Your organization’s API key
Email address of the user to authenticate. The user must already be provisioned in Trellis with an active status — auto-creation on first login is no longer supported. Send in normalized form (
email.strip().lower()).HMAC-SHA256 of the normalized email under the shared secret issued to your backend, base64url-encoded without padding. Exactly 43 ASCII characters from
[A-Za-z0-9_-]. The HMAC binds this specific email to the request — Trellis recomputes HMAC(secret, email) server-side using the email from the request and rejects any pair where the two don’t match. A user_key is a signature over one specific email, not a standalone identifier; mixing one user’s email with another user’s user_key always returns 401. See Authentication for the derivation algorithm and reference implementations.Response
JWT token to use for subsequent API requests. Valid for 6 hours.
Unique identifier of the authenticated user.
Unique identifier of the organization the user belongs to.
ISO 8601 timestamp when the token expires.