Tenant

The tenant resource exposes the caller's owning tenant — name, permission mode, created-at timestamp. Useful for confirming "which tenant does this token belong to" in CI scripts, for surfacing the tenant name in your own internal dashboards, and for renaming the tenant programmatically.

Singleton, no :id

A bearer token can only ever read or write its own tenant — by construction, an :id segment would be lying about the API surface. So this resource is GET /v1/tenant and PATCH /v1/tenant with no ID in the URL. (For the same reason, Tenant.id in the schema is a raw UUID, not a prefixed tnt_<...> ID — there's no per-row addressing path that would need it.)

PATCH is owner-only and currently rename-only

PATCH /v1/tenant is owner-only — admin and member tokens get a 403. Today the only mutable field is name (1-80 chars after trim). permission_mode (flat vs. role-based) is read-only through this generic PATCH: flipping a tenant's permission model is an irreversible RBAC posture change deserving its own dedicated endpoint in v2, so we surface a 400 if you try to set it here.

Notes

  • The schema deliberately enumerates only the public fields (id, name, permission_mode, created_at). Billing-related internal columns — Paddle customer IDs, subscription state, refund-eligibility flags, trajectory-alert markers — are not surfaced and will not appear if a future migration adds more.

Endpoints