{
    "service": "id.collekton.com",
    "version": "2.3.1",
    "description": "Collekton Identity Provider",
    "endpoints": {
        "POST /auth/register": "Register new user (returns 2FA setup info)",
        "POST /auth/login": "Authenticate user",
        "POST /auth/refresh": "Refresh access token",
        "POST /auth/logout": "Invalidate refresh token and SSO session",
        "POST /auth/verify-2fa": "Verify 2FA code during login",
        "POST /auth/complete-2fa-setup": "Complete 2FA setup during login",
        "POST /auth/sso-exchange": "Exchange one-time SSO token for JWT",
        "GET /auth/check": "Silent SSO session check (redirect flow)",
        "POST /auth/logout-all": "Logout from all devices/sessions",
        "GET /api/mfa/status": "Get 2FA status (requires JWT)",
        "POST /api/mfa/setup": "Begin 2FA setup (requires JWT)",
        "POST /api/mfa/verify-setup": "Complete 2FA setup (requires JWT)",
        "POST /api/mfa/disable": "Disable 2FA (requires JWT)",
        "POST /api/mfa/regenerate-backup-codes": "Regenerate backup codes (requires JWT)",
        "GET /api/domains/check": "Check subdomain availability (public)",
        "GET /api/domains/suggestions": "Get subdomain suggestions (public)",
        "GET /api/domains/mine": "Get user reservations (requires JWT)",
        "POST /api/domains/reserve": "Reserve a subdomain (requires JWT)",
        "DELETE /api/domains/{subdomain}": "Release a reservation (requires JWT)",
        "POST /api/users/invite": "Invite user: find-or-create + assign to app (requires superuser JWT)",
        "GET /api/users/check": "Check if user exists by email (requires JWT)",
        "POST /api/users/assign": "Assign user to app (requires superuser JWT)",
        "GET /api/modules/catalog": "Public module catalog with domains and pricing (no auth, ?account_type=gallery)",
        "GET /api/configs/{id}/modules": "Module catalog with live subscription state (requires JWT)",
        "POST /api/configs/{id}/modules": "Activate module (requires JWT)",
        "DELETE /api/configs/{id}/modules/{module_id}": "Cancel module (requires JWT)",
        "GET /api/configs/{id}/features": "List features for app config (requires JWT)",
        "POST /api/configs/{id}/features": "Register feature (requires JWT)",
        "DELETE /api/configs/{id}/features/{feature_id}": "Cancel feature (requires JWT)",
        "POST /api/configs/{id}/core-tier": "Set core tier (requires JWT)",
        "GET /api/configs/{id}/usage": "Usage payload for fin.c (requires JWT)",
        "POST /api/application/provision": "Provision new application (claim/create account + config + infra, requires JWT)",
        "GET /api/usage/{account_id}": "Account-level usage aggregation (for fin.c)",
        "GET /api/usage/config/{config_id}": "TEMPORARY debug endpoint: config usage with no authentication \u2014 remove after debugging",
        "POST /internal/shadow/upsert": "Internal: upsert shadow principal by email (requires API key; X-Host allowlist is optional)",
        "GET /health": "Health check",
        "GET /.well-known/jwks.json": "Public keys for JWT verification"
    }
}