API Reference

HTTP endpoints used by the Authium extension and website. All vault secrets remain encrypted client-side — APIs handle auth, billing, and ciphertext transport only.

Note: Authium does not expose a public REST API for reading decrypted TOTP secrets. Integrations operate on encrypted payloads. For enterprise SSO or SCIM, contact support@authium.app.

Base URL for Supabase services is your project URL (see documentation). Website routes are relative to authium.app.

POST

License validation

VALIDATE_LICENSE_URL (Supabase Edge Function)

Auth: Bearer session token or license key payload

Called by the extension after sign-in or when activating a device. Validates subscription tier, enforces device limits, and returns plan metadata used to unlock Pro/Team features.

Example request

{
  "deviceId": "uuid",
  "platform": "chrome",
  "browserVersion": "126.0"
}

Example response

{
  "plan": "pro",
  "expiresAt": "2026-07-01T00:00:00Z",
  "features": ["copilot", "sync", "themes"]
}

GET

Team vault — list shared entries

/functions/v1/team-vault?action=list

Auth: Bearer Supabase JWT (Team member)

Returns encrypted team vault entries the member is authorized to pull. Payloads remain ciphertext until decrypted locally with the Team Access Code.

Example request

Query: action=list

Example response

{
  "entries": [{ "id": "...", "ciphertext": "...", "updatedAt": "..." }],
  "auditVersion": 12
}

POST

Team vault — push entry

/functions/v1/team-vault

Auth: Bearer Supabase JWT (Team admin)

Admins publish or update a shared OTP entry. The server stores only encrypted blobs and records an audit event.

Example request

{
  "action": "push",
  "entryId": "optional-uuid",
  "ciphertext": "base64...",
  "labelHint": "encrypted-metadata"
}

Example response

{ "ok": true, "entryId": "...", "auditId": "..." }

POST

Team vault — pull updates

/functions/v1/team-vault

Auth: Bearer Supabase JWT (Team member)

Members fetch vault deltas since their last sync cursor. Used by the extension background worker during Team Vault sync.

Example request

{
  "action": "pull",
  "since": "2026-06-01T00:00:00Z"
}

Example response

{
  "entries": [...],
  "removed": ["entry-id"],
  "cursor": "2026-06-07T12:00:00Z"
}
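
The pull exchange above, seen from the client side, as an added example that is not Authium's own code: it validates the response shape, merges ciphertext blobs without decrypting them, and advances the sync cursor only once the whole delta is accepted. The merge rules (upsert by id, removal wins, cursor never moves backwards), the function names and the sample data are assumptions.

```javascript
// Added example, not Authium code. Assumed merge rules: upsert by id,
// ids in "removed" are deleted (removal wins), cursor is an ISO-8601 UTC string.
function isIsoUtc(s) {
  return typeof s === "string" && s.endsWith("Z") && !Number.isNaN(Date.parse(s));
}
// state: { entries: Map<id, {ciphertext, updatedAt}>, cursor }
// Returns a new state; throws before changing anything if the response is malformed.
function applyPull(state, response) {
  if (!response || !Array.isArray(response.entries) || !Array.isArray(response.removed)) {
    throw new TypeError("pull response must carry entries and removed arrays");
  }
  if (!isIsoUtc(response.cursor)) throw new TypeError("invalid cursor");
  // A cursor older than the stored one would make the client re-sync stale data.
  if (Date.parse(response.cursor) < Date.parse(state.cursor)) {
    throw new RangeError("cursor moved backwards");
  }
  const next = new Map(state.entries); // work on a copy so a bad delta is all-or-nothing
  for (const e of response.entries) {
    if (!e || typeof e.id !== "string" || typeof e.ciphertext !== "string" || !isIsoUtc(e.updatedAt)) {
      throw new TypeError("malformed entry in pull response");
    }
    const have = next.get(e.id);
    // Ciphertext is stored as an opaque string; it is never parsed or decrypted here.
    if (!have || Date.parse(e.updatedAt) >= Date.parse(have.updatedAt)) {
      next.set(e.id, { ciphertext: e.ciphertext, updatedAt: e.updatedAt });
    }
  }
  for (const id of response.removed) next.delete(id);
  return { entries: next, cursor: response.cursor };
}

// Body of the following pull request, using the cursor just stored.
function nextPullBody(state) {
  return { action: "pull", since: state.cursor };
}
// Constructed sample data; the ciphertext values are placeholders.
const sampleState = {
  entries: new Map([
    ["entry-a", { ciphertext: "b2xk", updatedAt: "2026-06-01T00:00:00Z" }],
    ["entry-b", { ciphertext: "Z29uZQ==", updatedAt: "2026-06-01T00:00:00Z" }],
  ]),
  cursor: "2026-06-01T00:00:00Z",
};
const sampleResponse = {
  entries: [{ id: "entry-a", ciphertext: "bmV3", updatedAt: "2026-06-05T09:00:00Z" }],
  removed: ["entry-b"],
  cursor: "2026-06-07T12:00:00Z",
};
```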

PATCH

Profile appearance

/rest/v1/profiles?id=eq.{userId}

Auth: Bearer Supabase JWT

Updates theme_template and theme_mode on the user profile. Used by the extension to sync premium appearance preferences across devices.

Example request

{
  "theme_template": "midnight",
  "theme_mode": "dark"
}

Example response

Updated profile row (return=representation)

POST

PayPal checkout

/api/paypal/create-order

Auth: Bearer Supabase JWT (website)

Creates a PayPal subscription checkout session for Pro or Team plans. Returns a redirect URL consumed by the pricing page.

Example request

{ "plan": "pro" }

Example response

{ "checkoutUrl": "https://..." }