IM
EN
Docs Home
Menu
Guides

Auth Backend Admin Flow

Use the private backend client to authenticate with `auth.inbox-manager.com` and run privileged user/account/membership operations.

inbox-manager client-flow

Auth Backend Admin Flow

Purpose: use the private backend client to authenticate to auth.inbox-manager.com and run privileged user/account/membership operations.

Boundary note:

  • This guide targets auth.inbox-manager.com and api.inbox-manager.com.
  • These endpoints are outside api.inbox-manager.com OpenAPI.

Audience Rule

  • This client is for calling api.inbox-manager.com / auth.inbox-manager.com APIs.
  • Token audience should be https://api.inbox-manager.com.
  • Public app client remains separate with audience https://api.inbox-manager.com.

UI Flow

  1. No browser usage.
  2. Backend service mints M2M token via client credentials.
  3. Backend executes user/account/member admin APIs.
  4. Backend records outcomes in internal job/log system.

Client Library Flow

const auth = new OAuthClient({
  tokenUrl: "https://auth.inbox-manager.com/oauth2/token",
  clientId: process.env.AUTH_BACKEND_ADMIN_CLIENT_ID!,
  clientSecret: process.env.AUTH_BACKEND_ADMIN_CLIENT_SECRET!,
});

const token = await auth.clientCredentials({
  audience: "https://api.inbox-manager.com",
});

const authApi = new InboxManagerAdminClient({
  baseUrl: "https://api.inbox-manager.com",
  bearerToken: token.access_token,
});

const user = await authApi.createApplicationUser(appId, { status: "active" });
const account = await authApi.createChildAccount(parentAccountId, {
  name: "ops-provisioned",
});
const membership = await authApi.addAccountMember(
  account.id,
  user.id,
  "viewer",
);

HTTP/curl Flow

curl -sS -X POST "https://auth.inbox-manager.com/oauth2/token" \
  -H "content-type: application/json" \
  --data "{
    \"grant_type\": \"client_credentials\",
    \"client_id\": \"${AUTH_BACKEND_ADMIN_CLIENT_ID}\",
    \"client_secret\": \"${AUTH_BACKEND_ADMIN_CLIENT_SECRET}\",
    \"audience\": \"https://api.inbox-manager.com\"
  }"

Then call:

  • POST /api/applications/:application_id/users
  • POST /api/accounts/:account_id/accounts
  • POST /api/accounts/:account_id/members
  • PATCH /api/accounts/:account_id/members/:member_id
  • DELETE /api/accounts/:account_id/members/:member_id
  • PATCH /api/accounts/:account_id
  • DELETE /api/accounts/:account_id
  • DELETE /api/users/:user_id

Validation Script

  • scripts/auth_backend_admin_flow.sh
Previous
Auth And Token Bootstrap

Acquire bearer tokens and validate auth endpoint behavior before calling Inbox Manager APIs.

Next
Client Flow Map

Define the expected top-level integration sequence for clients using `api.inbox-manager.com`.