POST /v1/auth/invitations/accept
Accept an invitation. Two modes:
- New user: the body includes `password` (and optionally `display_name`). Creates the user, adds the membership, and returns a new browser session.
- Existing user (already signed in): only `token` is required. Adds the membership in the invited org and returns 204.
::: tip Auth
Optional. When present, the caller's email must match the invite email.
:::
Request
POST /v1/auth/invitations/accept
| Header | Required | Notes |
|---|---|---|
| `Content-Type: application/json` | yes | — |
| `Cookie: identsphere_at=...` OR `Authorization: Bearer ...` | no | If present, the caller is treated as an existing user. |
Body
```json
{
  "token": "abc123...",
  "password": "a-fresh-secret-with-12-chars-min",
  "display_name": "Carol C."
}
```
| Field | Type | Required | Notes |
|---|---|---|---|
| `token` | string | yes | The raw invite token. |
| `password` | string \| null | new users only | 12–256 chars. |
| `display_name` | string \| null | no | — |
Response
200 OK (new user)
A full `LoginResponse::Success` body — the user is signed in.
204 No Content (existing logged-in user)
Membership added in the invited org. No new session is issued; the caller keeps their existing session.
Error responses
| Status | Code | When |
|---|---|---|
| 400 | invalid_input | Token missing, password missing for a new-user accept, or password fails length validation. |
| 401 | authentication_required | Token doesn't match any invitation. |
| 403 | forbidden | Authenticated caller's email doesn't match the invite. |
| 409 | conflict | Invitation already accepted, revoked, or expired. |
| 500 | internal_error | DB or JWT failure. |
Notes
- Membership is an upsert: if the user is already a member of the org, the role is updated to the invite's role.
- The invitation status is set to `accepted` and `accepted_at = now()`.
- New users created through this endpoint have `email_verified: true`: they proved control of the address by clicking the link.
- An audit entry (`members.invitation_accepted`) is recorded.
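The two accept modes and the error table above, as an added example that is not IdentSphere's own code: the accept-time decision logic as a pure function over a constructed in-memory invitation record. The order of checks, the case-insensitive email comparison and the `Status` / `expires_at` fields are assumptions; the real handler's persistence, session issuance and audit write are left out.

```rust
// Added example, not the project's own code. Check ordering, case-insensitive
// email matching and the Invitation fields are assumptions made for illustration.
#[derive(Debug, PartialEq)]
pub enum Status { Pending, Accepted, Revoked }

pub struct Invitation { pub token: String, pub email: String, pub status: Status, pub expires_at: u64 }

pub struct AcceptRequest<'a> { pub token: &'a str, pub password: Option<&'a str>, pub caller_email: Option<&'a str> }

#[derive(Debug, PartialEq)]
pub enum Outcome { NewUserSession, MembershipAdded }

/// One variant per row of the error table: 400, 401, 403, 409.
#[derive(Debug, PartialEq)]
pub enum ApiError { InvalidInput, AuthenticationRequired, Forbidden, Conflict }

pub fn accept(req: &AcceptRequest<'_>, invites: &[Invitation], now: u64) -> Result<Outcome, ApiError> {
    // 400 invalid_input: token missing.
    if req.token.is_empty() { return Err(ApiError::InvalidInput); }
    // 401 authentication_required: token does not match any invitation.
    let inv = invites.iter().find(|i| i.token == req.token).ok_or(ApiError::AuthenticationRequired)?;
    // 409 conflict: already accepted, revoked, or expired.
    if inv.status != Status::Pending || inv.expires_at <= now { return Err(ApiError::Conflict); }
    match req.caller_email {
        // Existing-user mode: a session was presented, so its email must match the invite.
        Some(email) => {
            if !email.eq_ignore_ascii_case(&inv.email) { return Err(ApiError::Forbidden); } // 403
            Ok(Outcome::MembershipAdded) // 204 No Content, existing session kept
        }
        // New-user mode: password required and must be 12-256 chars.
        None => {
            let pw = req.password.ok_or(ApiError::InvalidInput)?;
            if !(12..=256).contains(&pw.chars().count()) { return Err(ApiError::InvalidInput); }
            Ok(Outcome::NewUserSession) // 200 OK with LoginResponse::Success
        }
    }
}

fn main() {
    // Constructed sample invitation; "now" is a plain counter rather than wall-clock time.
    let invites = [Invitation { token: "abc123".into(), email: "carol@example.com".into(), status: Status::Pending, expires_at: 1_000 }];
    let req = AcceptRequest { token: "abc123", password: Some("a-fresh-secret-with-12-chars-min"), caller_email: None };
    println!("{:?}", accept(&req, &invites, 500));
}
```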