POST /v1/app-gateway/{appId}/session
Mints a per-user app token for the signed-in viewer opening a login-required deep-agent artifact. The request is authenticated as the b3 user; the viewer's id and active org come from the auth context, not the request body. The server resolves the artifact's org from the :appId (the deep-agent run id), verifies that the workflow belongs to that org and that the viewer is acting within it, then signs a token carrying the viewer's id.

Path Parameters

appId string required path
Deep-agent run id (app id)

Request Body required

Viewer token mint params

application/json
One of:
Option 1
Option 2
workflowId string

Responses

200 OK
application/json
exp string
token string
401 Unauthorized
403 Forbidden
404 Not Found
curl -X POST 'https://api.example.com/v1/app-gateway/string/session' \
  -H 'Authorization: Bearer YOUR_API_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{}'

const response = await fetch('https://api.example.com/v1/app-gateway/string/session', {
  method: 'POST',
  headers: {
    "Authorization": "Bearer YOUR_API_TOKEN",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({})
});
const data = await response.json();
console.log(data);

import requests
headers = {
    'Authorization': 'Bearer YOUR_API_TOKEN'
}
response = requests.post('https://api.example.com/v1/app-gateway/string/session', headers=headers, json={})
print(response.json())

package main
import (
	"fmt"
	"io"
	"log"
	"net/http"
	"strings"
)
func main() {
	body := strings.NewReader(`{}`)
	req, err := http.NewRequest("POST", "https://api.example.com/v1/app-gateway/string/session", body)
	if err != nil {
		log.Fatal(err)
	}
	req.Header.Set("Authorization", "Bearer YOUR_API_TOKEN")
	req.Header.Set("Content-Type", "application/json")
	// Check the error before touching resp: resp is nil when the request fails.
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err)
	}
	defer resp.Body.Close()
	result, err := io.ReadAll(resp.Body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(string(result))
}

200 Response
{
  "exp": "<string>",
  "token": "<string>"
}
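
The authorization flow described at the top of this page, sketched as an added example (not the service's own code). Assumptions: the HMAC-signed token format, the in-memory lookup tables and their ids, `exp` as an epoch-seconds string, and which failed check maps to 401, 403 or 404.

```python
import base64, hashlib, hmac, json, time

SIGNING_KEY = b"constructed-demo-key"               # assumption: server-held HMAC key
RUN_ORG = {"run_123": "org_a"}                      # constructed: run id (appId) -> owning org
WORKFLOW_ORG = {"wf_1": "org_a", "wf_9": "org_b"}   # constructed: workflow -> org

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(payload):
    return _b64(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())

def sign(claims):
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + _mac(payload)

def verify(token, now=None):
    """Return the claims if the MAC is valid and the token is unexpired, else None."""
    payload, sep, mac = token.partition(".")
    if not sep or not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims["exp"] > (now or time.time()) else None

def mint_session(auth_ctx, app_id, body, ttl=300, now=None):
    """auth_ctx: authenticated caller or None; body: untrusted request JSON."""
    if auth_ctx is None:
        return 401, {}
    org = RUN_ORG.get(app_id)            # org resolved from the path id, never from the body
    if org is None:
        return 404, {}
    wf = body.get("workflowId")
    if wf is not None and WORKFLOW_ORG.get(wf) != org:
        return 404, {}                   # workflow is not in the artifact's org
    if auth_ctx["active_org"] != org:
        return 403, {}                   # viewer is not acting within that org
    exp = int(now or time.time()) + ttl
    claims = {"sub": auth_ctx["user_id"], "org": org, "app": app_id, "exp": exp}
    return 200, {"token": sign(claims), "exp": str(exp)}
```

Identity fields placed in the body (for example a `userId` or `orgId`) are never read, so a caller cannot mint a token for another viewer or org by editing the JSON.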