Accept Invitation

POST /api/v1/auth/accept-invite

Accept a workspace invitation and optionally set password.

Security features (Issue #67):

Uses Invitation model with hashed token storage
Atomic transaction prevents race conditions on double-accept
Token validated via SHA256 hash comparison
Single-use enforcement (used_at timestamp)
Sibling invites auto-revoked on acceptance
Clears stale verification tokens on acceptance

Args: data.token: Invitation token (plaintext, will be hashed for lookup) data.invite_id: Invitation ID (UUID) data.password: New password (optional for existing users with password)

Returns: 200: Success with access/refresh tokens 400: Invalid state (already used, revoked, expired, invalid password) 404: Invalid token/invite_id combination

Accept Invitation

/api/v1/auth/accept-invite

Request

Responses

Accept Invitation

/api/v1/auth/accept-invite

Request​

Responses​

Request

Responses