Documentation

User Access

Check whether a Radiant Auth user is still allowed to use first-party apps.

POST/api/internal/user-access

Warning
First-party only. Authenticate with Authorization: Bearer <INTERNAL_API_SECRET>. Never call this from the browser.

Purpose

JWT access tokens cannot be denylisted after issue. First-party apps (such as the Store) should call this on each session check so bans and revoked OAuth grants take effect immediately.

Tip
Pair this with local session cookies: verify the JWT (or opaque token), then confirm allowed: true before serving protected pages.

Request

FieldDescription
userIdRadiant Auth user id (sub)
authUserIdAlias for userId

Response

FieldDescription
allowedtrue when the user is not banned and still has an active OAuth grant
bannedWhether the user is currently banned
banReasonBan reason string, or null
hasActiveGrantWhether a non-revoked refresh or access token grant still exists
  • 200 — status payload
  • 400userId missing
  • 401 — invalid or missing internal secret
  • 404user_not_found with allowed: false
user-access.json
{
  "allowed": true,
  "banned": false,
  "banReason": null,
  "hasActiveGrant": true
}

Example

user-access.sh
curl -X POST "https://auth.rdnt.live/api/internal/user-access" \
  -H "Authorization: Bearer INTERNAL_API_SECRET" \
  -H "Content-Type: application/json" \
  -d '{"userId":"AUTH_USER_ID"}'