# Scute

## Docs

- [Create API key](https://docs.scute.io/api-reference/api-keys/create-api-key.md): Create a new API key for the app
- [Delete API key](https://docs.scute.io/api-reference/api-keys/delete-api-key.md): Revoke an API key
- [List API keys](https://docs.scute.io/api-reference/api-keys/list-api-keys.md): Retrieve all API keys associated with an app
- [Show API key](https://docs.scute.io/api-reference/api-keys/show-api-key.md): Retrieve details for an individual API key
- [Update API key](https://docs.scute.io/api-reference/api-keys/update-api-key.md): Update the nickname for an existing API key
- [Create app](https://docs.scute.io/api-reference/apps/create-app.md): Create a new app. Requires API Secret only (app or workspace key). Workspace is resolved from: explicit workspace_id param, workspace API key bearer, or app API key's workspace.
- [Delete app](https://docs.scute.io/api-reference/apps/delete-app.md): Soft-delete an app. Requires API Secret only.
- [List apps](https://docs.scute.io/api-reference/apps/list-apps.md): Get all apps for a workspace. Requires API Secret (app or workspace). Pass workspace via X-Workspace header or workspace_id param.
- [Show app](https://docs.scute.io/api-reference/apps/show-app.md): Get public app configuration. No authentication required.
- [Update app](https://docs.scute.io/api-reference/apps/update-app.md): Update an existing app. Requires both API Secret and User Access Token.
- [List auth providers](https://docs.scute.io/api-reference/auth-providers/list-auth-providers.md): Retrieve merged list of email, oauth, and message auth providers for an app
- [Upsert auth provider](https://docs.scute.io/api-reference/auth-providers/upsert-auth-provider.md): Create or update an auth provider for the app
- [Cancel a challenge](https://docs.scute.io/api-reference/challenges/cancel-a-challenge.md): Cancel an active challenge. This is a soft cancellation - the challenge will be marked as cancelled but not deleted.
- [Create a challenge](https://docs.scute.io/api-reference/challenges/create-a-challenge.md): Create a new challenge for authentication, MFA, step-up verification, or custom flows.
- [Deny a challenge](https://docs.scute.io/api-reference/challenges/deny-a-challenge.md): Explicitly deny/reject a challenge. Used for push-based approvals or when the user wants to reject a verification request.
- [Get challenge status](https://docs.scute.io/api-reference/challenges/get-challenge-status.md): Retrieve the current status of a challenge. Use this to poll for challenge state or display remaining time/attempts to the user.
- [Resend challenge](https://docs.scute.io/api-reference/challenges/resend-challenge.md): Resend a challenge delivery (OTP code or magic link). This cancels the current challenge and creates a new one with a fresh code.
- [Verify a challenge](https://docs.scute.io/api-reference/challenges/verify-a-challenge.md): Submit verification for a challenge.
- [List events](https://docs.scute.io/api-reference/events/list-events.md): Retrieve paginated list of events for an application
- [Create M2M access token](https://docs.scute.io/api-reference/m2m-sessions/create-m2m-access-token.md): Create a machine-to-machine session and return long-lived JWT credentials
- [List all M2M sessions for an app](https://docs.scute.io/api-reference/m2m-sessions/list-all-m2m-sessions-for-an-app.md): Retrieve all machine-to-machine sessions created for the given app
- [Refresh the M2M access token](https://docs.scute.io/api-reference/m2m-sessions/refresh-the-m2m-access-token.md): Rotate the access token for the active machine-to-machine session using the refresh token
- [Revoke a specific M2M session](https://docs.scute.io/api-reference/m2m-sessions/revoke-a-specific-m2m-session.md): Delete a machine-to-machine session by ID using API key authentication
- [Revoke the current M2M session](https://docs.scute.io/api-reference/m2m-sessions/revoke-the-current-m2m-session.md): Invalidate the caller's active machine-to-machine session
- [Verify the active M2M session](https://docs.scute.io/api-reference/m2m-sessions/verify-the-active-m2m-session.md): Validate the caller's JWT belongs to an active machine-to-machine session
- [Authenticate with magic link](https://docs.scute.io/api-reference/magic-links/authenticate-with-magic-link.md): Authenticate a magic link token and return session tokens. This endpoint validates the magic link token and creates a new session for the user.
- [Check magic link status](https://docs.scute.io/api-reference/magic-links/check-magic-link-status.md): Poll to check if a magic link has been activated. Once activated, this endpoint returns authentication tokens. This enables cross-device login flows where the user initiates login on one device and completes it on another.
- [Confirm workspace invitation](https://docs.scute.io/api-reference/magic-links/confirm-workspace-invitation.md): Confirm a workspace invitation using magic link token and optionally provide required user metadata. Returns session tokens upon successful confirmation.
- [Send login magic link](https://docs.scute.io/api-reference/magic-links/send-login-magic-link.md): Send a login magic link email to the user. The user will receive an email with a link to complete their login. If the email doesn't exist, a new user will be created.
- [Send registration magic link](https://docs.scute.io/api-reference/magic-links/send-registration-magic-link.md): Send a registration magic link email to the user. The user will receive an email with a link to complete their registration.
- [List message service providers](https://docs.scute.io/api-reference/message-service-providers/list-message-service-providers.md): Retrieve the configured message delivery providers for the specified app
- [Update message service provider](https://docs.scute.io/api-reference/message-service-providers/update-message-service-provider.md): Update an existing message service provider configuration
- [Upsert message service provider](https://docs.scute.io/api-reference/message-service-providers/upsert-message-service-provider.md): Create or update a message service provider configuration for the app
- [Dismiss notification](https://docs.scute.io/api-reference/notifications/dismiss-notification.md): Dismiss a notification (only works for dismissible notifications)
- [Get notification](https://docs.scute.io/api-reference/notifications/get-notification.md): Retrieve a single notification by ID
- [Get notification statistics](https://docs.scute.io/api-reference/notifications/get-notification-statistics.md): Get notification statistics for the authenticated user including counts by priority and category
- [List notifications](https://docs.scute.io/api-reference/notifications/list-notifications.md): Retrieve paginated list of notifications for the authenticated user
- [Mark all notifications as read](https://docs.scute.io/api-reference/notifications/mark-all-notifications-as-read.md): Mark all unread notifications as read for the authenticated user
- [Mark notification as read](https://docs.scute.io/api-reference/notifications/mark-notification-as-read.md): Mark a single notification as read
- [Initiate OAuth authorization](https://docs.scute.io/api-reference/oauth/initiate-oauth-authorization.md): Initiate OAuth authorization flow by redirecting to the provider's authorization endpoint. The provider must be configured for the app.
- [OAuth callback handler](https://docs.scute.io/api-reference/oauth/oauth-callback-handler.md): Handle OAuth callback from provider. Exchanges authorization code for access token, fetches user info, creates or finds user, and redirects to app with a magic link token for authentication.
- [App](https://docs.scute.io/api-reference/objects/app.md)
- [Challenge](https://docs.scute.io/api-reference/objects/challenge.md)
- [Event](https://docs.scute.io/api-reference/objects/event.md)
- [Scute Session](https://docs.scute.io/api-reference/objects/scute-session.md)
- [User](https://docs.scute.io/api-reference/objects/user.md)
- [Workspace](https://docs.scute.io/api-reference/objects/workspace.md)
- [Send OTP code](https://docs.scute.io/api-reference/otp/send-otp-code.md): Send a one-time passcode to the user's phone number via SMS or email. Creates a new user if the identifier doesn't exist.
- [Verify OTP code](https://docs.scute.io/api-reference/otp/verify-otp-code.md): Verify a one-time passcode and return session tokens. The user_id parameter is the challenge token returned from the /otps/login endpoint.
- [Get JWKS (JSON Web Key Set) for JWT verification](https://docs.scute.io/api-reference/rsa-keys/get-jwks-json-web-key-set-for-jwt-verification.md): Returns the public key in JWKS format for JWT token verification. This endpoint is PUBLIC and requires no authentication.
- [Get RSA public key for JWT verification](https://docs.scute.io/api-reference/rsa-keys/get-rsa-public-key-for-jwt-verification.md): Returns the RSA public key for JWT token verification. This endpoint is PUBLIC and requires no authentication.
- [Get current user](https://docs.scute.io/api-reference/session-management/get-current-user.md): Get detailed profile information for the currently authenticated user. Requires a valid access token.
- [List all sessions](https://docs.scute.io/api-reference/session-management/list-all-sessions.md): List all active sessions for the currently authenticated user. Requires a valid access token.
- [Revoke session](https://docs.scute.io/api-reference/session-management/revoke-session.md): Revoke a specific session by ID for the authenticated user. This will invalidate the session and require re-authentication. Requires a valid access token.
- [Sign out current user](https://docs.scute.io/api-reference/session-management/sign-out-current-user.md): Sign out the current user and invalidate their session. Requires a valid access token.
- [Update current user metadata](https://docs.scute.io/api-reference/session-management/update-current-user-metadata.md): Update the metadata for the currently authenticated user. Requires a valid access token.
- [Refresh access token](https://docs.scute.io/api-reference/tokens/refresh-access-token.md): Refresh the access token using a valid refresh token. The refresh token must be provided in the Authorization header.
- [Verify access token](https://docs.scute.io/api-reference/tokens/verify-access-token.md): Verify that an access token is valid and not expired. Requires a valid access token in the Authorization header.
- [Verify refresh token](https://docs.scute.io/api-reference/tokens/verify-refresh-token.md): Verify that a refresh token is valid and not expired. Requires a valid refresh token in the Authorization header.
- [Create user meta field](https://docs.scute.io/api-reference/user-meta-fields/create-user-meta-field.md): Create a new user meta field for the application
- [Delete user meta field](https://docs.scute.io/api-reference/user-meta-fields/delete-user-meta-field.md): Delete a user meta field
- [List user meta fields](https://docs.scute.io/api-reference/user-meta-fields/list-user-meta-fields.md): Get all user meta fields for an application (public endpoint)
- [Update meta fields positions](https://docs.scute.io/api-reference/user-meta-fields/update-meta-fields-positions.md): Update the display order of user meta fields
- [Update user meta field](https://docs.scute.io/api-reference/user-meta-fields/update-user-meta-field.md): Update an existing user meta field
- [Activate user](https://docs.scute.io/api-reference/users/activate-user.md): Activate a deactivated user
- [Create user](https://docs.scute.io/api-reference/users/create-user.md): Create a new user with email or phone identifier. Accepts app API secret or workspace API secret.
- [Deactivate user](https://docs.scute.io/api-reference/users/deactivate-user.md): Deactivate an active user
- [Delete user](https://docs.scute.io/api-reference/users/delete-user.md): Delete a user from the app
- [Import users](https://docs.scute.io/api-reference/users/import-users.md): Bulk import multiple users from CSV/JSON data. Requires email column to be present.
- [Invite user](https://docs.scute.io/api-reference/users/invite-user.md): Invite a new user to the app, creates user with pending status and sends invitation email
- [List users](https://docs.scute.io/api-reference/users/list-users.md): Get a paginated list of users with optional filtering. Accepts app API secret or workspace API secret (for apps in that workspace).
- [Show user](https://docs.scute.io/api-reference/users/show-user.md): Get a specific user by ID
- [Update user metadata](https://docs.scute.io/api-reference/users/update-user-metadata.md): Update user metadata using the user ID from the path
- [Autocomplete search by identifier](https://docs.scute.io/api-reference/verification/autocomplete-search-by-identifier.md): Search for users by identifier (email or phone) within the current app
- [Create verification](https://docs.scute.io/api-reference/verification/create-verification.md): Create a verification (challenge) for the provided identifier
- [Create verification with intent](https://docs.scute.io/api-reference/verification/create-verification-with-intent.md): Create a verification using intent metadata (Thread integration)
- [List verification requests](https://docs.scute.io/api-reference/verification/list-verification-requests.md): Get all verification requests for the current app
- [Show verification request](https://docs.scute.io/api-reference/verification/show-verification-request.md): Get details of a specific verification request
- [Verify code](https://docs.scute.io/api-reference/verification/verify-code.md): Verify a verification request with the provided code or token
- [Finalize WebAuthn device registration](https://docs.scute.io/api-reference/webauthn/finalize-webauthn-device-registration.md): Complete registration of a new WebAuthn device by verifying the credential response. Use the SDK instead of calling this manually. Requires a valid access token.
- [Finalize WebAuthn login](https://docs.scute.io/api-reference/webauthn/finalize-webauthn-login.md): Finalize a WebAuthn authentication ceremony by verifying the credential assertion from the browser. Returns session tokens upon successful verification. Use the SDK instead of calling this manually.
- [Finalize WebAuthn registration](https://docs.scute.io/api-reference/webauthn/finalize-webauthn-registration.md): Finalize a WebAuthn registration ceremony by verifying the credential response from the browser. Returns session tokens upon successful verification. Use the SDK instead of calling this manually.
- [Initialize WebAuthn login](https://docs.scute.io/api-reference/webauthn/initialize-webauthn-login.md): Initialize a WebAuthn authentication ceremony. This endpoint returns the challenge options for the browser's WebAuthn API. Use the SDK instead of calling this manually.
- [Initialize WebAuthn registration](https://docs.scute.io/api-reference/webauthn/initialize-webauthn-registration.md): Initialize a WebAuthn registration ceremony. This endpoint creates a new user (if they don't exist) and returns the challenge options for the browser's WebAuthn API. Use the SDK instead of calling this manually.
- [Register new WebAuthn device](https://docs.scute.io/api-reference/webauthn/register-new-webauthn-device.md): Initiate registration of a new WebAuthn device (passkey) for the authenticated user. Returns credential creation options. Use the SDK instead of calling this manually. Requires a valid access token.
- [Revoke WebAuthn device](https://docs.scute.io/api-reference/webauthn/revoke-webauthn-device.md): Revoke a WebAuthn device (credential) by ID. Note: This endpoint is not used in the JS SDK. Use session revocation instead as sessions include device information. Requires a valid access token.
- [Create webhook endpoint](https://docs.scute.io/api-reference/webhooks/create-webhook-endpoint.md): Create a new webhook endpoint for an application
- [Delete webhook endpoint](https://docs.scute.io/api-reference/webhooks/delete-webhook-endpoint.md): Delete a webhook endpoint
- [Get webhook deliveries](https://docs.scute.io/api-reference/webhooks/get-webhook-deliveries.md): Get delivery history for a webhook endpoint
- [Get webhook endpoint](https://docs.scute.io/api-reference/webhooks/get-webhook-endpoint.md): Get details of a specific webhook endpoint
- [List webhook endpoints](https://docs.scute.io/api-reference/webhooks/list-webhook-endpoints.md): Get all webhook endpoints for an application
- [Test webhook endpoint](https://docs.scute.io/api-reference/webhooks/test-webhook-endpoint.md): Send a test webhook to verify endpoint configuration
- [Update webhook endpoint](https://docs.scute.io/api-reference/webhooks/update-webhook-endpoint.md): Update an existing webhook endpoint
- [List workspace apps](https://docs.scute.io/api-reference/workspace-apps/list-workspace-apps.md): Get all apps for a specific workspace
- [Create workspace membership](https://docs.scute.io/api-reference/workspace-memberships/create-workspace-membership.md): Invite a member to the workspace. If user doesn't exist, they will be created. Requires admin role.
- [Delete workspace membership](https://docs.scute.io/api-reference/workspace-memberships/delete-workspace-membership.md): Remove a member from the workspace. Requires admin role. Cannot remove yourself as owner.
- [List workspace memberships](https://docs.scute.io/api-reference/workspace-memberships/list-workspace-memberships.md): Get all members of a workspace
- [Update workspace membership](https://docs.scute.io/api-reference/workspace-memberships/update-workspace-membership.md): Update a member's role in the workspace. Requires admin role. Cannot demote yourself as owner.
- [Create workspace session](https://docs.scute.io/api-reference/workspace-sessions/create-workspace-session.md): Create a user session from any app within a workspace using workspace API key
- [Create workspace](https://docs.scute.io/api-reference/workspaces/create-workspace.md): Create a new workspace. The authenticated user becomes the owner.
- [List workspaces](https://docs.scute.io/api-reference/workspaces/list-workspaces.md): Get all workspaces the authenticated user is a member of
- [Show workspace](https://docs.scute.io/api-reference/workspaces/show-workspace.md): Get workspace details by ID or slug
- [Update workspace](https://docs.scute.io/api-reference/workspaces/update-workspace.md): Update workspace details. Requires member access.
- [April 2026](https://docs.scute.io/changelogs/april-2026.md): Intent verification, risk scoring, entitlements, verification SDK, child workspaces
- [March 2026](https://docs.scute.io/changelogs/march-2026.md): MFA everywhere, email OTP, fuzzy search
- [Auth UI](https://docs.scute.io/guides/auth-ui.md): Drop-in auth for React apps
- [Authentication Methods](https://docs.scute.io/guides/authentication-methods.md)
- [Child Workspaces](https://docs.scute.io/guides/child-workspaces.md): Multi-tenant verification with isolated branding and credentials
- [Data migration through API](https://docs.scute.io/guides/data_migration_with_api.md)
- [Error Handling](https://docs.scute.io/guides/error-handling.md)
- [Scute Events](https://docs.scute.io/guides/events.md)
- [Intent Verification](https://docs.scute.io/guides/intent-verification.md): Verify user identity via email or SMS with workflow context
- [JWT](https://docs.scute.io/guides/jwt.md)
- [Metafields](https://docs.scute.io/guides/metafields.md)
- [oAuth](https://docs.scute.io/guides/oauth.md)
- [TypeScript Support](https://docs.scute.io/guides/typescript-support.md)
- [Verification SDK](https://docs.scute.io/guides/verification-sdk.md): Manage verifications from any app using @scute/js-core
- [Webhooks](https://docs.scute.io/guides/webhooks.md)
- [Workspace Sessions - Cross-App login solution](https://docs.scute.io/guides/workspace-sessions.md): Enable seamless user authentication between multiple apps in your workspace
- [Get started with Scute](https://docs.scute.io/index.md): Passwordless authentication for modern applications
- [Express.js](https://docs.scute.io/quickstarts/express-js.md)
- [Javascript](https://docs.scute.io/quickstarts/javascript.md)
- [Next.js](https://docs.scute.io/quickstarts/next-js.md)
- [React](https://docs.scute.io/quickstarts/react.md): Using the pre-built Scute UI with React
- [React Hooks](https://docs.scute.io/quickstarts/react-hooks.md): Using Scute's hooks for authentication in React
- [React Native / Expo](https://docs.scute.io/quickstarts/react-native.md)
- [React Router (Declarative)](https://docs.scute.io/quickstarts/react-router-declarative.md): Using Scute with React Router for declarative routing
- [Svelte](https://docs.scute.io/quickstarts/svelte.md): Using Scute with Svelte
- [Vue.js](https://docs.scute.io/quickstarts/vue-js.md)
- [Verification](https://docs.scute.io/verification/index.md): Verify users via email or SMS
- [OTP Verification](https://docs.scute.io/verification/otp-verification.md)
- [Email Verification](https://docs.scute.io/verification/self-serve.md): Verify email addresses with magic links
- [User Identifier Verification](https://docs.scute.io/verification/user-identifier-verification.md)
- [Tracking Verification Status](https://docs.scute.io/verification/verification-status.md)

## OpenAPI Specs

- [swagger](https://docs.scute.io/swagger.json)

## Optional

- [Dashboard](https://control.scute.io)
- [GitHub](https://github.com/scuteai)