API Reference: Gate Identity & Access
All Gate Identity endpoints are served from https://api.vernesoft.com.
This API is divided into two logical parts:
- Identity Management: Tenant-scoped proxy to Kratos Admin API for managing end-users.
- Access & Authorization: Core services for token exchange and permission checks.
Identity Management
Tenant API keys can only call operations scoped to their own tenant. The Edge Gateway ensures that tenants cannot access or modify identities belonging to other tenants.
| Endpoint | Methods | Allowed |
|---|---|---|
| /v1/gate/identities | POST | Yes |
| /v1/gate/identities/{identity_id} | GET, PATCH, DELETE | Yes (only if the identity belongs to the calling tenant) |
| /v1/gate/* (everything else) | any | No (rejected by gateway policy) |
Create Identity
POST /v1/gate/identities
Creates a new Kratos identity (end-user) bound to your tenant.
Request body
Send a JSON payload compatible with Kratos POST /admin/identities.
- schema_id: Must be user.
- traits.email: Required.
- traits.custom_data: Optional object for your custom user fields.
Security Note: Edge Gateway will automatically inject and enforce the traits.tenant_id based on the calling API key.
{
  "schema_id": "user",
  "traits": {
    "email": "user@example.com",
    "custom_data": {
      "role": "editor",
      "age": 28
    }
  },
  "credentials": {
    "password": {
      "config": {
        "password": "StrongPassword123!"
      }
    }
  },
  "state": "active"
}
Response (201 Created)
{
  "id": "identity_123",
  "schema_id": "user",
  "state": "active",
  "traits": {
    "email": "user@example.com",
    "tenant_id": "ten_001",
    "custom_data": {
      "role": "editor",
      "age": 28
    }
  }
}
Example request
curl -X POST https://api.vernesoft.com/v1/gate/identities \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...' \
  -H 'Content-Type: application/json' \
  -d '{
    "schema_id": "user",
    "traits": {
      "email": "user@example.com",
      "custom_data": { "role": "editor" }
    },
    "credentials": {
      "password": { "config": { "password": "StrongPassword123!" } }
    },
    "state": "active"
  }'
Get Identity
GET /v1/gate/identities/{identity_id}
Returns the identity. The Gateway will reject the request if the identity's tenant_id does not match the caller's tenant.
curl -X GET https://api.vernesoft.com/v1/gate/identities/identity_123 \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'
Patch Identity
PATCH /v1/gate/identities/{identity_id}
Updates the identity. The payload is forwarded to the Kratos Admin API and must follow the JSON Patch standard (RFC 6902).
Example request
curl -X PATCH https://api.vernesoft.com/v1/gate/identities/identity_123 \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...' \
  -H 'Content-Type: application/json' \
  -d '[
    {
      "op": "replace",
      "path": "/traits/custom_data/role",
      "value": "admin"
    }
  ]'
Delete Identity
DELETE /v1/gate/identities/{identity_id}
Deletes the identity from Kratos.
curl -X DELETE https://api.vernesoft.com/v1/gate/identities/identity_123 \
  -H 'Authorization: Bearer vrn_gate_live_sk_9f8a7...'
Include the request_id when contacting support for faster resolution.
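The tenant-isolation rules from the endpoint table and the Security Note, sketched as a gateway-side decision function. This is an added example, not Vernesoft's gateway code: it covers the route allowlist, tenant_id injection on create, and the ownership check on per-identity routes. The JSON Patch screen and all names (decide, patch_is_safe, touches_tenant, SAMPLE_OWNERS) are assumptions; the page does not say how PATCH bodies are checked.

```python
import re

TENANT_PTR = "/traits/tenant_id"
# Allowlist mirroring the endpoint table: (path pattern, methods, needs ownership check).
ROUTES = [
    (re.compile(r"/v1/gate/identities"), {"POST"}, False),
    (re.compile(r"/v1/gate/identities/(?P<id>[^/]+)"), {"GET", "PATCH", "DELETE"}, True),
]
# Constructed sample data: identity id -> owning tenant.
SAMPLE_OWNERS = {"identity_123": "ten_001"}


def touches_tenant(pointer):
    """True if a JSON Pointer is tenant_id itself, an ancestor of it, or below it."""
    a, b = pointer.split("/"), TENANT_PTR.split("/")
    n = min(len(a), len(b))
    return a[:n] == b[:n]


def patch_is_safe(ops):
    """Fail closed on RFC 6902 ops that could write tenant_id ("test" only reads)."""
    if not isinstance(ops, list):
        return False
    for op in ops:
        if not isinstance(op, dict):
            return False
        if op.get("op") == "test":
            continue
        ptrs = [op.get("path", "")] + ([op.get("from", "")] if op.get("op") == "move" else [])
        if any(not isinstance(p, str) or touches_tenant(p) for p in ptrs):
            return False
    return True


def decide(method, path, caller_tenant, body=None, owners=SAMPLE_OWNERS):
    """Return (allowed, body_to_forward) for one request made with caller_tenant's key."""
    for pattern, methods, needs_owner in ROUTES:
        m = pattern.fullmatch(path)
        if not m or method not in methods:
            continue
        if needs_owner and owners.get(m["id"]) != caller_tenant:
            return False, None  # identity belongs to another tenant or does not exist
        if method == "POST":
            if not isinstance(body, dict) or not isinstance(body.get("traits", {}), dict):
                return False, None
            # Overwrite whatever tenant_id the client sent with the key's tenant.
            body = {**body, "traits": {**body.get("traits", {}), "tenant_id": caller_tenant}}
        if method == "PATCH" and not patch_is_safe(body):
            return False, None
        return True, body
    return False, None  # everything else under /v1/gate/* is rejected
```

Rejecting any patch whose path is an ancestor of /traits/tenant_id is deliberately conservative: a whole-object replace of /traits is refused rather than rewritten.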