Invite API
The Invite API issues and validates invite codes for waitlisted emails. Codes are single-use, 32-byte random tokens stored as SHA-256 hashes. The plaintext code is returned exactly once at creation — it cannot be retrieved again.
POST /api/invites
Issues an invite code for a waitlisted email. Admin-only — requires M2M or legacy platform auth via the X-Platform-Token header.
Request
POST /api/invites
X-Platform-Token: <token>
Content-Type: application/json
{
  "email": "user@example.com"
}
Response — 200
{
  "ok": true,
  "code": "<64-char hex plaintext>",
  "email": "user@example.com",
  "expires_at": "2026-03-25T09:00:00.000Z"
}
Error responses
| Status | Error | Cause |
|---|---|---|
| 400 | email is required | Missing or invalid email field |
| 401 | Unauthorized | Missing or invalid platform auth token |
| 404 | Email not found on waitlist | Email hasn't joined the waitlist |
| 500 | Failed to create invite code | Database error |
Code behaviour
- Codes are normalized to uppercase before hashing — the plaintext can be entered in any case
- Codes expire after 7 days from issuance
- Each code is single-use — consuming it marks it as redeemed in the database
- The SHA-256 hash is stored, never the plaintext — if you lose the code, issue a new one
Validation
Code validation happens at the /invite sign-up page. The frontend calls the validation endpoint internally — this endpoint is not part of the public API surface. A submitted code is validated as follows:
- Trim and uppercase the submitted code
- SHA-256 hash it
- Look up the hash in invite_codes
- Check it hasn't been redeemed and hasn't expired
- Mark as redeemed and continue sign-up
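The issue and validation steps above, worked through in Python as an added example (not the project's own code): an in-memory dict stands in for the invite_codes table, and a fixed clock (ISSUED_AT) replaces the real time so the 7-day expiry can be exercised.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

INVITE_TTL = timedelta(days=7)
# Fixed clock for the worked example (constructed; a real service reads the current time)
ISSUED_AT = datetime(2026, 3, 18, 9, 0, tzinfo=timezone.utc)

# Stand-in for the invite_codes table, keyed by SHA-256 hex digest (constructed, in-memory)
invite_codes: dict[str, dict] = {}


def hash_code(code: str) -> str:
    """Trim and uppercase, then SHA-256: the same normalisation on issue and on validation."""
    return hashlib.sha256(code.strip().upper().encode("utf-8")).hexdigest()


def issue_invite(email: str, now: datetime = ISSUED_AT) -> dict:
    """Create a code: 32 random bytes as 64 hex chars. Only its hash is stored."""
    code = secrets.token_hex(32)
    expires_at = now + INVITE_TTL
    invite_codes[hash_code(code)] = {"email": email, "expires_at": expires_at, "redeemed": False}
    # The plaintext leaves this function exactly once, in the creation response.
    return {"ok": True, "code": code, "email": email,
            "expires_at": expires_at.isoformat(timespec="milliseconds").replace("+00:00", "Z")}


def validate_invite(submitted: str, now: datetime = ISSUED_AT) -> tuple[bool, str]:
    """Look up the hash, reject redeemed or expired codes, otherwise redeem and return the email."""
    row = invite_codes.get(hash_code(submitted))
    if row is None:
        return False, "unknown code"
    if row["redeemed"]:
        return False, "already redeemed"
    if now >= row["expires_at"]:
        return False, "expired"
    row["redeemed"] = True  # single-use: mark before sign-up continues
    return True, row["email"]


if __name__ == "__main__":
    issued = issue_invite("user@example.com")
    print(issued["expires_at"])                              # 2026-03-25T09:00:00.000Z
    print(validate_invite(f"  {issued['code'].upper()} "))   # (True, 'user@example.com')
    print(validate_invite(issued["code"]))                   # (False, 'already redeemed')
```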
See also
- Invite & Sign Up — the user-facing invite flow
- Invite Gate — the security model around invite-only access