Signing in
POST /v1/auth/loginwith email + password, and thex-program-idheader.- Complete the 2FA challenge with
POST /v1/auth/verify-2fa(TOTP). Operators are expected to have 2FA set up; usePOST /v1/auth/mfa/setup+confirmon first login. - Use the returned
access_tokenasAuthorization: Bearer <access_token>on every Management API call.
Roles and permissions
The token’s claims determine what an operator can do:| Role | Scope |
|---|---|
PROGRAM_SUPER_ADMIN / PROGRAM_ADMIN | Administration within their program(s). |
CUSTODIAN / CUSTODIAN_ADMIN | Scoped access to the customers they manage. |
transactions.view, payments.create, reports.view, audit.trail.view,
triage.edit). Each endpoint’s required claim is noted on its page.
Two introspection endpoints help you build operator UIs:
GET /v1/access-management/me— who am I: the caller’s profile and role.GET /v1/access-management/program-claims— which programs this operator can act on, with per-program access metadata. A claim of*means all programs.