> ## Documentation Index
> Fetch the complete documentation index at: https://docs.flexslot.gg/llms.txt
> Use this file to discover all available pages before exploring further.

# User PAT probe

> Returns the calling user's principal id, scopes, rate-limit tier, and a human-readable identity (`user.id` / `username`). `user.id` is the bare Firebase id and matches the `author.id` on that user's public decks; `user.username` is the handle shown on the consent screen the user approved. This doubles as the userinfo endpoint for OAuth2 Bearer callers — no extra scope is required. Email is intentionally NOT returned: it is not consistently shown to the user before consent (the screen shows username, falling back to email only when username is empty, and the skip-consent re-authorization path shows neither), so exposing it to every bearer caller would leak PII a `decks:read`-only partner never had the user approve.



## OpenAPI

````yaml /openapi.json get /api/public/v1/_probe/user
openapi: 3.0.3
info:
  title: Flexslot API
  version: 1.0.0
  description: API documentation for Flexslot decks application
servers:
  - url: https://api.flexslot.gg
    description: Production
  - url: https://api-dev.flexslot.gg
    description: Development
security: []
paths:
  /api/public/v1/_probe/user:
    get:
      tags:
        - Probes
      summary: User PAT probe
      description: >-
        Returns the calling user's principal id, scopes, rate-limit tier, and a
        human-readable identity (`user.id` / `username`). `user.id` is the bare
        Firebase id and matches the `author.id` on that user's public decks;
        `user.username` is the handle shown on the consent screen the user
        approved. This doubles as the userinfo endpoint for OAuth2 Bearer
        callers — no extra scope is required. Email is intentionally NOT
        returned: it is not consistently shown to the user before consent (the
        screen shows username, falling back to email only when username is
        empty, and the skip-consent re-authorization path shows neither), so
        exposing it to every bearer caller would leak PII a `decks:read`-only
        partner never had the user approve.
      operationId: _probe_user_retrieve
      responses:
        '200':
          content:
            application/json:
              schema:
                type: object
                required:
                  - caller
                  - user
                  - scopes
                  - tier
                properties:
                  caller:
                    type: string
                  user:
                    type: object
                    required:
                      - id
                      - username
                    properties:
                      id:
                        type: string
                      username:
                        type: string
                  scopes:
                    type: array
                    items:
                      type: string
                  tier:
                    type: string
          description: ''
      security:
        - PersonalAccessToken: []
        - OAuth2DPoP: []
          OAuth2DPoPProof: []
        - OAuth2Bearer: []
components:
  securitySchemes:
    PersonalAccessToken:
      type: http
      scheme: bearer
      bearerFormat: flx_pat_...
      description: 'User-issued personal access token (format: flx_pat_<token>).'
    OAuth2DPoP:
      type: http
      scheme: DPoP
      description: >-
        DPoP-bound OAuth2 access token (RFC 9449). Issued by the /oauth/token
        endpoint when the client is registered with
        dpop_bound_access_tokens=true. Each protected request must include a
        fresh DPoP proof JWT in the DPoP header. Token format: flx_at_<token>.
    OAuth2DPoPProof:
      type: apiKey
      in: header
      name: DPoP
      description: >-
        RFC 9449 DPoP proof JWT. Required on every request that presents
        Authorization: DPoP <access_token>. Must carry fresh iat, jti, htm
        matching the request method, htu matching the request URL, and ath
        matching SHA-256 of the access token.
    OAuth2Bearer:
      type: http
      scheme: bearer
      bearerFormat: flx_at_...
      description: >-
        OAuth2 access token issued via the authorization-code + PKCE flow
        (format: flx_at_<token>). Grants the partner user-scoped access to act
        on behalf of the consenting end-user.

````