Resolved-caller identity + cross-org membership list

GET

/me/session

const url = 'https://your-org.evershell.ai/v1/me/session';
const options = {method: 'GET', headers: {Authorization: 'Bearer <token>'}};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}

curl --request GET \
  --url https://your-org.evershell.ai/v1/me/session \
  --header 'Authorization: Bearer <token>'

Permissions: any signed-in caller.

Returns the WorkOS-authenticated identity for the bearer token, including the caller’s role, permission scopes, and the list of other organizations they belong to.

Authorizations

bearerAuth

Responses

200

application/json

Resolved-caller identity. Two field groups carry the operator-visible “who am I” label, mutually exclusive depending on how the caller authenticated:

User-session callers (browser / SSO): email + role.
API-key callers (evershell login + CI): api_key_label + api_key_permission_set, lifted from the local api_keys mirror row. user_id is the fixed system sentinel and email / role are empty.

object

user_id

required

string

org_id

required

string

email

Populated for user-session callers, empty for API-key callers.

string format: email

role

Populated for user-session callers, empty for API-key callers.

string

Allowed values: owner operator member

permissions

required

Array<string>

memberships

required

Array<object>

object

required

string

org_id

required

string

org_name

required

string

org_slug

required

string

role

required

string

Allowed values: owner operator member

billing_status

required

string

Allowed values: trial active past_due decommissioning churned

decommission_at

Set once an Owner has scheduled the org for decommission; the console reads it to render the wind-down banner deadline.

string format: date-time

trial_ends_at

string format: date-time

accepted_at

Null while the membership is still pending invitation acceptance.

string format: date-time

api_key_label

Operator-visible label set on the API key at creation time. Populated for API-key callers only; absent for user-session callers.

string

api_key_permission_set

Closed-enum permission template the operator picked at create time. Populated for API-key callers only. Documentary — the actual auth gating reads permissions.

string

Allowed values: full_access submit_observe read_only

Example

{
  "user_id": "usr_01HX",
  "org_id": "org_acme",
  "role": "owner",
  "permissions": [
    "workspace:read",
    "workspace:write",
    "tasks:write:own",
    "audit:read"
  ],
  "memberships": [
    {
      "role": "owner",
      "billing_status": "trial"
    }
  ],
  "api_key_label": "ci-deploy",
  "api_key_permission_set": "full_access"
}

401

Missing or invalid credential

application/json

object

error

required

object

code

required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string

message

required

Human-readable summary

string

request_id

required

Server-generated request id for correlating logs

string

details

Optional structured context. Validation errors land at details.fields as a per-field map.

object

key

additional properties

any

Example

{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}