Token for Email (Service-to-Service)
Mint a per-user JWT for a known email + platform combination so a trusted upstream system (e.g. another Inovo product that already authenticated the user on its side) can act on behalf of one of its members against Tribe Social APIs.
This endpoint is not for end-user sign-in. Use Sign In for password / OTP flows.
POST /api/auth/token-for-email
Authentication
This endpoint requires a single shared secret in the X-Tribe-Service-Secret header. The value must match process.env.TRIBE_SERVICE_MINT_SECRET on the Tribe Social deployment.
The secret is compared in constant time and must be a high-entropy 32-character random string. Treat it like an API key: store it only in the upstream system's secret manager and rotate it through env changes.
Request
```http
POST /api/auth/token-for-email
X-Tribe-Service-Secret: <shared-secret>
Content-Type: application/json

{
  "email": "[email protected]",
  "platformId": 1
}
```
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | yes | The target user's email. Lookup is scoped by platformId. |
| platformId | integer | yes | The Tribe Platform the target user belongs to. Prevents cross-tenant token minting. |
Response
```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expiresIn": 2592000,
  "user": {
    "id": 1234,
    "email": "[email protected]",
    "name": "Member Name",
    "role": "basic",
    "platformId": 1
  }
}
```
The returned accessToken is a standard Tribe Social JWT ({ id }, HS256) with a 30-day lifetime. It can be presented anywhere the normal user JWT is accepted: the token header, the signed cookie, or as a token= query parameter on the chat/content embed URLs.
Security guarantees
| Threat | Mitigation |
|---|---|
| Anonymous attacker hits the endpoint | Rejected with 401 unless X-Tribe-Service-Secret matches. |
| Cross-tenant access (caller asks for a user on a different platform) | Returns 404; lookup is scoped by platformId. |
| Email enumeration | Same 404 for "no user" and "user on a different platform"; no timing distinction between the two paths. |
TRIBE_SERVICE_MINT_SECRET is the only security boundary. The endpoint mints for any role (basic, free, premium, admin, creator) so upstream apps with mixed user populations work end-to-end. Treat the secret as platform-wide privileged: leaking it is equivalent to compromising every account on the platform.
Every call — success or failure — emits a structured audit log line with targetEmail, targetUserId, targetRole, platformId, ip, outcome, and issuedAt, suitable for downstream alerting.
Error Responses
```jsonc
// 401 Unauthorized — missing/invalid X-Tribe-Service-Secret
{
  "error": {
    "status": 401,
    "code": "UNAUTHORIZED",
    "message": "Invalid service secret"
  }
}

// 400 Bad Request — missing or malformed `email` / `platformId`
{
  "error": {
    "status": 400,
    "code": "BAD_REQUEST",
    "message": "`email` is required"
  }
}

// 404 Not Found — no user with that email on the given platform
{
  "error": {
    "status": 404,
    "code": "NOT_FOUND",
    "message": "No user with that email on this platform"
  }
}
```
Deployment
Set the shared secret on the Tribe Social server before the endpoint will accept any requests:
```shell
# .env on the Tribe Social server
TRIBE_SERVICE_MINT_SECRET=<32-char random string>
```
If TRIBE_SERVICE_MINT_SECRET is unset, the endpoint returns 401 for every call.