
api

Endpoint: https://chrome.hiretofu.com

POST https://chrome.hiretofu.com/api/core/auth/workos/callback/

Unified WorkOS callback — WorkOS is the source of truth.

Expected payload: { "code": "<authorization_code>" }

Three cases:

  1. User exists in both WorkOS and Django → login.
  2. User exists in WorkOS but not Django → provision immediately.
  3. User does not exist in WorkOS → code exchange fails, error returned.

Request Body

  • code (string) · required

Responses

  • access_token (string) · required
  • refresh_token (string) · required
  • user (object) · required

POST https://chrome.hiretofu.com/api/core/auth/google/login/

Handle Google OAuth2 login with authorization code. This endpoint is for users who already have accounts.

Expected payload: { "code": "authorization_code_from_google", "redirect_uri": "your_frontend_redirect_uri" }

Returns: { "access_token": "jwt_access_token", "refresh_token": "jwt_refresh_token", "user": { "id": user_id, "email": "[email protected]", "first_name": "John", "last_name": "Doe" } }

Request Body

  • code (string) · required
  • redirect_uri (string) · required

Responses

  • access_token (string) · required
  • refresh_token (string) · required
  • user (object) · required

POST https://chrome.hiretofu.com/api/core/auth/okta/login/

Handle Okta OAuth2 login with authorization code. This endpoint is for users who already have accounts.

Expected payload: { "code": "authorization_code_from_okta", "redirect_uri": "your_frontend_redirect_uri" }

Returns: { "access_token": "jwt_access_token", "refresh_token": "jwt_refresh_token", "user": { "id": user_id, "email": "[email protected]", "first_name": "John", "last_name": "Doe" } }

Request Body

  • code (string) · required
  • redirect_uri (string) · required

Responses

  • access_token (string) · required
  • refresh_token (string) · required
  • user (object) · required

POST https://chrome.hiretofu.com/api/token/

Takes a set of user credentials and returns an access and refresh JSON web token pair to prove the authentication of those credentials.

Request Body

  • email (string) · writeOnly · required
  • password (string) · writeOnly · required
  • access (string) · readOnly · required
  • refresh (string) · readOnly · required

Responses

  • email (string) · writeOnly · required
  • password (string) · writeOnly · required
  • access (string) · readOnly · required
  • refresh (string) · readOnly · required

POST https://chrome.hiretofu.com/api/core/auth/logout/

Log the current user out.

Two things make logout effective in this architecture:

  1. The webapp proxy clears the tofu-web cookie via its outbound policy, so the browser can no longer present the access token.
  2. The frontend redirects through workos_logout_url (when present) to terminate the WorkOS-side session — otherwise AuthKit would silently re-authenticate on the next /signin.

We deliberately do NOT iterate OutstandingToken and call .blacklist() on each one. The proxy strips refresh tokens from auth responses before they ever reach the client (see set-auth-cookie-outbound), so those rows are orphans — no device holds them, no one can present them to /api/token/refresh/. Blacklisting defends against a threat that doesn't exist here. If we ever start delivering refresh tokens to clients, revisit.

Response: { "message": "Successfully logged out", "workos_logout_url": "https://api.workos.com/.../logout?..." | null, "redirect_to": "/signin" | "/login" }
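The two proxy policies the logout description relies on, modelled as an added example (not the project's own proxy code): the outbound policy moves the access token into the tofu-web cookie and drops the refresh token, and the logout policy clears that cookie while the frontend picks workos_logout_url over redirect_to. Function names, cookie attributes and the sample bodies are assumptions; only the cookie name, policy name and response shapes come from the page.

```python
from typing import Tuple
from http.cookies import SimpleCookie

COOKIE_NAME = "tofu-web"                      # cookie name from the page
ACCESS_KEYS = ("access_token", "access")      # /api/core/auth/* vs /api/token/
REFRESH_KEYS = ("refresh_token", "refresh")


def set_auth_cookie_outbound(auth_body: dict) -> Tuple[dict, str]:
    """Assumed shape of the set-auth-cookie-outbound policy.

    The access token leaves the JSON body and becomes an HttpOnly cookie;
    the refresh token is dropped entirely, so no client ever holds it
    (this is why the page calls the OutstandingToken rows orphans).
    """
    body = dict(auth_body)
    access = next((body.pop(k) for k in ACCESS_KEYS if k in body), None)
    for key in REFRESH_KEYS:
        body.pop(key, None)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = access or ""
    cookie[COOKIE_NAME]["httponly"] = True     # JS cannot read the token
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["samesite"] = "Lax"
    cookie[COOKIE_NAME]["path"] = "/"
    return body, cookie.output(header="").strip()


def client_can_refresh(client_body: dict) -> bool:
    """What the client actually receives: is there a refresh token to present?"""
    return any(k in client_body for k in REFRESH_KEYS)


def logout_outbound(api_body: dict) -> Tuple[str, str]:
    """Assumed logout policy plus the frontend's redirect decision.

    Returns the clearing Set-Cookie header (the browser can no longer present
    the access token) and the next hop: the WorkOS logout URL when present,
    so AuthKit does not re-authenticate silently, otherwise redirect_to.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ""
    cookie[COOKIE_NAME]["max-age"] = 0         # expire immediately
    cookie[COOKIE_NAME]["httponly"] = True
    cookie[COOKIE_NAME]["secure"] = True
    cookie[COOKIE_NAME]["path"] = "/"
    next_hop = api_body.get("workos_logout_url") or api_body["redirect_to"]
    return cookie.output(header="").strip(), next_hop


if __name__ == "__main__":
    # Constructed sample in the shape the login endpoints document.
    raw = {"access_token": "jwt_access_token", "refresh_token": "jwt_refresh_token",
           "user": {"id": 1, "email": "user@example.com"}}
    body, set_cookie = set_auth_cookie_outbound(raw)
    print(body, set_cookie, client_can_refresh(body))
    print(logout_outbound({"workos_logout_url": None, "redirect_to": "/signin"}))
```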

Responses

  • message (string) · required
  • redirect_to (string) · required
  • workos_logout_url (string | null)