "name": "Get auth policy \u2014 GET /v1/tenants/{tenantID}/auth-policy",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/auth-policy",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "auth-policy"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Update auth policy \u2014 PUT /v1/tenants/{tenantID}/auth-policy",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"password_enabled\": true,\n  \"password_min_length\": 12,\n  \"password_require_uppercase\": true,\n  \"password_require_number\": true,\n  \"password_require_symbol\": false,\n  \"magic_link_enabled\": true,\n  \"magic_link_ttl_minutes\": 30,\n  \"passkey_enabled\": true,\n  \"otp_email_enabled\": false,\n  \"otp_sms_enabled\": false\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/auth-policy",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "auth-policy"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "IP Allow/Deny Rules",
      "item": [
        {
          "name": "List rules + enforcement \u2014 GET /v1/tenants/{tenantID}/ip-rules",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ip-rules",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ip-rules"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Set enforcement \u2014 PUT /v1/tenants/{tenantID}/ip-rules/config",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"enabled\": true\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ip-rules/config",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ip-rules",
                "config"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Add rule \u2014 POST /v1/tenants/{tenantID}/ip-rules",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"cidr\": \"203.0.113.0/24\",\n  \"label\": \"Office NYC\",\n  \"action\": \"allow\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ip-rules",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ip-rules"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "const b = pm.response.json();",
                  "if (b.id) pm.collectionVariables.set('ipRuleId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Check an address \u2014 POST /v1/tenants/{tenantID}/ip-rules/check",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"ip\": \"203.0.113.5\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ip-rules/check",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ip-rules",
                "check"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete rule \u2014 DELETE /v1/tenants/{tenantID}/ip-rules/{ruleID}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/ip-rules/{{ipRuleId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "ip-rules",
                "{{ipRuleId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Email Templates",
      "item": [
        {
          "name": "List templates \u2014 GET /v1/tenants/{tenantID}/email-templates",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/email-templates",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "email-templates"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Get template \u2014 GET /v1/tenants/{tenantID}/email-templates/{key}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/email-templates/{{emailTemplateKey}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "email-templates",
                "{{emailTemplateKey}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Override template \u2014 PUT /v1/tenants/{tenantID}/email-templates/{key}",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"subject\": \"Verify your email\",\n  \"body\": \"Use code 123456 to verify. It expires in 10 minutes.\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/email-templates/{{emailTemplateKey}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "email-templates",
                "{{emailTemplateKey}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Preview template \u2014 POST /v1/tenants/{tenantID}/email-templates/{key}/preview",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"vars\": {\n    \"code\": \"482913\",\n    \"ttl\": \"10m\"\n  }\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/email-templates/{{emailTemplateKey}}/preview",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "email-templates",
                "{{emailTemplateKey}}",
                "preview"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Reset to default \u2014 DELETE /v1/tenants/{tenantID}/email-templates/{key}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/email-templates/{{emailTemplateKey}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "email-templates",
                "{{emailTemplateKey}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Secrets Vault",
      "item": [
        {
          "name": "List secrets \u2014 GET /v1/tenants/{tenantID}/secrets",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/secrets",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "secrets"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Create secret \u2014 POST /v1/tenants/{tenantID}/secrets",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"stripe.api_key\",\n  \"scope\": \"billing\",\n  \"value\": \"sk_live_example_0123456789\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/secrets",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "secrets"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));",
                  "const b = pm.response.json();",
                  "if (b.id) pm.collectionVariables.set('secretId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Reveal secret \u2014 POST /v1/tenants/{tenantID}/secrets/{id}/reveal",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/secrets/{{secretId}}/reveal",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "secrets",
                "{{secretId}}",
                "reveal"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Rotate secret \u2014 PATCH /v1/tenants/{tenantID}/secrets/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"value\": \"sk_live_rotated_9876543210\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/secrets/{{secretId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "secrets",
                "{{secretId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete secret \u2014 DELETE /v1/tenants/{tenantID}/secrets/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/secrets/{{secretId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "secrets",
                "{{secretId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Vault read by name \u2014 GET /v1/vault/{name}",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "bearer",
              "bearer": [
                {
                  "key": "token",
                  "value": "{{agentAccessToken}}",
                  "type": "string"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/v1/vault/{{secretName}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "vault",
                "{{secretName}}"
              ]
            },
            "description": "Token vaulting: fetch a secret by name with a scoped principal (e.g. an AI agent). Requires scope vault:<name> or vault:read \u2014 uses {{agentAccessToken}}. Set {{secretName}} to a secret created in this folder."
          }
        }
      ]
    },
    {
      "name": "Data Retention",
      "item": [
        {
          "name": "Get retention policy \u2014 GET /v1/tenants/{tenantID}/retention",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/retention",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "retention"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Update retention policy \u2014 PUT /v1/tenants/{tenantID}/retention",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"deleted_users_enabled\": false,\n  \"deleted_users_days\": 30\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/retention",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "retention"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Preview ripe users \u2014 POST /v1/tenants/{tenantID}/retention/preview",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/retention/preview",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "retention",
                "preview"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Run purge now \u2014 POST /v1/tenants/{tenantID}/retention/run",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/retention/run",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "retention",
                "run"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Billing",
      "item": [
        {
          "name": "List plans \u2014 GET /v1/billing/plans",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/billing/plans",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "billing",
                "plans"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Get subscription \u2014 GET /v1/tenants/{tenantID}/billing/subscription",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/billing/subscription",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "billing",
                "subscription"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Subscribe / change plan \u2014 PUT /v1/tenants/{tenantID}/billing/subscription",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"plan_code\": \"pro\",\n  \"currency\": \"USD\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/billing/subscription",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "billing",
                "subscription"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "List invoices \u2014 GET /v1/tenants/{tenantID}/billing/invoices",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/billing/invoices",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "billing",
                "invoices"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Cancel at period end \u2014 POST /v1/tenants/{tenantID}/billing/subscription/cancel",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/billing/subscription/cancel",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "billing",
                "subscription",
                "cancel"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Start checkout \u2014 POST /v1/tenants/{tenantID}/billing/checkout",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"plan_code\": \"pro\",\n  \"currency\": \"USD\",\n  \"success_url\": \"http://localhost:3000/billing/success\",\n  \"cancel_url\": \"http://localhost:3000/billing/cancel\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/billing/checkout",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "billing",
                "checkout"
              ]
            },
            "description": "Begin a paid plan change via hosted Stripe/Razorpay checkout. Requires the provider env keys to be configured server-side."
          }
        },
        {
          "name": "Payment webhook \u2014 POST /v1/billing/webhooks/stripe",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"id\": \"evt_test\",\n  \"type\": \"checkout.session.completed\",\n  \"data\": {\n    \"object\": {}\n  }\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/billing/webhooks/stripe",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "billing",
                "webhooks",
                "stripe"
              ]
            },
            "description": "Provider webhook (path is the provider: stripe | razorpay). Signature-verified server-side \u2014 Postman calls will be rejected without a valid provider signature."
          }
        }
      ]
    },
    {
      "name": "OAuth Grants",
      "item": [
        {
          "name": "List active grants \u2014 GET /v1/tenants/{tenantID}/oauth/grants",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oauth/grants",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oauth",
                "grants"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke grant \u2014 DELETE /v1/tenants/{tenantID}/oauth/grants/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oauth/grants/{{grantId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oauth",
                "grants",
                "{{grantId}}"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Users \u2014 Recycle Bin",
      "item": [
        {
          "name": "List deleted users \u2014 GET /v1/users/deleted",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/deleted",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "deleted"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('2xx', () => pm.expect(pm.response.code).to.be.below(300));"
                ]
              }
            }
          ]
        },
        {
          "name": "Restore user \u2014 POST /v1/users/{id}/restore",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/restore",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "restore"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        },
        {
          "name": "Purge user \u2014 DELETE /v1/users/{id}/purge",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/users/{{userId}}/purge",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "users",
                "{{userId}}",
                "purge"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "pm.test('endpoint reachable', () => pm.expect(pm.response.code).to.be.below(500));"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "OAuth 2.0 & OIDC Flows",
      "item": [
        {
          "name": "Login context \u2014 GET /v1/oauth/login-context",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/login-context?request_id={{authRequestId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "login-context"
              ],
              "query": [
                {
                  "key": "request_id",
                  "value": "{{authRequestId}}"
                }
              ]
            },
            "description": "Hosted-login UI context for an in-flight authorize request (client name, providers)."
          }
        },
        {
          "name": "Authorize decision (consent) \u2014 POST /v1/oauth/authorize/decision",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"request_id\": \"{{authRequestId}}\",\n  \"decision\": \"allow\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/authorize/decision",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "authorize",
                "decision"
              ]
            },
            "description": "Record the user's consent decision; returns the authorization code redirect."
          }
        },
        {
          "name": "Device authorization \u2014 POST /v1/oauth/device_authorization",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}",
                  "type": "text"
                },
                {
                  "key": "client_secret",
                  "value": "{{oidcClientSecret}}",
                  "type": "text"
                },
                {
                  "key": "scope",
                  "value": "openid profile",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/device_authorization",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "device_authorization"
              ]
            },
            "description": "RFC 8628 \u00a73.1 device flow initiation."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.device_code) pm.collectionVariables.set('deviceCode', b.device_code);",
                  "if (b.user_code) pm.collectionVariables.set('userCode', b.user_code);"
                ]
              }
            }
          ]
        },
        {
          "name": "Device verification context \u2014 GET /v1/oauth/device",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/device?user_code={{userCode}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "device"
              ],
              "query": [
                {
                  "key": "user_code",
                  "value": "{{userCode}}"
                }
              ]
            }
          }
        },
        {
          "name": "Device decision (approve) \u2014 POST /v1/oauth/device/decision",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"user_code\": \"{{userCode}}\",\n  \"approve\": true\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/device/decision",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "device",
                "decision"
              ]
            }
          }
        },
        {
          "name": "RP-initiated logout \u2014 GET /v1/oauth/logout",
          "request": {
            "method": "GET",
            "header": [],
            "auth": {
              "type": "noauth"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/logout?post_logout_redirect_uri=http://localhost:3000/",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "logout"
              ],
              "query": [
                {
                  "key": "post_logout_redirect_uri",
                  "value": "http://localhost:3000/"
                }
              ]
            }
          }
        },
        {
          "name": "RP-initiated logout \u2014 POST /v1/oauth/logout",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"id_token_hint\": \"\",\n  \"post_logout_redirect_uri\": \"http://localhost:3000/\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/logout",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "logout"
              ]
            }
          }
        },
        {
          "name": "Token revoke (RFC 7009) \u2014 POST /oauth/revoke",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "token",
                  "value": "{{refreshToken}}",
                  "type": "text"
                },
                {
                  "key": "token_type_hint",
                  "value": "refresh_token",
                  "type": "text"
                },
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}",
                  "type": "text"
                },
                {
                  "key": "client_secret",
                  "value": "{{oidcClientSecret}}",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/oauth/revoke",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "oauth",
                "revoke"
              ]
            },
            "description": "Root-level (no /v1). Client-authenticated. Always returns 200 per the RFC."
          }
        },
        {
          "name": "Token introspect (RFC 7662) \u2014 POST /oauth/introspect",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "token",
                  "value": "{{accessToken}}",
                  "type": "text"
                },
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}",
                  "type": "text"
                },
                {
                  "key": "client_secret",
                  "value": "{{oidcClientSecret}}",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/oauth/introspect",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "oauth",
                "introspect"
              ]
            },
            "description": "Root-level (no /v1). Client-authenticated. Returns {active, scope, actor_type, ...}."
          }
        },
        {
          "name": "Signing keys metadata \u2014 GET /v1/oidc/signing-keys",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/oidc/signing-keys",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oidc",
                "signing-keys"
              ]
            },
            "description": "Issuer signing-key metadata (no private key material)."
          }
        },
        {
          "name": "Token exchange (RFC 8693) \u2014 POST /v1/oauth/token-code",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "grant_type",
                  "value": "urn:ietf:params:oauth:grant-type:token-exchange",
                  "type": "text"
                },
                {
                  "key": "subject_token",
                  "value": "{{accessToken}}",
                  "type": "text"
                },
                {
                  "key": "subject_token_type",
                  "value": "urn:ietf:params:oauth:token-type:access_token",
                  "type": "text"
                },
                {
                  "key": "requested_token_type",
                  "value": "urn:ietf:params:oauth:token-type:access_token",
                  "type": "text"
                },
                {
                  "key": "scope",
                  "value": "user.read",
                  "type": "text"
                },
                {
                  "key": "actor_token",
                  "value": "{{agentAccessToken}}",
                  "type": "text"
                },
                {
                  "key": "actor_token_type",
                  "value": "urn:ietf:params:oauth:token-type:access_token",
                  "type": "text"
                },
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}",
                  "type": "text"
                },
                {
                  "key": "client_secret",
                  "value": "{{oidcClientSecret}}",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/token-code",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "token-code"
              ]
            },
            "description": "RFC 8693 token exchange via the shared /v1/oauth/token-code endpoint. Downscope-only (never escalates). Drop actor_token for plain downscoping; include it for delegation (records an `act` claim). Requires the client to be permitted the token-exchange grant."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.access_token) pm.collectionVariables.set('exchangedToken', b.access_token);"
                ]
              }
            }
          ]
        },
        {
          "name": "Device token poll \u2014 POST /v1/oauth/token-code",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/x-www-form-urlencoded"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "urlencoded",
              "urlencoded": [
                {
                  "key": "grant_type",
                  "value": "urn:ietf:params:oauth:grant-type:device_code",
                  "type": "text"
                },
                {
                  "key": "device_code",
                  "value": "{{deviceCode}}",
                  "type": "text"
                },
                {
                  "key": "client_id",
                  "value": "{{oidcClientId}}",
                  "type": "text"
                }
              ]
            },
            "url": {
              "raw": "{{baseUrl}}/v1/oauth/token-code",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oauth",
                "token-code"
              ]
            },
            "description": "RFC 8628 \u00a73.4 device-code polling against the shared /v1/oauth/token-code endpoint. Poll after Device authorization + Device decision (approve)."
          }
        }
      ]
    },
    {
      "name": "OIDC Client Management",
      "item": [
        {
          "name": "List OIDC clients \u2014 GET /v1/tenants/{tenantID}/oidc/clients",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oidc/clients",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oidc",
                "clients"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json(); const a = r.items || [];",
                  "if (a.length) { pm.collectionVariables.set('oidcClientRowId', a[0].id);",
                  "  if (a[0].client_id) pm.collectionVariables.set('oidcClientId', a[0].client_id); }"
                ]
              }
            }
          ]
        },
        {
          "name": "Create OIDC client \u2014 POST /v1/tenants/{tenantID}/oidc/clients",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"tenant_id\": \"{{tenantId}}\",\n  \"name\": \"My SPA {{$timestamp}}\",\n  \"type\": \"confidential\",\n  \"redirect_uris\": [\n    \"http://localhost:3000/callback\"\n  ],\n  \"post_logout_uris\": [\n    \"http://localhost:3000/\"\n  ],\n  \"grant_types\": [\n    \"authorization_code\",\n    \"refresh_token\"\n  ],\n  \"scopes\": [\n    \"openid\",\n    \"profile\",\n    \"email\"\n  ]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oidc/clients",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oidc",
                "clients"
              ]
            },
            "description": "Register a confidential OIDC client under the tenant. Returns the row id (used by PATCH/DELETE/rotate) plus the public client_id and one-time client_secret."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json(); const cl = b.client || b;",
                  "if (cl.id) pm.collectionVariables.set('oidcClientRowId', cl.id);",
                  "if (cl.client_id) pm.collectionVariables.set('oidcClientId', cl.client_id);",
                  "if (b.client_secret) pm.collectionVariables.set('oidcClientSecret', b.client_secret);"
                ]
              }
            }
          ]
        },
        {
          "name": "Get OIDC client \u2014 GET /v1/tenants/{tenantID}/oidc/clients/{id}",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oidc/clients/{{oidcClientRowId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oidc",
                "clients",
                "{{oidcClientRowId}}"
              ]
            }
          }
        },
        {
          "name": "Update OIDC client \u2014 PATCH /v1/tenants/{tenantID}/oidc/clients/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"Renamed SPA\",\n  \"redirect_uris\": [\n    \"http://localhost:3000/callback\"\n  ],\n  \"scopes\": [\n    \"openid\",\n    \"profile\",\n    \"email\"\n  ]\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oidc/clients/{{oidcClientRowId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oidc",
                "clients",
                "{{oidcClientRowId}}"
              ]
            }
          }
        },
        {
          "name": "Rotate client secret \u2014 POST .../oidc/clients/{id}/rotate-secret",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oidc/clients/{{oidcClientRowId}}/rotate-secret",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oidc",
                "clients",
                "{{oidcClientRowId}}",
                "rotate-secret"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.client_secret) pm.collectionVariables.set('oidcClientSecret', b.client_secret);"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete OIDC client \u2014 DELETE /v1/tenants/{tenantID}/oidc/clients/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oidc/clients/{{oidcClientRowId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oidc",
                "clients",
                "{{oidcClientRowId}}"
              ]
            }
          }
        },
        {
          "name": "Delete OIDC client (by scope) \u2014 DELETE /v1/oidc/clients/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/oidc/clients/{{oidcClientRowId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "oidc",
                "clients",
                "{{oidcClientRowId}}"
              ]
            },
            "description": "Tenant-scoped by the caller's token; takes the client row id."
          }
        },
        {
          "name": "List device authorizations \u2014 GET /v1/tenants/{tenantID}/oauth/devices",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oauth/devices",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oauth",
                "devices"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('deviceAuthId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke device authorization \u2014 DELETE .../oauth/devices/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/oauth/devices/{{deviceAuthId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "oauth",
                "devices",
                "{{deviceAuthId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "ReBAC (Relationships)",
      "item": [
        {
          "name": "List relation tuples \u2014 GET /v1/tenants/{tenantID}/relation-tuples",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/relation-tuples?object=document:readme",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "relation-tuples"
              ],
              "query": [
                {
                  "key": "object",
                  "value": "document:readme"
                }
              ]
            },
            "description": "Fine-grained authz tuples on an object. The 'object' query param is required."
          }
        },
        {
          "name": "Write relation tuple \u2014 POST /v1/tenants/{tenantID}/relation-tuples",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"object\": \"document:readme\",\n  \"relation\": \"owner\",\n  \"subject\": \"user:{{userId}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/relation-tuples",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "relation-tuples"
              ]
            },
            "description": "subject may be 'user:<id>' or a userset like 'team:eng#member'."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id !== undefined) pm.collectionVariables.set('relationTupleId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Check relation \u2014 POST /v1/tenants/{tenantID}/relation-tuples/check",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"object\": \"document:readme\",\n  \"relation\": \"owner\",\n  \"user_id\": \"{{userId}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/relation-tuples/check",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "relation-tuples",
                "check"
              ]
            },
            "description": "Recursive userset check (with cycle guard). Returns {allowed: bool}."
          }
        },
        {
          "name": "Delete relation tuple \u2014 DELETE /v1/tenants/{tenantID}/relation-tuples/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/relation-tuples/{{relationTupleId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "relation-tuples",
                "{{relationTupleId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Security & Threat Detection",
      "item": [
        {
          "name": "List anomalies \u2014 GET /v1/tenants/{tenantID}/security/anomalies",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/security/anomalies",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "security",
                "anomalies"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('anomalyId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Anomaly summary \u2014 GET /v1/tenants/{tenantID}/security/anomalies/summary",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/security/anomalies/summary",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "security",
                "anomalies",
                "summary"
              ]
            }
          }
        },
        {
          "name": "Resolve anomaly \u2014 POST .../security/anomalies/{id}/resolve",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/security/anomalies/{{anomalyId}}/resolve",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "security",
                "anomalies",
                "{{anomalyId}}",
                "resolve"
              ]
            }
          }
        },
        {
          "name": "Bot telemetry \u2014 GET /v1/tenants/{tenantID}/security/bots",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/security/bots",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "security",
                "bots"
              ]
            }
          }
        },
        {
          "name": "Get bot settings \u2014 GET /v1/tenants/{tenantID}/security/bots/settings",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/security/bots/settings",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "security",
                "bots",
                "settings"
              ]
            }
          }
        },
        {
          "name": "Update bot settings \u2014 PUT /v1/tenants/{tenantID}/security/bots/settings",
          "request": {
            "method": "PUT",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"ua_check\": true,\n  \"honeypot\": true,\n  \"captcha\": false,\n  \"signature\": true,\n  \"score_threshold\": 0.5\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/security/bots/settings",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "security",
                "bots",
                "settings"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "AI Agents",
      "item": [
        {
          "name": "List agents \u2014 GET /v1/tenants/{tenantID}/agents",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/agents",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "agents"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('agentId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Create agent \u2014 POST /v1/tenants/{tenantID}/agents",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"name\": \"ci-agent-{{$timestamp}}\",\n  \"scopes\": [\n    \"user.read\",\n    \"audit:read\"\n  ],\n  \"token_ttl_seconds\": 300\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/agents",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "agents"
              ]
            },
            "description": "Registers an AI-agent identity. The plaintext secret is returned ONCE on create."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id) pm.collectionVariables.set('agentId', b.id);",
                  "if (b.secret) pm.collectionVariables.set('agentSecret', b.secret);"
                ]
              }
            }
          ]
        },
        {
          "name": "Delete agent \u2014 DELETE /v1/tenants/{tenantID}/agents/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/agents/{{agentId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "agents",
                "{{agentId}}"
              ]
            }
          }
        },
        {
          "name": "Mint agent token \u2014 POST /v1/agents/token",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"agent_id\": \"{{agentId}}\",\n  \"secret\": \"{{agentSecret}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/agents/token",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "agents",
                "token"
              ]
            },
            "description": "Exchange agent credentials for a short-lived, downscoped actor_type=agent token. Use {{agentAccessToken}} for the Vault read."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.access_token) pm.collectionVariables.set('agentAccessToken', b.access_token);"
                ]
              }
            }
          ]
        }
      ]
    },
    {
      "name": "Verifiable Credentials",
      "item": [
        {
          "name": "List credentials \u2014 GET /v1/tenants/{tenantID}/credentials",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/credentials",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "credentials"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('credentialId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Issue credential \u2014 POST /v1/tenants/{tenantID}/credentials",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"subject\": \"{{userId}}\",\n  \"type\": \"EmployeeCredential\",\n  \"claims\": {\n    \"department\": \"engineering\"\n  },\n  \"ttl_seconds\": 3600\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/credentials",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "credentials"
              ]
            },
            "description": "Issue a W3C JWT-VC. Returns {id, credential} \u2014 credential is the signed JWT-VC."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id) pm.collectionVariables.set('credentialId', b.id);",
                  "if (b.credential) pm.collectionVariables.set('vcJwt', b.credential);"
                ]
              }
            }
          ]
        },
        {
          "name": "Revoke credential \u2014 POST .../credentials/{id}/revoke",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/credentials/{{credentialId}}/revoke",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "credentials",
                "{{credentialId}}",
                "revoke"
              ]
            }
          }
        },
        {
          "name": "Verify credential (public) \u2014 POST /v1/credentials/verify",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "auth": {
              "type": "noauth"
            },
            "body": {
              "mode": "raw",
              "raw": "{\n  \"credential\": \"{{vcJwt}}\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/credentials/verify",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "credentials",
                "verify"
              ]
            },
            "description": "Public: any relying party can verify a presented JWT-VC. Returns validity + revocation."
          }
        }
      ]
    },
    {
      "name": "Auth Hooks (Actions)",
      "item": [
        {
          "name": "List auth hooks \u2014 GET /v1/tenants/{tenantID}/auth-hooks",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/auth-hooks",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "auth-hooks"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('authHookId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Create auth hook \u2014 POST /v1/tenants/{tenantID}/auth-hooks",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"url\": \"https://example.com/auth-hook\",\n  \"secret\": \"hook-signing-secret\",\n  \"fail_open\": true\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/auth-hooks",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "auth-hooks"
              ]
            },
            "description": "Synchronous post-credential allow/deny gate. fail_open=true keeps logins working if the hook endpoint is unreachable."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id !== undefined) pm.collectionVariables.set('authHookId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Update auth hook \u2014 PATCH /v1/tenants/{tenantID}/auth-hooks/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"enabled\": false,\n  \"fail_open\": true\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/auth-hooks/{{authHookId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "auth-hooks",
                "{{authHookId}}"
              ]
            }
          }
        },
        {
          "name": "Delete auth hook \u2014 DELETE /v1/tenants/{tenantID}/auth-hooks/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/auth-hooks/{{authHookId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "auth-hooks",
                "{{authHookId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Domain Verification",
      "item": [
        {
          "name": "List domains \u2014 GET /v1/tenants/{tenantID}/domains",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/domains",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "domains"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('domainId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Claim domain \u2014 POST /v1/tenants/{tenantID}/domains",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"domain\": \"acme-{{$timestamp}}.example.com\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/domains",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "domains"
              ]
            },
            "description": "Returns the DNS TXT record (name/type/value) to publish for verification."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id !== undefined) pm.collectionVariables.set('domainId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Verify domain \u2014 POST /v1/tenants/{tenantID}/domains/{id}/verify",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/domains/{{domainId}}/verify",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "domains",
                "{{domainId}}",
                "verify"
              ]
            },
            "description": "Performs the DNS TXT lookup and marks the domain verified if it matches."
          }
        },
        {
          "name": "Remove domain \u2014 DELETE /v1/tenants/{tenantID}/domains/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/domains/{{domainId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "domains",
                "{{domainId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "SIEM / Log Sinks",
      "item": [
        {
          "name": "List log sinks \u2014 GET /v1/tenants/{tenantID}/log-sinks",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/log-sinks",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "log-sinks"
              ]
            }
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const r = pm.response.json();",
                  "const arr = r.items || r.Resources || r;",
                  "if (Array.isArray(arr) && arr.length && arr[0].id !== undefined) pm.collectionVariables.set('logSinkId', arr[0].id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Create log sink \u2014 POST /v1/tenants/{tenantID}/log-sinks",
          "request": {
            "method": "POST",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"type\": \"splunk_hec\",\n  \"endpoint\": \"https://hec.splunk.example.com:8088/services/collector\",\n  \"token\": \"hec-token\"\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/log-sinks",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "log-sinks"
              ]
            },
            "description": "Stream audit/security events to a SIEM. type \u2208 {splunk_hec, datadog, http}."
          },
          "event": [
            {
              "listen": "test",
              "script": {
                "type": "text/javascript",
                "exec": [
                  "const b = pm.response.json();",
                  "if (b.id !== undefined) pm.collectionVariables.set('logSinkId', b.id);"
                ]
              }
            }
          ]
        },
        {
          "name": "Enable/disable sink \u2014 PATCH /v1/tenants/{tenantID}/log-sinks/{id}",
          "request": {
            "method": "PATCH",
            "header": [
              {
                "key": "Content-Type",
                "value": "application/json"
              }
            ],
            "body": {
              "mode": "raw",
              "raw": "{\n  \"enabled\": false\n}"
            },
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/log-sinks/{{logSinkId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "log-sinks",
                "{{logSinkId}}"
              ]
            }
          }
        },
        {
          "name": "Delete sink \u2014 DELETE /v1/tenants/{tenantID}/log-sinks/{id}",
          "request": {
            "method": "DELETE",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/tenants/{{tenantId}}/log-sinks/{{logSinkId}}",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "tenants",
                "{{tenantId}}",
                "log-sinks",
                "{{logSinkId}}"
              ]
            }
          }
        }
      ]
    },
    {
      "name": "Notifications",
      "item": [
        {
          "name": "List notifications \u2014 GET /v1/notifications",
          "request": {
            "method": "GET",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/notifications",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "notifications"
              ]
            },
            "description": "Current principal's in-app inbox + unread count."
          }
        },
        {
          "name": "Mark all read \u2014 POST /v1/notifications/mark-all-read",
          "request": {
            "method": "POST",
            "header": [],
            "url": {
              "raw": "{{baseUrl}}/v1/notifications/mark-all-read",
              "host": [
                "{{baseUrl}}"
              ],
              "path": [
                "v1",
                "notifications",
                "mark-all-read"
              ]
            }
          }
        }
      ]
    }
  ]
}
