#227 OpenAPI: Authentication & Authorization Endpoints (23 endpoints)
Description
## Scope
Document authentication and authorization endpoints:
- `api/blueprints/v1/users.py` (7 endpoints)
- `api/blueprints/v1/invitations.py` (6 endpoints)
- `api/blueprints/v1/tokens.py` (5 endpoints)
- `api/blueprints/v1/api_keys.py` (5 endpoints)
## Users Endpoints (7)
1. GET /users - List users
2. GET /users/me - Get current user
3. GET /users/{id} - Get user by ID
4. PUT /users/{id} - Update user
5. DELETE /users/{id} - Delete user
6. PUT /users/{id}/role - Update user role
7. POST /users/{id}/reset-password - Reset password
## Invitations Endpoints (6)
1. POST /invitations - Send invitation
2. GET /invitations - List invitations
3. GET /invitations/{id} - Get invitation
4. DELETE /invitations/{id} - Revoke invitation
5. POST /invitations/{id}/resend - Resend invitation
6. POST /invitations/accept - Accept invitation
## Tokens Endpoints (5)
1. POST /tokens - Create token
2. GET /tokens - List tokens
3. GET /tokens/{id} - Get token
4. DELETE /tokens/{id} - Revoke token
5. POST /tokens/refresh - Refresh token
## API Keys Endpoints (5)
1. POST /api-keys - Create API key
2. GET /api-keys - List API keys
3. GET /api-keys/{id} - Get API key
4. DELETE /api-keys/{id} - Revoke API key
5. PUT /api-keys/{id} - Update API key
## Security Schemes
```yaml
securitySchemes:
  BearerAuth:
    type: http
    scheme: bearer
    bearerFormat: JWT
  ApiKeyAuth:
    type: apiKey
    in: header
    name: X-API-Key
```
## Pydantic Models
```python
from datetime import datetime

from pydantic import BaseModel


class UserResponse(BaseModel):
    user_id: str
    email: str
    role: str
    tenant_id: str
    created_at: datetime


class InvitationRequest(BaseModel):
    email: str
    role: str = 'viewer'  # role granted when none is specified


class TokenCreateRequest(BaseModel):
    name: str
    expires_in_days: int = 30
    permissions: list[str] = []  # empty by default


class ApiKeyCreateRequest(BaseModel):
    name: str
    expires_at: datetime | None = None  # None means no expiry is set
    rate_limit: int = 1000
```
## Depends On
- #224 (Infrastructure Setup)
## Acceptance Criteria
- [ ] All 23 endpoints documented
- [ ] Security schemes defined
- [ ] Role requirements noted
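
One way to check the criteria above mechanically against a generated spec, as an added example (not code from this project). It assumes role requirements are recorded in a hypothetical `x-required-role` vendor extension; `audit_spec`, `SAMPLE_SPEC`, the `admin` role and the `SessionAuth` name are constructed for illustration.

```python
# Added example: audit an OpenAPI document against the acceptance criteria.
# Assumption: role requirements live in a hypothetical "x-required-role"
# vendor extension. SAMPLE_SPEC is constructed for illustration.
EXPECTED_SCHEMES = {"BearerAuth", "ApiKeyAuth"}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}

SAMPLE_SPEC = {
    "components": {"securitySchemes": {
        "BearerAuth": {"type": "http", "scheme": "bearer", "bearerFormat": "JWT"},
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
    }},
    "paths": {
        "/users/{id}/role": {"put": {"security": [{"BearerAuth": []}],
                                     "x-required-role": "admin"}},
        "/users/me": {"get": {"security": [{"BearerAuth": []}, {"ApiKeyAuth": []}]}},
        "/tokens/refresh": {"post": {}},
        "/invitations/accept": {"post": {"security": []}},
        "/api-keys": {"post": {"security": [{"SessionAuth": []}],
                               "x-required-role": "admin"}},
    },
}


def audit_spec(spec: dict) -> list[str]:
    """Return findings; an empty list means every criterion is met."""
    findings = []
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    for name in sorted(EXPECTED_SCHEMES - defined):
        findings.append(f"security scheme not defined: {name}")
    default = spec.get("security")  # document-level requirement, if any
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue  # path-level keys such as "parameters"
            label = f"{method.upper()} {path}"
            security = op.get("security", default)  # operation overrides default
            if security is None:
                findings.append(f"{label}: no security requirement declared")
            elif not security:
                findings.append(f"{label}: explicitly public, confirm intent")
            else:
                used = {n for req in security for n in req}
                for name in sorted(used - defined):
                    findings.append(f"{label}: undefined scheme {name}")
                if {} in security:  # an empty requirement makes auth optional
                    findings.append(f"{label}: auth is optional")
                if "x-required-role" not in op:
                    findings.append(f"{label}: role requirement not noted")
    return findings
```

Running `audit_spec` over the full generated document in CI turns the checklist into a failing build whenever an operation ships without a declared security requirement or role note.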