# POST /evie-grant

**Resource:** [Evie (In-App Agent)](./evie.md)  
**Scopes:** _none_  
**Write operation:** yes

Mint an Evie OAuth token for the authenticated user. The caller must supply a Supabase JWT (portal session token) as the Bearer credential. The endpoint verifies workspace membership and returns a `tp_oauth_*` token scoped to the intersection of the client max-scopes and the user role scopes. Idempotent: re-calling revokes any prior Evie token for the same (user, company) pair and issues a fresh one. Store the returned `access_token` in `sessionStorage`; include it as Bearer on all `/agent-chat` calls.

## Parameters

| Name | In | Type | Required | Description |
|------|----|------|----------|-------------|
| `company_id` | body | uuid | yes | Target workspace company ID. Must be a workspace the authenticated user belongs to. |

## Request example

```http
POST /functions/v1/evie-grant
Authorization: Bearer <supabase-jwt>
Content-Type: application/json

{
  "company_id": "ebeff86e-7b09-4e49-96db-f711d69d2d57"
}
```

## Response example

```json
{
  "access_token": "tp_oauth_a1b2c3d4e5f6...",
  "token_type": "Bearer",
  "scope": "contacts:read opportunities:read tasks:write ...",
  "scope_count": 47
}
```

## Notes

- This endpoint requires `verify_jwt=true` - the caller must supply a valid Supabase JWT, not a `tp_live_*` API key.
- The returned `tp_oauth_*` token is scoped via intersection: (`evie_in_app` client max-scopes) AND (user role scopes). Admins get a broader set than viewers.
- Destructive actions (delete, certain writes) may require approval-tier scopes and route through the approval queue at `/settings/api?tab=approvals`.
- The `evie_in_app` OAuth client is bootstrapped automatically on first grant call - no pre-configuration required.
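
A client-side sketch of the flow described above, added here as an example and not taken from the TrustPager code base: it rejects the wrong credential type before sending, validates the grant response, and keeps the two tokens apart. The `origin` argument, the `STORAGE_KEY` name and all function names are assumptions; the path, header and JSON field names are the ones shown on this page.

```javascript
// Added example (not TrustPager code). STORAGE_KEY and `origin` are assumptions;
// the path, header and JSON field names are the ones shown on this page.
const STORAGE_KEY = "evie_access_token"; // hypothetical key name
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Build the POST /functions/v1/evie-grant request. Throws before any network
// traffic if the credential is an API key or company_id is not a UUID.
function buildGrantRequest(origin, supabaseJwt, companyId) {
  if (typeof supabaseJwt !== "string" || supabaseJwt.startsWith("tp_live_") ||
      supabaseJwt.split(".").length !== 3) {
    throw new Error("evie-grant needs a Supabase session JWT, not an API key");
  }
  if (!UUID_RE.test(companyId)) throw new Error("company_id must be a UUID");
  return {
    url: `${origin}/functions/v1/evie-grant`,
    init: {
      method: "POST",
      headers: { Authorization: `Bearer ${supabaseJwt}`, "Content-Type": "application/json" },
      body: JSON.stringify({ company_id: companyId }),
    },
  };
}

// Validate the grant response, keep the token in the supplied (tab-scoped)
// storage, and return the granted scopes so the UI can hide unavailable actions.
function acceptGrant(body, storage) {
  if (!body || body.token_type !== "Bearer" || typeof body.access_token !== "string" ||
      !body.access_token.startsWith("tp_oauth_")) {
    throw new Error("unexpected grant response");
  }
  storage.setItem(STORAGE_KEY, body.access_token);
  return String(body.scope || "").split(/\s+/).filter(Boolean);
}

// Glue: fetchImpl and storage are injected so the flow can be exercised offline.
async function grantEvieToken(fetchImpl, storage, origin, supabaseJwt, companyId) {
  const { url, init } = buildGrantRequest(origin, supabaseJwt, companyId);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`evie-grant failed: HTTP ${res.status}`);
  return acceptGrant(await res.json(), storage);
}

// Header for /agent-chat calls: the tp_oauth_* token, never the Supabase JWT.
function agentChatAuth(storage) {
  const token = storage.getItem(STORAGE_KEY);
  if (!token) throw new Error("no Evie token: call grantEvieToken first");
  return { Authorization: `Bearer ${token}` };
}
```

In the browser, pass `fetch` and `sessionStorage` as `fetchImpl` and `storage`.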

---
Base URL: `https://api.trustpager.com/functions/v1/api/v1` — Auth: `Authorization: Bearer YOUR_API_KEY`