
Token for Email (Service-to-Service)

Mint a per-user JWT for a known email + platform combination so a trusted upstream system (e.g. another Inovo product that already authenticated the user on its side) can act on behalf of one of its members against Tribe Social APIs.

This endpoint is not for end-user sign-in. Use Sign In for password / OTP flows.

POST /api/auth/token-for-email

Authentication

This endpoint requires a single shared secret in the X-Tribe-Service-Secret header. The value must match process.env.TRIBE_SERVICE_MINT_SECRET on the Tribe Social deployment.

The secret is compared in constant time and must be a high-entropy 32-character random string. Treat it like an API key: store it only in the upstream system's secret manager and rotate it through env changes.

Request

POST /api/auth/token-for-email
X-Tribe-Service-Secret: <shared-secret>
Content-Type: application/json

{
  "email": "[email protected]",
  "platformId": 1
}
Field       Type     Required  Description
email       string   yes       The target user's email. Lookup is scoped by platformId.
platformId  integer  yes       The Tribe Platform the target user belongs to. Prevents cross-tenant token minting.

Response

{
  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "expiresIn": 2592000,
  "user": {
    "id": 1234,
    "email": "[email protected]",
    "name": "Member Name",
    "role": "basic",
    "platformId": 1
  }
}

The returned accessToken is a standard Tribe Social JWT ({ id }, HS256) with a 30-day lifetime. It can be presented anywhere the normal user JWT is accepted: the token header, the signed cookie, or as a token= query parameter on the chat/content embed URLs.

Security guarantees

Threat                                                                Mitigation
Anonymous attacker hits the endpoint                                  Rejected with 401 unless X-Tribe-Service-Secret matches.
Cross-tenant access (caller asks for a user on a different platform)  Returns 404; lookup is scoped by platformId.
Email enumeration                                                     Same 404 for "no user" and "user on a different platform"; no timing distinction between the two paths.

TRIBE_SERVICE_MINT_SECRET is the only security boundary. The endpoint mints for any role (basic, free, premium, admin, creator) so upstream apps with mixed user populations work end-to-end. Treat the secret as platform-wide privileged: leaking it is equivalent to compromising every account on the platform.

Every call — success or failure — emits a structured audit log line with targetEmail, targetUserId, targetRole, platformId, ip, outcome, and issuedAt, suitable for downstream alerting.

Error Responses

// 401 Unauthorized — missing/invalid X-Tribe-Service-Secret
{
  "error": {
    "status": 401,
    "code": "UNAUTHORIZED",
    "message": "Invalid service secret"
  }
}

// 400 Bad Request — missing or malformed `email` / `platformId`
{
  "error": {
    "status": 400,
    "code": "BAD_REQUEST",
    "message": "`email` is required"
  }
}

// 404 Not Found — no user with that email on the given platform
{
  "error": {
    "status": 404,
    "code": "NOT_FOUND",
    "message": "No user with that email on this platform"
  }
}

Deployment

Set the shared secret on the Tribe Social server before the endpoint will accept any requests:

# .env on the Tribe Social server
TRIBE_SERVICE_MINT_SECRET=<32-char random string>

If TRIBE_SERVICE_MINT_SECRET is unset, the endpoint returns 401 for every call.