# Auth Subgraph Reference

> Technical reference for the su-auth subgraph providing authentication and authorization.

The `su-auth` subgraph provides authentication, authorization, and session management capabilities.

## Subgraph Information

* **Name**: `su-auth`
* **Routing URL**: `https://xu558bs6wi.execute-api.us-west-2.amazonaws.com/poc/graphql`
* **Last Updated**: 2025-08-15
* **SDL**: [View Schema](../schemas/sdl/su-auth.graphql)

## Overview

This subgraph owns:

* User authentication (sign in/out)
* Session management
* Multi-factor authentication (MFA)
* API key generation
* AWS credentials provisioning
* Device management

## Root Query Fields

```graphql
extend type Query {
  session: AuthSession
  credentials(group: String): AuthCredentials
  config: Config
  signWorkatoJwtToken(customerVendorOrigin: String): String
}
```

## Root Mutation Fields

```graphql
extend type Mutation {
  signIn(input: AuthSignInInput!): AuthMutationResult!
  signOut: AuthMutationResult
  globalSignOut: AuthMutationResult
  forgotPassword(input: AuthForgotPasswordInput): AuthMutationResult
  forgotPasswordSubmit(input: AuthForgotPasswordSubmitInput): AuthMutationResult
  completeNewPassword(input: AuthCompleteNewPasswordInput): AuthMutationResult!
  federatedSignIn(input: AuthFederatedSignInInput!): AuthMutationResult
  confirmSignIn(input: AuthConfirmSignInInput): AuthConfirmSignInResult!
  setupTOTP: AuthTOTPMutationResult!
  verifyTOTPToken(input: AuthVerifyTOTPTokenInput): AuthMutationResult
  setSessionUserGroup(input: AuthSetSessionUserGroupInput): AuthMutationResult
  createAPIKey(input: AuthCreateAPIKeyInput!): AuthAPIKeyResult!
  reauthenticate(input: ReauthenticationInput!): AuthMutationResult!
  forgetDevices(input: AuthForgetSpecificDevicesInput): AuthMutationResult
  completeAuthChallenge(input: CompleteAuthChallengeInput!): CompleteAuthChallengeResult!
  generateSMSCode: AuthMutationResult
  verifySMSCode(input: AuthVerifySMSCodeInput): AuthMutationResult
}
```

## Core Types

### AuthSession

Current authentication session information.

```graphql
type AuthSession @key(fields: "username") {
  username: ID!
  preferredMFA: AuthMFAType
  attributes: AuthAttributes
  challengeName: AuthChallengeType
  authenticated: Boolean!
  audit: Audit!
  expiresAt: DateTime!
  expiresAtHard: DateTime!
  userGroup: ID!
  publicReference: ID!
  lastAuthenticatedAt: DateTime
}
```

### AuthCredentials

Temporary AWS credentials for accessing AWS services.

```graphql
type AuthCredentials {
  accessKeyId: String!
  secretAccessKey: String!
  sessionToken: String!
  expiration: DateTime!
}
```
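
The following is an added example, not code from the SensorUp documentation or project: a client-side handler for a `credentials` query response that validates the `AuthCredentials` fields, flags credentials close to `expiration` for refresh, and builds a log-safe copy with the secret fields redacted. It assumes the standard GraphQL `data`/`errors` response envelope and ISO 8601 `DateTime` values; the function names, the five-minute margin, and the sample values are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# Fields AuthCredentials declares as non-null (String!/DateTime!) in the schema.
REQUIRED = ("accessKeyId", "secretAccessKey", "sessionToken", "expiration")
SECRET_FIELDS = ("secretAccessKey", "sessionToken")


def parse_credentials(response_text, now=None, min_remaining=timedelta(minutes=5)):
    """Validate a `credentials` query response; return (creds, needs_refresh)."""
    body = json.loads(response_text)
    if body.get("errors"):
        raise ValueError("GraphQL errors returned; not using credentials")
    creds = (body.get("data") or {}).get("credentials")
    if creds is None:
        raise ValueError("credentials is null (the field is nullable in the schema)")
    missing = [f for f in REQUIRED if not creds.get(f)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Assumption: DateTime is serialized as ISO 8601; a naive value is treated as UTC.
    expires = datetime.fromisoformat(creds["expiration"].replace("Z", "+00:00"))
    if expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if expires <= now:
        raise ValueError("credentials already expired")
    return dict(creds, expiration=expires), (expires - now) < min_remaining


def redact(creds):
    """Return a copy safe for logs: secrets replaced, key id shortened."""
    safe = dict(creds)
    for f in SECRET_FIELDS:
        safe[f] = "<redacted>"
    safe["accessKeyId"] = creds["accessKeyId"][:4] + "..."
    safe["expiration"] = creds["expiration"].isoformat()
    return safe


# Constructed sample response (placeholder values, not real keys).
SAMPLE = json.dumps({"data": {"credentials": {
    "accessKeyId": "ASIAEXAMPLEKEYID0000",
    "secretAccessKey": "constructed-secret-value",
    "sessionToken": "constructed-session-token",
    "expiration": "2025-08-15T12:00:00Z",
}}})

if __name__ == "__main__":
    fixed_now = datetime(2025, 8, 15, 11, 57, tzinfo=timezone.utc)
    creds, refresh = parse_credentials(SAMPLE, now=fixed_now)
    print(json.dumps(redact(creds)), "needs_refresh:", refresh)
```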

### AuthDevice

Registered device information.

```graphql
type AuthDevice {
  deviceKey: ID!
  name: String
  remembered: Boolean
  createdAt: DateTime
  modifiedAt: DateTime
  lastSignedInAt: DateTime
  lastIpAddress: String
}
```

## Entity Extensions

### User

Extends the `User` type from `su-user` with device information.

```graphql
type User @key(fields: "id") @extends {
  id: ID! @external
  devices: [AuthDevice!]
}
```

## Related Resources

* **[Authentication Guide](../authentication)** - Authentication workflows and examples
* **[Quickstart Guide](../quickstart)** - Getting started with auth
* **[Full SDL Schema](../schemas/sdl/su-auth.graphql)** - Complete type definitions
