Dashboard
How it Works Documentation Quick Start PAPI — Pages & Assets MAPI — Dynamic Data Integrations SAPI — Sessions & Forms MCP Server OpenClaw Skill Tools Deploy Dashboard
Integrations Platform Built-in Tenant Auth
Tenant Auth

Tenant Auth

⚡ Built-in — Platform Built-in

Multi-tenant client portal authentication. Per-user accounts with email one-time-code (OTP) and/or password login, tenant isolation via tenant_code, short-lived access tokens with rotating refresh tokens, session audit log. Sibling of admin_auth (site-admin) — tenant_auth is for end-users/tenants.

⚡ Built-in — No Setup Required This integration is built into the WebsitePublisher platform. All endpoints are available immediately — no API key needed.

Endpoints (14)

POST request-code

Request a 6-digit login code by email (method: email_otp). Always returns success — no user enumeration. Code valid for config.code_ttl_seconds (default 600s), single-use.

Field Type Required Description
email string ✓ Yes Tenant user email address
POST verify-code

Verify a 6-digit login code and receive an access token (wst_) + refresh token (rft_). On success the session carries the resolved tenant_code.

Field Type Required Description
email string ✓ Yes Tenant user email address
code string ✓ Yes 6-digit code from the email
POST login

Authenticate with email + password (method: password) and receive an access token (wst_) + refresh token (rft_).

Field Type Required Description
email string ✓ Yes Tenant user email address
password string ✓ Yes Tenant user password
POST verify

Verify an access token. Returns { valid, email, tenant_code, tenant_user_id }. Updates last_used_at.

Field Type Required Description
token string ✓ Yes Access token (wst_...)
POST refresh

Exchange a refresh token (rft_) for a new access token + new refresh token. Rotates in-place; the old tokens become invalid.

Field Type Required Description
refresh_token string ✓ Yes Refresh token (rft_...)
POST logout

Invalidate an access token (and its refresh token).

Field Type Required Description
token string ✓ Yes Access token to invalidate (wst_...)
POST create_user

Create a tenant user for this project. password optional (NULL = code-only user). Password stored as peppered bcrypt hash.

Field Type Required Description
email string ✓ Yes Email address for the new tenant user
tenant_code string ✓ Yes Tenant the user belongs to
password string No Optional password (omit for code-only users)
role string No Optional role (default: member)
POST list_users

List active tenant users for this project, optionally filtered by tenant_code.

Field Type Required Description
tenant_code string No Optional: filter by tenant
POST delete_user

Deactivate a tenant user and invalidate all their active sessions.

Field Type Required Description
email string ✓ Yes Email address of the tenant user to deactivate
POST update_password

Set/replace the password for a tenant user (admin-side). Invalidates all active sessions.

Field Type Required Description
email string ✓ Yes Email address of the tenant user
password string ✓ Yes New password
POST set_tenant_code

Reassign a tenant user to a different tenant_code. Invalidates active sessions (forces re-auth under the new tenant).

Field Type Required Description
email string ✓ Yes Email address of the tenant user
tenant_code string ✓ Yes New tenant_code
POST list_sessions

List active sessions for this project. Shows email, tenant_code, IP, created_at, last_used_at.

Field Type Required Description
email string No Optional: filter sessions by user email
POST get_config

Get the tenant_auth configuration for this project (methods, require_provisioned, success_url, TTLs).

No input parameters required.

POST configure

Create or update the tenant_auth configuration for this project. Only provided fields are changed.

Field Type Required Description
methods array No Enabled methods, subset of ["email_otp","password"]
require_provisioned boolean No Only existing active tenant users may authenticate (default true)
success_url string No Relative URL to redirect to after successful login (e.g. /assessment-library.htm)
code_ttl_seconds integer No OTP code lifetime in seconds (default 600)
access_ttl_hours integer No Access token lifetime in hours (default 24)
refresh_ttl_days integer No Refresh token lifetime in days (default 14)

MCP Tool Names

When using this integration through an AI assistant (Claude, ChatGPT, Cursor, etc.), the endpoints are available as MCP tools:

EndpointMCP Tool Name
request-code tenant_auth_request_code
verify-code tenant_auth_verify_code
login tenant_auth_login
verify tenant_auth_verify
refresh tenant_auth_refresh
logout tenant_auth_logout
create_user tenant_auth_create_user
list_users tenant_auth_list_users
delete_user tenant_auth_delete_user
update_password tenant_auth_update_password
set_tenant_code tenant_auth_set_tenant_code
list_sessions tenant_auth_list_sessions
get_config tenant_auth_get_config
configure tenant_auth_configure
← Back to all integrations