Authdog REST API manages identity resources programmatically. Live endpoint
schemas and request examples are available at
[api.authdog.com](https://api.authdog.com); machine-readable OpenAPI JSON is at
[`/v1/openapi`](https://api.authdog.com/v1/openapi).

## Base URL and authentication

Supported public endpoints live under `https://api.authdog.com/v1/...`.
Authenticate every call with a scoped Bearer token:

```bash
curl "https://api.authdog.com/v1/tenants" \
  -H "Authorization: Bearer $AUTHDOG_API_TOKEN"
```

Keep tokens server-side and grant only required scopes. Never embed management
tokens in browser bundles or commit them to source control.

Management GraphQL used by Authdog Console is internal and unsupported for
external integrations. Use REST `/v1` so authentication, errors, and
compatibility follow public API guarantees.

## Responses and compatibility

Success and error schemas are documented per endpoint in OpenAPI. Clients
should handle standard HTTP status codes and JSON error bodies, preserve
unknown response fields, and avoid depending on undocumented properties.
Existing public fields are deprecated before removal; incompatible changes use
a new API version.

## Resource families

The core resources mirror the console:

- **Tenants and environments** — projects and deployment boundaries.
- **Directory** — users, groups, and memberships.
- **Organizations** — customer organizations and invitations.
- **Roles and permissions** — RBAC resources assigned to users and groups.
- **Audit and events** — identity and administrative activity for sync and
  investigation.

## Provisioning endpoints

For automated user lifecycle from external systems:

- **SCIM 2.0** at `/v1/scim/v2`, authenticated with `adscim_` tokens — standard provisioning from IdPs like Okta and Entra ID.
- **HRIS** at `/v1/hris/v1`, authenticated with `adhris_` tokens — inbound employee and department sync from HR systems.

Both are covered in [Provisioning](/docs/concepts/provisioning) and configured per environment in the console.

## Webhooks

Subscribe to identity events and Authdog delivers them to your endpoint. Each request is **HMAC-signed** with an `X-Authdog-Signature: t=...,v1=...` header — verify it before trusting the payload. Delivery uses **durable retry**, so a temporary outage on your side won't drop events.

## Next steps

- [Backend requests](/docs/backend) — validate sessions and call the API from your server.
- [Integrations](/docs/integrations) — connect Authdog to the rest of your stack.
