Streaming chat with the FOIA Expert Agent (SSE)

Send a message and receive Server-Sent Events as the agent processes. Identical functionality to /api/agent/chat but streams text incrementally for real-time UI rendering.

SSE Event Types:

text_delta — Streaming text chunk: {"type":"text_delta","text":"..."}
tool_call — Tool invocation: {"type":"tool_call","tool":"analyze_jurisdiction"}
tools_used — Summary after completion: {"type":"tools_used","tools":[...]}
usage — Token counts: {"type":"usage","input_tokens":1234,"output_tokens":567}
error — Error event: {"type":"error","message":"..."}
[DONE] — Stream terminator

Connection: Returns text/event-stream with Cache-Control: no-cache.

Example stream:

data: {"type":"tool_call","tool":"semantic_search"}
data: {"type":"tool_call","tool":"analyze_jurisdiction"}
data: {"type":"text_delta","text":"In Texas, body cam footage is governed by"}
data: {"type":"text_delta","text":" § 552.108 of the Public Information Act."}
data: {"type":"tools_used","tools":["semantic_search","analyze_jurisdiction"]}
data: {"type":"usage","input_tokens":4521,"output_tokens":892}
data: [DONE]

Send a message and receive Server-Sent Events as the agent processes. Identical functionality to `/api/agent/chat` but streams text incrementally for real-time UI rendering. **SSE Event Types**: - `text_delta` — Streaming text chunk: `{"type":"text_delta","text":"..."}` - `tool_call` — Tool invocation: `{"type":"tool_call","tool":"analyze_jurisdiction"}` - `tools_used` — Summary after completion: `{"type":"tools_used","tools":[...]}` - `usage` — Token counts: `{"type":"usage","input_tokens":1234,"output_tokens":567}` - `error` — Error event: `{"type":"error","message":"..."}` - `[DONE]` — Stream terminator **Connection**: Returns `text/event-stream` with `Cache-Control: no-cache`. **Example stream**: ``` data: {"type":"tool_call","tool":"semantic_search"} data: {"type":"tool_call","tool":"analyze_jurisdiction"} data: {"type":"text_delta","text":"In Texas, body cam footage is governed by"} data: {"type":"text_delta","text":" § 552.108 of the Public Information Act."} data: {"type":"tools_used","tools":["semantic_search","analyze_jurisdiction"]} data: {"type":"usage","input_tokens":4521,"output_tokens":892} data: [DONE] ```

Authentication

AuthorizationBearer

Auth0 JWT Bearer Token Authentication

All protected endpoints require a valid JWT token issued by Auth0.

Auth0 Configuration

Tenant: dev-4fszoklachwdh46m.us.auth0.com
Issuer: https://dev-4fszoklachwdh46m.us.auth0.com/
Audience: https://api.theholefoundation.org
Algorithm: RS256 (RSA Signature with SHA-256)
JWKS URI: https://dev-4fszoklachwdh46m.us.auth0.com/.well-known/jwks.json

Getting a Token

For End Users (Web Application):

Login: https://theholetruth.org/api/auth
Uses Auth0 Universal Login
Returns JWT in response after successful authentication

For M2M (Service-to-Service):

$ curl --request POST \
>   --url https://dev-4fszoklachwdh46m.us.auth0.com/oauth/token \
>   --header 'content-type: application/json' \
>   --data '{
>     "client_id": "YOUR_M2M_CLIENT_ID",
>     "client_secret": "YOUR_M2M_CLIENT_SECRET",
>     "audience": "https://api.theholefoundation.org",
>     "grant_type": "client_credentials"
>   }'

Using the Token

Include the JWT in the Authorization header of all API requests:

Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

Implementation Guide (Backend)

Step 1: Fetch JWKS from Auth0

1 const jwksClient = require('jwks-rsa');
2 const client = jwksClient({
3   jwksUri: 'https://dev-4fszoklachwdh46m.us.auth0.com/.well-known/jwks.json'
4 });

Step 2: Validate JWT

1 const jwt = require('jsonwebtoken');
2 
3 function validateAuth0Token(token) {
4   return jwt.verify(token, getKey, {
5     audience: 'https://api.theholefoundation.org',
6     issuer: 'https://dev-4fszoklachwdh46m.us.auth0.com/',
7     algorithms: ['RS256']
8   });
9 }

Step 3: Extract User ID

1 const decoded = validateAuth0Token(token);
2 const userId = decoded.sub;  // e.g., "auth0|507f1f77bcf86cd799439011"

Step 4: Check Permissions

1 const scopes = decoded.scope.split(' ');
2 if (!scopes.includes('read:transparency')) {
3   throw new Error('Insufficient permissions');
4 }

Token Claims

Every Auth0 JWT contains these claims:

1 {
2   "sub": "auth0|507f1f77bcf86cd799439011",  // User ID (use this as primary key)
3   "email": "user@example.com",
4   "email_verified": true,
5   "name": "John Doe",
6   "iss": "https://dev-4fszoklachwdh46m.us.auth0.com/",
7   "aud": "https://api.theholefoundation.org",
8   "iat": 1516239022,                        // Issued at (Unix timestamp)
9   "exp": 1516242622,                        // Expires at (Unix timestamp)
10   "azp": "YOUR_CLIENT_ID",                  // Authorized party
11   "scope": "read:transparency write:foia"   // Permissions
12 }

Required Scopes by Endpoint Category

Vector Search: read:transparency
Transparency: read:transparency
FOIA Dashboard: read:foia, write:foia
Chat: chat:assistant
LaTeX Compilation: compile:documents
Neon Database: read:database (admin: admin:database)
Integration Workflows: execute:workflows
S3 Storage: read:storage, write:storage
Vector Store: read:vectors, write:vectors (admin: admin:vectors)
Project API: read:projects, write:projects

Error Responses

401 Unauthorized - Missing or invalid token:

1 {
2   "error": {
3     "code": "AUTH_MISSING_TOKEN",
4     "message": "Authentication token is required",
5     "status": 401
6   }
7 }

401 Unauthorized - Expired token:

1 {
2   "error": {
3     "code": "AUTH_TOKEN_EXPIRED",
4     "message": "Token has expired",
5     "status": 401
6   }
7 }

403 Forbidden - Insufficient permissions:

1 {
2   "error": {
3     "code": "AUTH_INSUFFICIENT_SCOPE",
4     "message": "Token does not have required scope",
5     "status": 403,
6     "metadata": {
7       "required_scope": "write:foia",
8       "provided_scopes": ["read:foia"]
9     }
10   }
11 }

Security Best Practices

Always validate the JWT signature using Auth0’s JWKS
Verify the iss claim matches Auth0 tenant
Verify the aud claim matches your API identifier
Check the exp claim to reject expired tokens
Extract user ID from sub claim for resource scoping
Validate scopes before granting access to protected resources
Use HTTPS only for all API communication
Never log or expose JWT tokens in plaintext
Implement rate limiting per sub claim to prevent abuse
Audit all access with Auth0 user ID for compliance

Neon + BetterAuth Integration

BetterAuth (Neon’s authentication layer) uses Auth0 as the JWT provider:

Auth0 issues all JWT tokens
BetterAuth validates tokens against Auth0’s JWKS
User sessions stored in Neon PostgreSQL
Row-Level Security (RLS) uses auth.user_id() function
RLS policies extract user ID from Auth0 sub claim

Example RLS Policy:

1 CREATE POLICY foia_requests_user_isolation ON foia_requests
2   USING (user_id = auth.user_id());

SDK Integration

All generated SDKs include Auth0 authentication helpers:

TypeScript SDK:

1 import { HoleFoundationClient } from '@hole-foundation/api';
2 
3 const client = new HoleFoundationClient({
4   token: 'YOUR_AUTH0_JWT_TOKEN'
5 });

Python SDK:

1 from theholetruth import HoleFoundationClient
2 
3 client = HoleFoundationClient(
4   token="YOUR_AUTH0_JWT_TOKEN"
5 )

Need Help?

Auth0 Documentation: Contact api@theholefoundation.org
M2M Credentials: Contact api@theholefoundation.org
Permission Issues: Check your Auth0 user roles and scopes
Token Expiration: Implement token refresh flow in your application

**Auth0 JWT Bearer Token Authentication** All protected endpoints require a valid JWT token issued by Auth0. ## Auth0 Configuration - **Tenant**: `dev-4fszoklachwdh46m.us.auth0.com` - **Issuer**: `https://dev-4fszoklachwdh46m.us.auth0.com/` - **Audience**: `https://api.theholefoundation.org` - **Algorithm**: RS256 (RSA Signature with SHA-256) - **JWKS URI**: `https://dev-4fszoklachwdh46m.us.auth0.com/.well-known/jwks.json` ## Getting a Token **For End Users (Web Application)**: - Login: https://theholetruth.org/api/auth - Uses Auth0 Universal Login - Returns JWT in response after successful authentication **For M2M (Service-to-Service)**: ```bash curl --request POST \ --url https://dev-4fszoklachwdh46m.us.auth0.com/oauth/token \ --header 'content-type: application/json' \ --data '{ "client_id": "YOUR_M2M_CLIENT_ID", "client_secret": "YOUR_M2M_CLIENT_SECRET", "audience": "https://api.theholefoundation.org", "grant_type": "client_credentials" }' ``` ## Using the Token Include the JWT in the `Authorization` header of all API requests: ``` Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9... ``` ## Implementation Guide (Backend) **Step 1: Fetch JWKS from Auth0** ```javascript const jwksClient = require('jwks-rsa'); const client = jwksClient({ jwksUri: 'https://dev-4fszoklachwdh46m.us.auth0.com/.well-known/jwks.json' }); ``` **Step 2: Validate JWT** ```javascript const jwt = require('jsonwebtoken'); function validateAuth0Token(token) { return jwt.verify(token, getKey, { audience: 'https://api.theholefoundation.org', issuer: 'https://dev-4fszoklachwdh46m.us.auth0.com/', algorithms: ['RS256'] }); } ``` **Step 3: Extract User ID** ```javascript const decoded = validateAuth0Token(token); const userId = decoded.sub; // e.g., "auth0|507f1f77bcf86cd799439011" ``` **Step 4: Check Permissions** ```javascript const scopes = decoded.scope.split(' '); if (!scopes.includes('read:transparency')) { throw new Error('Insufficient permissions'); } ``` ## Token Claims Every Auth0 JWT contains these claims: ```json { "sub": "auth0|507f1f77bcf86cd799439011", // User ID (use this as primary key) "email": "user@example.com", "email_verified": true, "name": "John Doe", "iss": "https://dev-4fszoklachwdh46m.us.auth0.com/", "aud": "https://api.theholefoundation.org", "iat": 1516239022, // Issued at (Unix timestamp) "exp": 1516242622, // Expires at (Unix timestamp) "azp": "YOUR_CLIENT_ID", // Authorized party "scope": "read:transparency write:foia" // Permissions } ``` ## Required Scopes by Endpoint Category - **Vector Search**: `read:transparency` - **Transparency**: `read:transparency` - **FOIA Dashboard**: `read:foia`, `write:foia` - **Chat**: `chat:assistant` - **LaTeX Compilation**: `compile:documents` - **Neon Database**: `read:database` (admin: `admin:database`) - **Integration Workflows**: `execute:workflows` - **S3 Storage**: `read:storage`, `write:storage` - **Vector Store**: `read:vectors`, `write:vectors` (admin: `admin:vectors`) - **Project API**: `read:projects`, `write:projects` ## Error Responses **401 Unauthorized** - Missing or invalid token: ```json { "error": { "code": "AUTH_MISSING_TOKEN", "message": "Authentication token is required", "status": 401 } } ``` **401 Unauthorized** - Expired token: ```json { "error": { "code": "AUTH_TOKEN_EXPIRED", "message": "Token has expired", "status": 401 } } ``` **403 Forbidden** - Insufficient permissions: ```json { "error": { "code": "AUTH_INSUFFICIENT_SCOPE", "message": "Token does not have required scope", "status": 403, "metadata": { "required_scope": "write:foia", "provided_scopes": ["read:foia"] } } } ``` ## Security Best Practices 1. **Always validate the JWT signature** using Auth0's JWKS 2. **Verify the `iss` claim** matches Auth0 tenant 3. **Verify the `aud` claim** matches your API identifier 4. **Check the `exp` claim** to reject expired tokens 5. **Extract user ID from `sub` claim** for resource scoping 6. **Validate scopes** before granting access to protected resources 7. **Use HTTPS only** for all API communication 8. **Never log or expose** JWT tokens in plaintext 9. **Implement rate limiting** per `sub` claim to prevent abuse 10. **Audit all access** with Auth0 user ID for compliance ## Neon + BetterAuth Integration BetterAuth (Neon's authentication layer) uses Auth0 as the JWT provider: - Auth0 issues all JWT tokens - BetterAuth validates tokens against Auth0's JWKS - User sessions stored in Neon PostgreSQL - Row-Level Security (RLS) uses `auth.user_id()` function - RLS policies extract user ID from Auth0 `sub` claim **Example RLS Policy**: ```sql CREATE POLICY foia_requests_user_isolation ON foia_requests USING (user_id = auth.user_id()); ``` ## SDK Integration All generated SDKs include Auth0 authentication helpers: **TypeScript SDK**: ```typescript import { HoleFoundationClient } from '@hole-foundation/api'; const client = new HoleFoundationClient({ token: 'YOUR_AUTH0_JWT_TOKEN' }); ``` **Python SDK**: ```python from theholetruth import HoleFoundationClient client = HoleFoundationClient( token="YOUR_AUTH0_JWT_TOKEN" ) ``` ## Need Help? - **Auth0 Documentation**: Contact api@theholefoundation.org - **M2M Credentials**: Contact api@theholefoundation.org - **Permission Issues**: Check your Auth0 user roles and scopes - **Token Expiration**: Implement token refresh flow in your application

Request

This endpoint expects an object.

messagestringRequired1-10000 characters

The user's message to the FOIA Expert Agent

sessionIdstringOptionalformat: "uuid"

Session ID for conversation continuity. Auto-generated if omitted.

historylist of objectsOptional

Previous conversation history for multi-turn sessions

Response

SSE event stream

Errors