POST /auth/tokens

Rate-limited to 5 requests per 15 minutes per IP. Tokens are opaque and stored server-side. Scopes are additive; request only what you need. Tokens expire after expires_in_days (default 30, max 90).

application/json

Body Required

  • email string(email) Required

    Maximum length is 255.

  • password string(password) Required

    Not stored or logged. Used only to verify identity.

    Minimum length is 8, maximum length is 128.

  • token_name string Required

    Descriptive label for the token (e.g., local-agent, ci-bot). Must be unique per user.

    Maximum length is 50. Format should match the following pattern: ^[a-zA-Z0-9_-]+$.

  • expires_in_days integer

    Minimum value is 1, maximum value is 90. Default value is 30.

  • scopes array[string]

    Requested scopes. Grant only what the client needs.

      • runs:read — list and inspect runs, samples, history.
      • runs:write — trigger, cancel, retry runs.
      • results:read — access expected/actual output, diffs, errors, logs.
      • baselines:write — approve new expected baselines.
      • system:read — queue, infrastructure errors, stack traces, artifacts.

    Not more than 8 elements. Values are runs:read, runs:write, results:read, baselines:write, or system:read. Default value is ["runs:read", "results:read"].

Responses

  • 201 application/json

    Token created. Store the token value; it will not be shown again.

    Response attributes (object)
    • token string Required

      Opaque token value. Store it securely. It will not be shown again.

      Maximum length is 512.

    • token_type string Required

      Value is Bearer.

    • token_name string Required

      Maximum length is 50.

    • scopes array[string] Required

      Not more than 8 elements. Values are runs:read, runs:write, results:read, baselines:write, or system:read.

    • expires_at string(date-time) Required
  • 400 application/json

    Request body or query parameters failed schema validation

    Response attributes (object)
    • code string Required

      Machine-readable error code (snake_case)

      Maximum length is 100.

    • message string Required

      Human-readable error summary

      Maximum length is 500.

    • details object Required

      Structured context for the error. Always an object, never null. Empty object {} when no additional detail is available.

      Additional properties are allowed.

  • 401 application/json

    Invalid credentials

    Response attributes (object)
    • code string Required

      Machine-readable error code (snake_case)

      Maximum length is 100.

    • message string Required

      Human-readable error summary

      Maximum length is 500.

    • details object Required

      Structured context for the error. Always an object, never null. Empty object {} when no additional detail is available.

      Additional properties are allowed.

  • 429 application/json

    Too many requests. Retry after the indicated number of seconds.

    Headers
    • Retry-After integer

      Seconds to wait before retrying

    • X-RateLimit-Limit

      Maximum requests allowed in the current window

    • X-RateLimit-Remaining

      Requests remaining in the current window

    • X-RateLimit-Reset

      Unix timestamp when the rate limit window resets

    Response attributes (object)
    • code string Required

      Machine-readable error code (snake_case)

      Maximum length is 100.

    • message string Required

      Human-readable error summary

      Maximum length is 500.

    • details object Required

      Structured context for the error. Always an object, never null. Empty object {} when no additional detail is available.

      Additional properties are allowed.

  • default application/json

    Unexpected server error

    Response attributes (object)
    • code string Required

      Machine-readable error code (snake_case)

      Maximum length is 100.

    • message string Required

      Human-readable error summary

      Maximum length is 500.

    • details object Required

      Structured context for the error. Always an object, never null. Empty object {} when no additional detail is available.

      Additional properties are allowed.

POST /auth/tokens
curl \
 --request POST 'https://sampleplatform.ccextractor.org/api/v1/auth/tokens' \
 --header "Content-Type: application/json" \
 --data '{"email":"hello@example.com","password":"string","token_name":"string","expires_in_days":30,"scopes":["runs:read","results:read"]}'
Request examples
{
  "email": "hello@example.com",
  "password": "string",
  "token_name": "string",
  "expires_in_days": 30,
  "scopes": [
    "runs:read",
    "results:read"
  ]
}
Response examples (201)
{
  "token": "string",
  "token_type": "Bearer",
  "token_name": "string",
  "scopes": [
    "runs:read"
  ],
  "expires_at": "2026-05-04T09:42:00Z"
}
Response examples (400)
{
  "code": "validation_error",
  "message": "Request failed schema validation.",
  "details": {
    "fields": {
      "commit_sha": "Must match pattern ^[a-fA-F0-9]{40}$",
      "platform": "Must be one of [linux, windows]"
    }
  }
}
Response examples (401)
{
  "code": "invalid_credentials",
  "message": "Email or password is incorrect.",
  "details": {}
}
Response examples (429)
{
  "code": "rate_limited",
  "message": "Rate limit exceeded. Retry after 30 seconds.",
  "details": {
    "retry_after": 30,
    "limit": 120,
    "window": "60s"
  }
}
Response examples (default)
{
  "code": "not_found",
  "message": "Run 9317 not found.",
  "details": {}
}
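
Added example (not part of the original API reference or the project's own code): Python client-side helpers that enforce the documented body constraints before spending one of the 5 requests per 15 minutes, derive the wait time from a 429 response's headers, and store the one-time token value with owner-only file permissions. The function names build_token_request, retry_delay and save_token are hypothetical, and the 900-second fallback is an assumption derived from the documented 15-minute window.

```python
import json
import os
import re
import time

# Values copied from the endpoint description above.
ALLOWED_SCOPES = {"runs:read", "runs:write", "results:read",
                  "baselines:write", "system:read"}
TOKEN_NAME_RE = re.compile(r"[a-zA-Z0-9_-]+")
WINDOW_SECONDS = 15 * 60  # assumption: fall back to the documented window

def build_token_request(email, password, token_name, scopes, expires_in_days=30):
    """Check the documented limits locally; return the JSON request body."""
    errors = {}
    if not 1 <= len(email) <= 255:
        errors["email"] = "length must be 1..255"
    if not 8 <= len(password) <= 128:
        errors["password"] = "length must be 8..128"  # never echo the value
    # fullmatch, not match with ^...$: in Python "$" also accepts a trailing "\n"
    if len(token_name) > 50 or not TOKEN_NAME_RE.fullmatch(token_name):
        errors["token_name"] = "max 50 chars of [a-zA-Z0-9_-]"
    if type(expires_in_days) is not int or not 1 <= expires_in_days <= 90:
        errors["expires_in_days"] = "integer in 1..90"
    unknown = sorted(set(scopes) - ALLOWED_SCOPES)
    if unknown or len(scopes) > 8:
        errors["scopes"] = f"unknown: {unknown}, count: {len(scopes)}"
    if errors:
        raise ValueError(errors)
    return json.dumps({"email": email, "password": password,
                       "token_name": token_name, "scopes": sorted(set(scopes)),
                       "expires_in_days": expires_in_days})

def retry_delay(headers, now=None):
    """Seconds to wait after a 429, so the small request budget is not burned."""
    h = {k.lower(): v for k, v in headers.items()}
    now = time.time() if now is None else now
    try:
        if "retry-after" in h:
            return max(0, int(h["retry-after"]))
        if "x-ratelimit-reset" in h:
            return max(0, int(h["x-ratelimit-reset"]) - int(now))
    except ValueError:
        pass  # malformed header: fall through to the conservative default
    return WINDOW_SECONDS

def save_token(path, response_body):
    """Write the one-time token value to a file only the owner can read."""
    token = json.loads(response_body)["token"]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(token)
    os.chmod(path, 0o600)  # tighten a pre-existing file with a wider mode
    return path
```

The ValueError carries only field names and limits, so it can be logged without exposing the password.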