
Accept Invitation

POST /api/v1/auth/accept-invite

Accept a workspace invitation and optionally set a password.

Security features (Issue #67):

  • Uses Invitation model with hashed token storage
  • Atomic transaction prevents race conditions on double-accept
  • Token validated via SHA256 hash comparison
  • Single-use enforcement (used_at timestamp)
  • Sibling invites auto-revoked on acceptance
  • Clears stale verification tokens on acceptance

Phase 77 WR-03 — strict email-match guard against authenticated session. If the request carries a valid JWT and the authenticated user's email does NOT match the invitation's email, reject with 409 + error_code INVITE_EMAIL_MISMATCH. Mirrors the guard in google_mobile_api.py and invite_sso_service.resolve_for_callback so the threat-model claim "Email-mismatch: must NOT add user to workspace" is enforced on the password path as well as the Google path. The mobile client now force-logs-out before reaching this endpoint (CR-01), so this is a defense-in-depth check for any other caller (web, raw API consumers).

Args:

  • data.token: Invitation token (plaintext, will be hashed for lookup)
  • data.invite_id: Invitation ID (UUID)
  • data.password: New password (optional for existing users with a password)

Returns:

  • 200: Success with access/refresh tokens
  • 400: Invalid state (already used, revoked, expired, invalid password)
  • 404: Invalid token/invite_id combination
  • 409: Authenticated session email does not match invitation email
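The token, email-match, single-use and sibling-revocation checks above, as an added illustration that is not the project's own handler: the Invitation dataclass, the in-memory store, the lock standing in for the database transaction, the sample invites and every error code other than INVITE_EMAIL_MISMATCH are assumptions constructed for this example, and password handling and verification-token cleanup are left out.

```python
import hashlib
import hmac
import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Invitation:  # stand-in for the Invitation model (assumption); token kept only as SHA256 hex
    invite_id: str
    email: str
    token_hash: str
    expires_at: datetime
    used_at: Optional[datetime] = None
    revoked: bool = False

def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()

_LOCK = threading.Lock()  # stands in for the atomic DB transaction (assumption)

def accept_invite(store: dict, invite_id: str, token: str,
                  session_email: Optional[str], now: datetime) -> tuple:
    inv = store.get(invite_id)
    # Unknown id and wrong token both map to 404; the hash compare is constant-time.
    if inv is None or not hmac.compare_digest(inv.token_hash, hash_token(token)):
        return 404, "INVITE_NOT_FOUND"
    # WR-03 guard: an authenticated session must belong to the invited address.
    if session_email is not None and session_email.casefold() != inv.email.casefold():
        return 409, "INVITE_EMAIL_MISMATCH"
    with _LOCK:  # check-and-mark runs atomically, so a concurrent double-accept loses
        if inv.revoked:
            return 400, "INVITE_REVOKED"
        if inv.used_at is not None:
            return 400, "INVITE_ALREADY_USED"
        if inv.expires_at <= now:
            return 400, "INVITE_EXPIRED"
        inv.used_at = now
        for other in store.values():  # sibling invites to the same address are revoked
            if other is not inv and other.used_at is None and other.email.casefold() == inv.email.casefold():
                other.revoked = True
    return 200, None

# Constructed sample data: two pending invites for alice, one already-expired invite for bob.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
STORE = {i.invite_id: i for i in (
    Invitation("inv-1", "alice@example.com", hash_token("tok-alice-1"), NOW + timedelta(days=7)),
    Invitation("inv-2", "alice@example.com", hash_token("tok-alice-2"), NOW + timedelta(days=7)),
    Invitation("inv-3", "bob@example.com", hash_token("tok-bob"), NOW - timedelta(days=1)),
)}
```

Calling accept_invite on inv-1 twice shows the single-use path, and inv-2 is refused afterwards because it was revoked as a sibling.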
