All endpoints require authentication via Supabase JWT in the Authorization: Bearer <token> header. Org context is resolved from the JWT’s user membership.

Team Management

Invite Member

email (string, required): Email address of the user to invite.
role (string, required): Role to assign. One of: owner, admin, analyst, viewer. Cannot exceed your own role level.
curl -X POST https://api.quintai.dev/v1/team \
  -H "Authorization: Bearer $QUINT_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "analyst@company.com",
    "role": "analyst"
  }'
id (string): Membership ID.
status (string): Either pending (invite sent, not yet claimed) or active (user has logged in and claimed the invite).

List Members

Returns all members of your organization, including pending invites.
curl -X GET https://api.quintai.dev/v1/team \
  -H "Authorization: Bearer $QUINT_JWT"

Update Member Role

id (string, required): Membership ID of the member to update.
role (string, required): New role. Cannot exceed your own role level.
curl -X PUT https://api.quintai.dev/v1/team/mem_def456 \
  -H "Authorization: Bearer $QUINT_JWT" \
  -H "Content-Type: application/json" \
  -d '{"role": "admin"}'
You cannot downgrade the last owner. The API returns 409 Conflict if this would leave the org with no owners.

Remove Member

id (string, required): Membership ID to remove.
curl -X DELETE https://api.quintai.dev/v1/team/mem_def456 \
  -H "Authorization: Bearer $QUINT_JWT"
Removing a member also revokes all their personal tokens. Service and deploy tokens are unaffected.

Token Operations

Create Token

name (string, required): Human-readable label for the token.
kind (string, required): Token type: personal, service, or deploy.
scopes (string[], required): Array of scopes: read, ingest, manage, admin, *.
curl -X POST https://api.quintai.dev/v1/tokens \
  -H "Authorization: Bearer $QUINT_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI Read-Only",
    "kind": "service",
    "scopes": ["read"]
  }'
The token field is returned only in this response. Store it securely — it cannot be retrieved again.
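
An added example (not Quint's own code) of handling Create Token on the client side: it checks kind and scopes against the values listed on this page before the request is sent, and writes the one-time token field to a new owner-only file. The allow_broad policy, the function names, the file name and the sample response are assumptions made for illustration; only the token field of the response is documented here.

```python
import json
import os
import stat
import tempfile

# Values documented on this page for POST /v1/tokens.
KINDS = {"personal", "service", "deploy"}
SCOPES = {"read", "ingest", "manage", "admin", "*"}
# Assumption (local policy, not an API rule): these scopes need explicit sign-off.
BROAD_SCOPES = {"admin", "*"}


def build_token_request(name, kind, scopes, allow_broad=False):
    """Validate and serialize a Create Token body before it is sent."""
    if not name.strip():
        raise ValueError("name must be a non-empty label")
    if kind not in KINDS:
        raise ValueError(f"unknown kind: {kind!r}")
    requested = set(scopes)
    if not requested or requested - SCOPES:
        raise ValueError(f"scopes must be a non-empty subset of {sorted(SCOPES)}")
    broad = requested & BROAD_SCOPES
    if broad and not allow_broad:
        raise PermissionError(f"broad scopes need allow_broad=True: {sorted(broad)}")
    return json.dumps({"name": name, "kind": kind, "scopes": sorted(requested)})


def store_token_once(response_body, path):
    """Write the one-time `token` field to a new owner-only file; return its mode."""
    token = json.loads(response_body)["token"]
    # O_EXCL refuses to overwrite an existing secret; 0o600 is set at creation,
    # so the file is never briefly readable by other users.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    body = build_token_request("CI Read-Only", "service", ["read"])
    # Constructed sample response; the token value is a placeholder.
    sample = json.dumps({"id": "tok_abc123", "token": "EXAMPLE-NOT-A-REAL-TOKEN"})
    with tempfile.TemporaryDirectory() as tmp:
        mode = store_token_once(sample, os.path.join(tmp, "quint_token"))
    return body, mode


if __name__ == "__main__":
    print(demo())
```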

List Tokens

Returns all tokens for your organization. Raw token values are never included.
curl -X GET https://api.quintai.dev/v1/tokens \
  -H "Authorization: Bearer $QUINT_JWT"

Revoke Token

id (string, required): Token ID to revoke.
curl -X DELETE https://api.quintai.dev/v1/tokens/tok_abc123 \
  -H "Authorization: Bearer $QUINT_JWT"
Revocation is immediate. Any request using this token after revocation returns 401 Unauthorized.

User Preferences

Get Preferences

Returns the current user’s preferences for the organization.
curl -X GET https://api.quintai.dev/v1/preferences \
  -H "Authorization: Bearer $QUINT_JWT"

Update Preferences

Performs a JSONB merge — only the fields you send are updated. Omitted fields retain their current values.
theme (string): dark or light.
default_time_range (string): Default time range for dashboards. One of: 1h, 6h, 24h, 7d, 30d.
default_view (string): Landing page after login. One of: overview, sessions, alerts, fleet.
notifications (object): Notification preferences object. Merged with existing values.
curl -X PUT https://api.quintai.dev/v1/preferences \
  -H "Authorization: Bearer $QUINT_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "theme": "light",
    "notifications": {
      "browser_push": true
    }
  }'
The merge is shallow for top-level keys but deep for the notifications object. Sending {"notifications": {"browser_push": true}} updates only browser_push without touching other notification settings.

Error Responses

All endpoints return consistent error shapes:
| Status | Code | Meaning |
| --- | --- | --- |
| 400 | bad_request | Invalid input, missing required fields |
| 401 | unauthorized | Missing or invalid authentication |
| 403 | insufficient_permissions | Valid auth but insufficient role level |
| 404 | not_found | Resource doesn’t exist in your org |
| 409 | conflict | Operation would violate a constraint (e.g., removing last owner) |
| 429 | rate_limited | Too many requests, retry after Retry-After header |

{
  "error": "insufficient_permissions",
  "message": "Admin role required for this action",
  "status": 403
}