Mint a graduation handoff token for an existing LIMITED user
SDK consumers surface a `<CuraeUpgradeCard>` whenever the current user is in the `LIMITED` lifecycle state; a tap on the upgrade CTA proxies to this route via the consumer backend. The platform mints a fresh server-signed `GRADUATION_HANDOFF` JWT that pins the LIMITED `User.id` and returns the Curae-hosted `/graduate?handoff=<token>` webview URL the SDK navigates the user to. The credential-binding ceremony (passkey, magic link, password) runs inside that webview. Idempotency-Key is REJECTED because every call MUST mint a fresh short-lived JWT — replays would return a stale token whose TTL may have elapsed. Rate-limited at 10 req / customer-account / appUserId / minute (same cap as `/initiate`) to close the LIMITED-binding enumeration side channel.
POST /api/sdk/v1/curae-connect/graduation-handoff
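A consumer backend that proxies this route can check the response before passing the webview URL to the SDK. The sketch below is an added example, not Curae's own code. `EXPECTED_ORIGIN`, `SKEW_MS` and both function names are hypothetical, and it assumes the `handoff` query parameter carries the same JWT as `handoffToken`.

```typescript
// Added example. EXPECTED_ORIGIN, SKEW_MS and the function names are hypothetical.
interface HandoffResponse {
  handoffUrl: string;
  handoffToken: string;
  handoffTokenExpiresAt: string; // ISO 8601 timestamp
  subjectUserId: string;
}

const EXPECTED_ORIGIN = "https://connect.curae.example"; // hypothetical Curae webview origin
const SKEW_MS = 5000; // hypothetical margin so a nearly expired token is not handed out

// Headers for the upstream call. The route rejects Idempotency-Key, so a generic
// retry layer must not leak one through (header names are case-insensitive).
function upstreamHeaders(apiKey: string, extra: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(extra)) {
    const lower = name.toLowerCase();
    if (lower !== "idempotency-key") out[lower] = extra[name];
  }
  out["content-type"] = "application/json";
  out["authorization"] = "Bearer " + apiKey;
  return out;
}

// Returns the URL to hand to the SDK, or throws if the response must not be used.
function checkHandoff(res: HandoffResponse, nowMs: number): string {
  const url = new URL(res.handoffUrl); // throws on a malformed URL
  if (url.origin !== EXPECTED_ORIGIN) throw new Error("unexpected handoff origin");
  if (url.pathname !== "/graduate") throw new Error("unexpected handoff path");
  // Assumption: the handoff query parameter carries the same JWT as handoffToken.
  if (url.searchParams.get("handoff") !== res.handoffToken) {
    throw new Error("handoff token mismatch");
  }
  const expiresMs = Date.parse(res.handoffTokenExpiresAt);
  if (isNaN(expiresMs)) throw new Error("unparseable expiry");
  // Every call mints a fresh short-lived JWT, so an expired one means a stale copy.
  if (expiresMs - SKEW_MS <= nowMs) throw new Error("handoff token expired");
  return url.toString();
}
```

Call `checkHandoff` with `Date.now()` on every request rather than caching its result, since each call to the route mints a new token.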
Authorization
platformApiKey CuraeAI Platform API key using the format Bearer . Keys are opaque credentials such as cae_live_..., not JWTs.
In: header
Request Body
application/json
Response Body
application/json
application/problem+json
application/problem+json
application/problem+json
```bash
curl -X POST "https://example.com/api/sdk/v1/curae-connect/graduation-handoff" \
  -H "Content-Type: application/json" \
  -d '{ "appUserId": "string" }'
```

```json
{
  "handoffUrl": "http://example.com",
  "handoffToken": "string",
  "handoffTokenExpiresAt": "2019-08-24T14:15:22Z",
  "subjectUserId": "296d2d93-03fc-4d0e-b7e7-4f7600664125"
}
```

```json
{
  "type": "string",
  "title": "string",
  "status": 0,
  "detail": "string",
  "instance": "string",
  "code": "string",
  "details": {},
  "retryable": true
}
```

Initiate a Curae Connect entry-flow session (Path A / B / C selection) POST
Mints a fresh CuraeConnectSession for the SDK app's (customerAccountId, appUserId) coordinate. Path selection is deterministic from the bound `LimitedAccountAppBinding`: existing-ACTIVE → Path A (`EXISTING_ACTIVE_HANDOFF`, handoff lands in-tx), no-binding + `preferSignup: true` → Path B (`NEW_ACTIVE_SIGNUP_HANDOFF`, requires `completeHandoff`), else → Path C (`SILENT_LIMITED`, reuses or provisions a LIMITED user). The route requires `connection:write` scope and an `Idempotency-Key` (retries replay the original response verbatim). Rate-limited at 10 req / customer-account / appUserId / minute on top of the standard Platform API buckets.
Resolve the lifecycle state of an SDK app-user coordinate (read-only) GET
Read-only probe used by the SDK's `<CuraeAIAccountProvider>` to decide which onboarding / lifecycle UI to render for the current user. Resolves `(customerAccountId, appUserId)` to one of `UNLINKED`, `LIMITED`, `ACTIVE`, or `TOMBSTONED` without minting a `CuraeConnectSession` row, provisioning a LIMITED user, emitting any outbox event, or counting against the per-coordinate `/initiate` rate-limit bucket. Supports RFC 7232 conditional GET — pass the previously-received ETag in `If-None-Match` to receive a `304 Not Modified` when the state has not moved. Designed for high-frequency polling (every page mount, every browser tab visibility-change).