Authentication

All API endpoints except health checks require authentication. Quint supports two authentication methods: Deploy Tokens and Supabase JWTs.

Deploy Tokens (qt_deploy_ prefix)

Deploy tokens are generated for fleet enrollment: the Quint daemon uses them to authenticate when pushing events and session data to the cloud API. They are one-time display tokens; the raw value cannot be retrieved after creation. Tokens are SHA-256 hashed before database storage.

curl https://api.quintai.dev/v1/events \
  -H "Authorization: Bearer qt_deploy_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
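
The hash-only storage model described above can be sketched as follows. This is an added example, not Quint's own code: the `DeployTokenStore` class, the in-memory dict standing in for the database table, and the 16-byte token length (inferred from the shape of the sample token) are assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX = "qt_deploy_"  # token prefix documented above


def digest(raw_token: str) -> str:
    """SHA-256 hex digest: the only form of the token that is persisted."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


class DeployTokenStore:
    """In-memory stand-in for the token table (hypothetical, for illustration)."""

    def __init__(self):
        self._names_by_digest = {}

    def create(self, name: str) -> str:
        # 16 random bytes -> 32 hex chars (assumed length). A fast unsalted
        # hash is adequate only because the token is 128 random bits,
        # unlike a user-chosen password.
        raw = PREFIX + secrets.token_hex(16)
        self._names_by_digest[digest(raw)] = name
        return raw  # displayed once; not recoverable from the stored digest

    def authenticate(self, authorization_header):
        """Return the token name for a valid Bearer deploy token, else None."""
        scheme, _, presented = (authorization_header or "").partition(" ")
        if scheme != "Bearer" or not presented.startswith(PREFIX):
            return None
        candidate = digest(presented)
        for stored, name in self._names_by_digest.items():
            # Constant-time comparison of digests, never of raw tokens.
            if hmac.compare_digest(stored, candidate):
                return name
        return None

    def stored_digests(self):
        """What a database dump would expose: digests only."""
        return list(self._names_by_digest)
```

A dump of the store yields only digests, so a leaked table cannot be replayed as bearer tokens, and a lost token has to be replaced by creating a new one.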

Token Management

# Create a deploy token
curl -X POST https://api.quintai.dev/v1/deploy-tokens \
  -H "Authorization: Bearer YOUR_SUPABASE_JWT" \
  -H "Content-Type: application/json" \
  -d '{"name": "production-fleet-01"}'

# List deploy tokens
curl https://api.quintai.dev/v1/deploy-tokens \
  -H "Authorization: Bearer YOUR_SUPABASE_JWT"

Supabase JWT

Dashboard users authenticate via Supabase. The JWT can also be used directly against the API for management operations like creating deploy tokens or managing the tenant/org. JWTs are verified using ES256 JWKS (primary) with HS256 fallback.

curl https://api.quintai.dev/v1/sessions \
  -H "Authorization: Bearer eyJhbGciOiJFUzI1NiIs..."

Rate Limits

Ingestion endpoints (POST /v1/events/ingest and POST /v1/sessions/ingest) are rate-limited per organization. When rate limited, the API returns 429 Too Many Requests.

Error Responses

{
  "error": "Authorization header required"
}
Status: 401 Unauthorized

Unauthenticated Endpoints

These endpoints do not require authentication:
  • GET /health — Liveness check
  • GET /ready — Readiness check