Current user from access token
GET /auth/me
Returns JWT claim fields plus authoritative companyMemberships and businessUnitMemberships from Auth Postgres (same shapes as GET /internal/users/{id}/context).
Authorizations

Responses

User claims snapshot and membership rows (object)
  User id
  companyMemberships (one object per company membership):
    Tenant IAM role (e.g. MANAGER company-wide; FINANCE; SUBMITTER). Distinct from BU role on businessUnitMemberships.
    Optional per-user-per-company approval limit (decimal string; migrated from Finance).
    invoiceViewScope: echoed from metadata.invoiceViewScope when set (OWN | BU | COMPANY). Company-level when the user has no BU rows or as default; see README_AUTH_API.md §5.2a.
    canEditOthersScope: echoed from metadata.canEditOthersScope when set.
    canEditOthersInvoices: echoed from metadata.canEditOthersInvoices when set (legacy boolean).
    metadata: Optional JSON object. Recommended keys for Finance invoice/bill visibility and editing others’ drafts — see README_AUTH_API.md (invoice scope metadata). Omitting it on upsert leaves existing metadata unchanged. invoiceViewScope / canEditOthersScope / canEditOthersInvoices are also returned as top-level fields when present.
  businessUnitMemberships (one object per business-unit membership):
    BU IAM role — APPROVER (manager), SUBMITTER, or BU ADMIN; combine with invoiceViewScope for bills.
    invoiceViewScope: echoed from metadata when set (per-BU invoice list scope).
    metadata: Optional JSON object. For SUBMITTER (and product-defined cases), use the invoice scope keys per README_AUTH_API.md. Finance migration may set invoiceViewScope and canEditOthersInvoices (boolean). Scope keys are also echoed as top-level fields when present.

Missing/invalid token or credentials (object)

Example
validation_error
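The response above leaves the consumer to decide which scope applies when a user has both a company row and a BU row, and what to do when a scope value is missing or malformed. The following is an added example, not the auth service's own code, of resolving an effective invoiceViewScope from a GET /auth/me body: the echoed top-level field wins over metadata, a matching BU row wins over the company row, and anything outside OWN | BU | COMPANY is treated as unset and falls back to the most restrictive value (an assumption chosen to fail closed). The row keys companyId, businessUnitId and role, and the sample body itself, are constructed assumptions; the page only names the two membership arrays and the scope/metadata fields.

```python
"""Resolve a caller's effective invoice view scope from a GET /auth/me
response. Added example; not the auth service's own code."""

VALID_SCOPES = {"OWN", "BU", "COMPANY"}
# Assumption: a missing or unrecognised scope resolves to the most
# restrictive value rather than widening access.
FALLBACK_SCOPE = "OWN"

# Constructed sample shaped like a GET /auth/me body. The row keys
# companyId, businessUnitId and role are assumptions.
SAMPLE_ME = {
    "companyMemberships": [
        {
            "companyId": "co-acme",
            "role": "FINANCE",
            "invoiceViewScope": "COMPANY",             # echoed top-level field
            "metadata": {"invoiceViewScope": "COMPANY"},
        },
        {
            "companyId": "co-globex",
            "role": "SUBMITTER",
            "metadata": {"invoiceViewScope": "own"},   # wrong case: not a valid scope
        },
    ],
    "businessUnitMemberships": [
        {
            "companyId": "co-acme",
            "businessUnitId": "bu-7",
            "role": "SUBMITTER",
            "metadata": {"invoiceViewScope": "BU", "canEditOthersInvoices": True},
        },
        {
            "companyId": "co-acme",
            "businessUnitId": "bu-9",
            "role": "APPROVER",
            "metadata": {},                            # no per-BU scope set
        },
    ],
}


def scope_of_row(row):
    """Scope carried by one membership row: the echoed top-level field
    wins, then metadata.invoiceViewScope. Returns None when neither is
    set or the value is not one of OWN | BU | COMPANY."""
    value = row.get("invoiceViewScope")
    if value is None:
        value = (row.get("metadata") or {}).get("invoiceViewScope")
    if isinstance(value, str) and value in VALID_SCOPES:
        return value
    return None


def effective_invoice_view_scope(me, company_id, business_unit_id=None):
    """Return (scope, source) for the caller within company_id.

    source is 'bu', 'company' or 'fallback' so the decision can be
    logged for audit. A caller with no membership row for the company
    gets (None, 'none'). The BU row is consulted only when
    business_unit_id is given and the user has a row for it; otherwise
    the company-level value applies, as the endpoint description states.
    """
    company_rows = [r for r in me.get("companyMemberships", [])
                    if r.get("companyId") == company_id]
    if not company_rows:
        return None, "none"

    if business_unit_id is not None:
        for row in me.get("businessUnitMemberships", []):
            if (row.get("companyId") == company_id
                    and row.get("businessUnitId") == business_unit_id):
                scope = scope_of_row(row)
                if scope is not None:
                    return scope, "bu"

    scope = scope_of_row(company_rows[0])
    if scope is not None:
        return scope, "company"
    return FALLBACK_SCOPE, "fallback"


if __name__ == "__main__":
    print(effective_invoice_view_scope(SAMPLE_ME, "co-acme", "bu-7"))    # BU row decides
    print(effective_invoice_view_scope(SAMPLE_ME, "co-acme", "bu-9"))    # company row decides
    print(effective_invoice_view_scope(SAMPLE_ME, "co-globex"))          # invalid value, fail closed
    print(effective_invoice_view_scope(SAMPLE_ME, "co-initech"))         # not a member
```

Returning the source alongside the scope is deliberate: when an invoice list is wider or narrower than a user expects, the audit log can show whether a BU row, the company row, or the fail-closed fallback made the call.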