Documentation
User Access
Check whether a Radiant Auth user is still allowed to use first-party apps.
POST/api/internal/user-access
Warning
First-party only. Authenticate with
Authorization: Bearer <INTERNAL_API_SECRET>. Never call this from the browser.Purpose
JWT access tokens cannot be denylisted after issue. First-party apps (such as the Store) should call this on each session check so bans and revoked OAuth grants take effect immediately.
Tip
Pair this with local session cookies: verify the JWT (or opaque token), then confirm
allowed: true before serving protected pages.Request
| Field | Description |
|---|---|
userId | Radiant Auth user id (sub) |
authUserId | Alias for userId |
Response
| Field | Description |
|---|---|
allowed | true when the user is not banned and still has an active OAuth grant |
banned | Whether the user is currently banned |
banReason | Ban reason string, or null |
hasActiveGrant | Whether a non-revoked refresh or access token grant still exists |
200— status payload400—userIdmissing401— invalid or missing internal secret404—user_not_foundwithallowed: false
user-access.json
{
"allowed": true,
"banned": false,
"banReason": null,
"hasActiveGrant": true
}Example
user-access.sh
curl -X POST "https://auth.rdnt.live/api/internal/user-access" \
-H "Authorization: Bearer INTERNAL_API_SECRET" \
-H "Content-Type: application/json" \
-d '{"userId":"AUTH_USER_ID"}'