Authentication & Tokens
Lumetry API requests use Bearer tokens:
Authorization: Bearer {token}
For machine-to-machine integrations, use a Lumetry API token created from an interactive console session. Browser users sign in through the configured identity provider; integrations should not automate the browser login flow. The console refreshes interactive sessions while the browser tab remains active. If the identity-provider session expires or is revoked, the user is sent back to sign in.
When an interactive identity is reprovisioned, Lumetry preserves its workspace identity and existing API-token ownership only after the new identity's active workspace membership has been verified.
Token types
| Token | Use it for | Notes |
|---|---|---|
| Interactive access token | Console-driven API calls by a signed-in user. | Short-lived and issued by the configured identity provider. |
| API token | Automation such as metric ingestion, CMDB sync, and CI scripts. | Long-lived opaque token created from the console. The secret is shown once. |
API tokens are scoped to the user and workspace that created them. They authorize requests with the permission set captured when the token is created, and can be revoked at any time. Later role changes do not rescope an existing token; revoke and reissue it to change its permissions. The token string identifies its workspace on its own, so no extra workspace configuration is needed on the client; treat the full string as a single opaque secret and do not modify it.
API-token-authenticated requests cannot create or revoke API tokens. Manage API tokens from an interactive console session.
GET /api/auth/me
Return the current authenticated user and effective permissions. Use this endpoint before showing or attempting privileged actions.
{
"id": 42,
"username": "alice",
"email": "alice@example.com",
"displayName": "Alice Doe",
"authProviderType": "Oidc",
"roles": ["Admin"],
"permissions": ["CanViewAlerts", "CanManageRules", "CanIngestMetrics"]
}
| Field | Meaning |
|---|---|
id | Numeric Lumetry user ID used by user-owned resources and audit fields. |
authProviderType | Identity-provider category associated with the authenticated principal. |
roles | User-facing Lumetry roles. |
permissions | Permission keys enforced by the API. |
API Tokens
API tokens are intended for automation:
- pushing metric points through the ingestion API;
- synchronizing topology from a CMDB;
- registering or updating metric definitions from a trusted integration;
- reading operational state for downstream tooling.
GET /api/auth/api-tokens
List the caller's API tokens. The secret is never returned after creation.
[
{
"id": 12,
"name": "servicenow-sync",
"tokenPrefix": "lmt_3f9a",
"expiresAt": "2027-06-02T00:00:00Z",
"revokedAt": null,
"lastUsedAt": "2026-06-02T08:59:00Z",
"createdAt": "2026-06-02T09:00:00Z",
"isActive": true
}
]
| Field | Meaning |
|---|---|
tokenPrefix | Non-secret display prefix for recognizing a token in lists. |
expiresAt / revokedAt | Configured expiry and revocation time. |
lastUsedAt | Approximate last-seen timestamp. It may be updated on a throttle rather than every request. |
isActive | Whether the token is currently usable. |
POST /api/auth/api-tokens
Create an API token. The plaintext token is returned exactly once.
{
"name": "servicenow-sync",
"expiresInDays": 365
}
Response 201
{
"token": {
"id": 12,
"name": "servicenow-sync",
"tokenPrefix": "lmt_3f9a",
"expiresAt": "2027-06-02T00:00:00Z",
"revokedAt": null,
"lastUsedAt": null,
"createdAt": "2026-06-02T09:00:00Z",
"isActive": true,
"permissions": ["CanViewAlerts", "CanManageRules"]
},
"plainTextToken": "lmt_3f9a8b7c6d5e..."
}
Store plainTextToken immediately and send it on subsequent requests:
Authorization: Bearer lmt_3f9a8b7c6d5e...
It cannot be retrieved again.
DELETE /api/auth/api-tokens/{id}
Revoke a token by integer id. Revocation is immediate.
Users, Roles, And Access
User and role administration requires user-management permission.
| Method & path | Purpose |
|---|---|
GET /api/rbac/permissions | List available permission keys. |
GET /api/rbac/capabilities | Report optional access-management capabilities, including directoryManagement. |
GET /api/rbac/roles | List roles and their effective permission sets. |
GET /api/rbac/members | List members and assigned roles. |
POST /api/rbac/members | Create or link a member (email, firstName, lastName, optional roles). |
PUT /api/rbac/roles/{role}/permissions | Replace a role's permission binding. |
POST /api/rbac/roles/{role}/reset | Reset a role to its default permissions. |
PUT /api/rbac/members/{subject}/roles | Replace a member's role assignments. |
GET /api/rbac/directory | Read the managed LDAP/AD federation configuration without its bind password. |
PUT /api/rbac/directory | Create or update read-only LDAP/AD federation. |
DELETE /api/rbac/directory | Remove federation and its managed directory groups. |
POST /api/rbac/directory/test | Test connection and bind authentication without saving. |
POST /api/rbac/directory/sync | Synchronize directory users and groups. |
GET /api/rbac/directory/groups | List imported groups and their mapped roles. |
GET /api/rbac/group-bindings/{groupId} | Read one imported group's role mapping. |
PUT /api/rbac/group-bindings/{groupId} | Map an imported group to a fixed Lumetry role. |
DELETE /api/rbac/group-bindings/{groupId} | Remove an imported group's role mapping. |
GET /api/audit-logs | Read the append-only audit log of sensitive changes. |
Callers may only assign roles or permissions they are allowed to grant.
Directory endpoints are available only for managed on-prem deployments. Directory-derived
roles are returned with a Directory:<group> source and cannot be removed through the
manual member-role endpoint. The LDAP bind password is accepted on write but never returned.
When directoryManagement is false, directory and group-binding endpoints return 404.