> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neoagent.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Mint an end-user session token

> Mints a short-lived JWT bound to one chat `session_id`. The Teams relay (or any future end-user-facing channel) attaches it as `Authorization: Bearer <token>` on subsequent `/chat/sessions/<session_id>/*` calls. Only service-account or dashboard callers can mint; the resulting token cannot mint or revoke.
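
The relay-side flow the description above specifies (mint with the service-account key, then attach the minted token as `Authorization: Bearer` on `/chat/sessions/<session_id>/*` calls), as an added example that is not Neo's own SDK or relay code. The endpoint path, the `{data, meta}` and `{error, meta}` envelopes and the header shapes come from this page; the injectable `transport` callable, the `messages` sub-path and the fake server at the bottom are constructed assumptions so the flow runs offline.

```python
"""Mint a session token and use it on the chat endpoints (client side).

Added example, not Neo's own SDK. Paths, headers and the {data, meta} /
{error, meta} envelopes follow the page; the injectable `transport`
callable, the `messages` sub-path and the fake server at the bottom are
constructed assumptions so the flow runs offline.
"""
import json
from dataclasses import dataclass

BASE_URL = "https://api.neoagent.io"


class NeoApiError(Exception):
    """Any non-2xx reply, carrying the error envelope's fields."""
    def __init__(self, status, code, message, request_id=None, retry_after=None):
        super().__init__(f"{status} {code}: {message} (request_id={request_id})")
        self.status, self.code, self.message = status, code, message
        self.request_id, self.retry_after = request_id, retry_after


@dataclass(frozen=True)
class SessionToken:
    token: str
    jti: str
    session_id: str
    expires_at: str


def _unwrap(status, headers, body):
    """Return (data, meta) from the success envelope or raise from the error envelope."""
    payload = json.loads(body) if body else {}
    if 200 <= status < 300:
        return payload["data"], payload["meta"]
    err, meta = payload.get("error", {}), payload.get("meta", {})
    raise NeoApiError(status, err.get("code", "unknown"), err.get("message", ""),
                      meta.get("request_id"), headers.get("Retry-After") if status == 429 else None)


def mint_session_token(transport, api_key, session_id, *, ttl_seconds=None, allowed_agent_ids=(),
                       end_company_id=None, end_user=None, end_user_email=None, client_id=None):
    """POST /public-api/sessions with a service-account key or dashboard JWT as Bearer."""
    body = {"session_id": session_id, "allowed_agent_ids": list(allowed_agent_ids)}
    optional = {"ttl_seconds": ttl_seconds, "end_company_id": end_company_id, "end_user": end_user,
                "end_user_email": end_user_email, "client_id": client_id}
    body.update({k: v for k, v in optional.items() if v is not None})
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    status, rh, rb = transport("POST", f"{BASE_URL}/public-api/sessions", headers, json.dumps(body).encode())
    data, _ = _unwrap(status, rh, rb)
    if data["session_id"] != session_id:  # the token must be bound to the session we asked for
        raise NeoApiError(status, "session_mismatch", f"minted for {data['session_id']}, not {session_id}")
    return SessionToken(data["token"], data["jti"], data["session_id"], data["expires_at"])


def chat_call(transport, tok: SessionToken, method, subpath, body=None):
    """Call /chat/sessions/<session_id>/<subpath> with the minted token as Bearer."""
    url = f"{BASE_URL}/chat/sessions/{tok.session_id}/{subpath.lstrip('/')}"
    headers = {"Authorization": f"Bearer {tok.token}", "Content-Type": "application/json"}
    status, rh, rb = transport(method, url, headers, json.dumps(body).encode() if body is not None else None)
    return _unwrap(status, rh, rb)[0]


# --- constructed fake server (not the real API), just enough to exercise the flow ---
FAKE_KEY = "neo_sk_test_0123456789abcdef"
FAKE_REQUEST_ID = "00000000-0000-4000-8000-000000000001"


def _reply(status, data=None, code=None, message=None):
    payload = ({"data": data, "meta": {"request_id": FAKE_REQUEST_ID, "timings_ms": {}}} if status < 400
               else {"error": {"code": code, "message": message}, "meta": {"request_id": FAKE_REQUEST_ID}})
    return status, {}, json.dumps(payload).encode()


def fake_transport(method, url, headers, body):
    auth = headers.get("Authorization", "")
    if method == "POST" and url.endswith("/public-api/sessions"):
        if auth != f"Bearer {FAKE_KEY}":
            return _reply(401, code="unauthenticated", message="missing or invalid credentials")
        req = json.loads(body)
        if req.get("client_id"):  # the fake caller is a non-platform service account
            return _reply(403, code="forbidden", message="client_id is honored only for platform callers")
        return _reply(200, {"token": f"sess.{req['session_id']}.sig", "jti": "jti-1",
                            "session_id": req["session_id"], "expires_at": "2030-01-01T00:15:00Z"})
    if "/chat/sessions/" in url:
        sid = url.split("/chat/sessions/")[1].split("/")[0]
        if auth != f"Bearer sess.{sid}.sig":  # a token is bound to exactly one session
            return _reply(403, code="forbidden", message="token not valid for this session")
        return _reply(200, {"accepted": True, "session_id": sid})
    return _reply(404, code="not_found", message="no such route")


def demo(transport=fake_transport):
    """Mint for session s-42, then post one message with the minted token."""
    tok = mint_session_token(transport, FAKE_KEY, "s-42", ttl_seconds=900, end_user_email="alice@example.com")
    return tok, chat_call(transport, tok, "POST", "messages", {"text": "hello"})


if __name__ == "__main__":
    token, reply = demo()
    print(token.jti, token.expires_at, reply)
```

The service-account key never leaves the relay: only the short-lived session token is handed to the channel, and `chat_call` derives the URL from the token's own `session_id`, so a token can never be attached to a different session's path by accident. Swap `fake_transport` for a thin wrapper over your HTTP client to talk to the real API.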

A **platform** service account may pass `client_id` to mint for another tenant, but only when `session_id` is that tenant's Neo Support session (otherwise 403); any non-platform caller passing `client_id` is rejected with 403.

When the session is scoped to an end-company (white-label sessions are scoped at creation), the minted `end_company_id` claim is taken from the session itself; a caller-supplied value never widens or changes the session's scope.
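
The three rules above (who may mint, when `client_id` is honored, how `end_company_id` is derived) written out as one pure decision function, with a small table of the documented cases. This is an added illustration, not Neo's server code: the `Caller` and `Session` shapes, the `neo_support` session kind, the 403 for a foreign session without `client_id`, and the handling of a session that carries no end-company scope are assumptions.

```python
"""Reference model of the page's mint-authorization rules (server side).

Added example, not Neo's server code: it encodes the three documented rules
(who may mint, when client_id is honored, how end_company_id is derived) as a
pure function so an integrator can predict which requests get 403 and which
claims land in the token. Caller/Session shapes, the "neo_support" session
kind and the behaviour for an unscoped session are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Caller:
    kind: str               # "service_account" | "dashboard_user" | "session_token"
    tenant_id: str
    platform: bool = False  # True only for a platform service account


@dataclass(frozen=True)
class Session:
    session_id: str
    tenant_id: str
    kind: str                             # "neo_support" | "white_label" | "other" (constructed)
    end_company_id: Optional[str] = None  # set at create for white-label sessions


class Forbidden(Exception):
    """Maps to HTTP 403."""


def authorize_mint(caller: Caller, session: Session, *, client_id: Optional[str] = None,
                   end_company_id: Optional[str] = None) -> dict:
    """Return the claims that would be minted for this request, or raise Forbidden."""
    # Rule 1: only service-account or dashboard callers can mint; a minted token cannot.
    if caller.kind not in ("service_account", "dashboard_user"):
        raise Forbidden("session tokens cannot mint")

    # Rule 2: client_id is honored only for a platform service account, and only
    # when session_id is that tenant's Neo Support session.
    target_tenant = caller.tenant_id
    if client_id is not None:
        if not (caller.kind == "service_account" and caller.platform):
            raise Forbidden("client_id is honored only for a platform service account")
        if session.tenant_id != client_id or session.kind != "neo_support":
            raise Forbidden("client_id requires the target tenant's Neo Support session")
        target_tenant = client_id

    # Assumption: a session belonging to another tenant (no valid client_id) is refused;
    # the page does not say whether the real API answers 403 or 404 here.
    if session.tenant_id != target_tenant:
        raise Forbidden("session belongs to another tenant")

    claims = {"session_id": session.session_id, "tenant_id": target_tenant}
    # Rule 3: the session's own scope wins; a caller-supplied value never widens or
    # changes it. Assumption: a session with no scope accepts the caller's value.
    if session.end_company_id is not None:
        claims["end_company_id"] = session.end_company_id
    elif end_company_id is not None:
        claims["end_company_id"] = end_company_id
    return claims


# Constructed fixtures for the decision table below.
PLATFORM_SA = Caller("service_account", "neo", platform=True)
TENANT_SA = Caller("service_account", "msp-a")
END_USER = Caller("session_token", "msp-a")
SUPPORT_B = Session("s-support-b", "msp-b", "neo_support")
WHITE_LABEL_A = Session("s-wl-a", "msp-a", "white_label", end_company_id="ec-1")


def decision_table():
    """Run the documented cases and report the minted claims or the 403 reason."""
    cases = {
        "platform SA, client_id, support session of that tenant":
            (PLATFORM_SA, SUPPORT_B, {"client_id": "msp-b"}),
        "platform SA, client_id, non-support session of that tenant":
            (PLATFORM_SA, WHITE_LABEL_A, {"client_id": "msp-a"}),
        "tenant SA passes client_id":
            (TENANT_SA, WHITE_LABEL_A, {"client_id": "msp-a"}),
        "tenant SA tries to widen end_company_id":
            (TENANT_SA, WHITE_LABEL_A, {"end_company_id": "ec-999"}),
        "minted session token tries to mint":
            (END_USER, WHITE_LABEL_A, {}),
    }
    out = {}
    for name, (caller, session, kwargs) in cases.items():
        try:
            out[name] = authorize_mint(caller, session, **kwargs)
        except Forbidden as e:
            out[name] = f"403: {e}"
    return out


if __name__ == "__main__":
    for name, result in decision_table().items():
        print(f"{name:60s} -> {result}")
```

The point to take from the table: `end_company_id` in the request body is a hint at best. Whatever the caller sends, a white-label session's token carries the end-company the session was created with, so a compromised relay key cannot be used to mint a broader-scoped token for an existing session.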

## OpenAPI

````yaml https://api.neoagent.io/public-api/openapi.json post /public-api/sessions
openapi: 3.1.0
info:
  description: >-
    Neo's public contract for the dashboard ChatAgent, partner integrations, and
    MSP automation. Every response is wrapped in a `{data, meta}` envelope;
    errors use `{error: {code, message, details?}, meta: {request_id}}`.
    Authenticate with a `Bearer neo_sk_<env>_<secret>` API key (service account)
    or a Microsoft Entra ID JWT (dashboard user). Signed-URL endpoints (end-user
    feedback links) take a `signature` query parameter instead.
  title: Neo Public API
  version: 1.0.0
servers:
  - url: https://api.neoagent.io
security: []
tags:
  - description: Service metadata — health, OpenAPI.
    name: Meta
  - description: Agents and workflows — read, version history, delete, stats.
    name: Agents
  - description: Agent/workflow execution history, sub-resources, retry/cancel.
    name: Executions
  - description: PSA webhook events and their workflow-match results.
    name: Callbacks
  - description: Technician-in-the-loop approval requests.
    name: TIL requests
  - description: RMM script executions triggered by agents.
    name: RMM scripts
  - description: Dispatch-agent field-update decisions.
    name: Dispatch
  - description: The authenticated tenant.
    name: Tenant
  - description: Agent-builder schema catalogs (raw JSON payloads).
    name: Schemas
  - description: Escalate to the Neo team (HubSpot ticket).
    name: Escalation
  - description: Tenant settings.
    name: Settings
  - description: Tenant API-key management (dashboard JWT only).
    name: API keys
  - description: End-user feedback links (signed-URL auth).
    name: Feedback
  - description: End-client companies (CRUD + bulk-update).
    name: End companies
  - description: Channels — bind a CONVERSATIONAL agent to a transport (Teams).
    name: Channels
  - description: PSA/RMM/M365 integration status and connection management.
    name: Integrations
  - description: Technician roster (controls TIL routing and paging).
    name: Technicians
  - description: Future runs queued for TRIGGERED agents.
    name: Scheduled work
  - description: Subscription state and customer-facing credit usage (no provider $).
    name: Billing
  - description: Inbox messages and announcements.
    name: Inbox & Comms
  - description: Tenant-authored agent skills (CRUD) and the built-in skill catalog.
    name: Skills
paths:
  /public-api/sessions:
    post:
      tags:
        - Chat
      summary: Mint an end-user session token
      description: >-
        Mints a short-lived JWT bound to one chat `session_id`. The Teams relay
        (or any future end-user-facing channel) attaches it as `Authorization:
        Bearer <token>` on subsequent `/chat/sessions/<session_id>/*` calls.
        Only service-account or dashboard callers can mint; the resulting token
        cannot mint or revoke.


        A **platform** service account may pass `client_id` to mint for another
        tenant, but only when `session_id` is that tenant's Neo Support session
        (otherwise 403); any non-platform caller passing `client_id` is rejected
        with 403.


        When the session is scoped to an end-company (white-label sessions are
        scoped at creation), the minted `end_company_id` claim is taken from the
        session itself; a caller-supplied value never widens or changes the
        session's scope.
      operationId: public_api.session_token_mint_post
      parameters: []
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MintSessionTokenRequest'
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                properties:
                  data:
                    $ref: '#/components/schemas/MintSessionTokenResponse'
                  meta:
                    $ref: '#/components/schemas/SuccessMeta'
                required:
                  - data
                  - meta
                type: object
          description: Success.
        '400':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Bad request — malformed input.
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Unauthenticated — missing or invalid credentials.
        '403':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Forbidden — authenticated but not allowed.
        '404':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Not found.
        '409':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Conflict — the resource is in a state that blocks this operation.
        '422':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Request validation failed.
        '429':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Rate limited — see Retry-After.
        '500':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorEnvelope'
          description: Internal server error.
      security:
        - bearerAuth: []
components:
  schemas:
    MintSessionTokenRequest:
      properties:
        allowed_agent_ids:
          default: []
          items:
            type: integer
          title: Allowed Agent Ids
          type: array
        client_id:
          anyOf:
            - type: string
            - type: 'null'
          default: null
          description: >-
            Target tenant to mint the token for. Honored only for a platform
            service account, and only when `session_id` is that tenant's Neo
            Support session (otherwise 403); any other caller passing it gets
            403. Omit to mint for the caller's own tenant.
          title: Client Id
        end_company_id:
          anyOf:
            - type: string
            - type: 'null'
          default: null
          description: >-
            End-company scope for the token. When the session is already
            scoped to an end-company (white-label sessions are scoped at
            creation), the minted claim is taken from the session and this
            value cannot widen or change that scope.
          title: End Company Id
        end_user:
          anyOf:
            - type: string
            - type: 'null'
          default: null
          title: End User
        end_user_email:
          anyOf:
            - type: string
            - type: 'null'
          default: null
          title: End User Email
        session_id:
          title: Session Id
          type: string
        ttl_seconds:
          anyOf:
            - type: integer
            - type: 'null'
          default: null
          title: Ttl Seconds
      required:
        - session_id
      title: MintSessionTokenRequest
      type: object
    MintSessionTokenResponse:
      properties:
        expires_at:
          format: date-time
          title: Expires At
          type: string
        jti:
          title: Jti
          type: string
        session_id:
          title: Session Id
          type: string
        token:
          title: Token
          type: string
      required:
        - token
        - jti
        - session_id
        - expires_at
      title: MintSessionTokenResponse
      type: object
    SuccessMeta:
      properties:
        pagination:
          $ref: '#/components/schemas/Pagination'
        request_id:
          format: uuid
          type: string
        timings_ms:
          additionalProperties:
            type: number
          type: object
        warnings:
          description: >-
            Non-fatal warnings about the created/updated resource (e.g. an
            unhealthy PSA callback).
          items:
            type: string
          type: array
      required:
        - request_id
        - timings_ms
      type: object
    ErrorEnvelope:
      properties:
        error:
          properties:
            code:
              description: Stable machine-readable error code.
              type: string
            details:
              additionalProperties: true
              type: object
            message:
              type: string
          required:
            - code
            - message
          type: object
        meta:
          properties:
            request_id:
              format: uuid
              type:
                - string
                - 'null'
          type: object
      required:
        - error
        - meta
      type: object
    Pagination:
      properties:
        has_more:
          type: boolean
        next_cursor:
          type:
            - string
            - 'null'
      required:
        - next_cursor
        - has_more
      type: object
  securitySchemes:
    bearerAuth:
      description: >-
        `Authorization: Bearer <token>` where `<token>` is either a
        `neo_sk_<env>_<secret>` API key (service account) or a Microsoft Entra
        ID access token (dashboard user).
      scheme: bearer
      type: http

````