Authentication uses OAuth2 bearer tokens with a 3600-second access-token TTL and a 30-day refresh-token lifetime.
Rate limit is 500 requests per minute globally. When a client is rate limited, return 429 with a Retry-After header.
Admin tokens can access all organizations. User tokens can only access their own organization.
All API requests must include the Authorization header with a valid bearer token.
Tokens are issued by the /auth/token endpoint using client credentials or authorization code flow.
Refresh tokens can be used once and are invalidated after use. A new refresh token is issued with each access token.

The users endpoint at POST /users creates a new user. Required fields are name, email, and role.
Email must be unique per organization. Roles are admin, member, or viewer. Default role is member.
GET /users returns a paginated list with cursor-based pagination. Default limit is 25, max is 100.
GET /users/:id returns a single user or 404 if not found. Includes last_login and created_at.
PATCH /users/:id does a partial update with merge semantics. Email cannot be changed without verification.
DELETE /users/:id soft-deletes by setting status to archived. Archived users cannot log in.
If the user is already archived, return 410 Gone.
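The following is an added illustration (not the service's own code) of three rules above: organization scoping of admin versus user tokens, single-use refresh tokens, and the soft-delete that answers 410 on an already archived user. The in-memory stores, the Token and User models, and the choice to answer cross-organization requests with 404 are assumptions of this example.

```python
from dataclasses import dataclass
import secrets

@dataclass
class Token:            # claims carried by an access token (constructed model)
    subject: str
    org_id: str
    is_admin: bool

@dataclass
class User:
    id: str
    org_id: str
    status: str = "active"

# Constructed sample data: one active user in org-a, one archived user in org-b.
USERS = {"u1": User("u1", "org-a"), "u2": User("u2", "org-b", status="archived")}
REFRESH = {}  # refresh token -> claims; assumed server-side store

def can_access_org(token, org_id):
    """Admin tokens reach every organization; user tokens only their own."""
    return token.is_admin or token.org_id == org_id

def delete_user(token, user_id):
    """DELETE /users/:id as a soft delete; returns (status_code, body)."""
    user = USERS.get(user_id)
    # Assumption: a user outside the caller's org is answered like a missing
    # one (404), so cross-org probing cannot distinguish the two cases.
    if user is None or not can_access_org(token, user.org_id):
        return 404, {"error": "not found"}
    if user.status == "archived":
        return 410, {"error": "gone"}
    user.status = "archived"
    return 204, None

def issue_tokens(subject, org_id, is_admin):
    """Issue an access token plus a fresh single-use refresh token."""
    refresh = secrets.token_urlsafe(32)
    REFRESH[refresh] = (subject, org_id, is_admin)
    return Token(subject, org_id, is_admin), refresh

def redeem_refresh(refresh):
    """Refresh tokens are one-shot: the presented token is invalidated before
    a new access/refresh pair is issued, so a replay returns None."""
    claims = REFRESH.pop(refresh, None)
    return None if claims is None else issue_tokens(*claims)
```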