Account

Two endpoints handle data-subject rights for your organization:

  • GET /v1/auth/export — download every row Chronary holds for your org as JSON (GDPR Art. 15 right of access + Art. 20 right to portability, CCPA right-to-know, EU Data Act interoperability).
  • DELETE /v1/auth/account — hard-delete your organization (GDPR Art. 17 right to erasure).

Both endpoints are JWT-authenticated (console session cookie or Bearer token) — they’re not callable with API keys (chr_sk_* / chr_ak_*). The export endpoint returns decrypted webhook secrets and iCal subscription URLs that aren’t normally exposed via API-key endpoints, hence the stricter auth gate.

In day-to-day use, you’ll trigger both from the console at console.chronary.ai/settings. The HTTP endpoints exist for programmatic compliance tooling (e.g. a server holding a delegated JWT).

GET /v1/auth/export

Returns a single JSON file with every row tied to your org. Rate-limited to 10 exports per hour per org.

| Header | Value |
|--------|-------|
| Content-Type | application/json |
| Content-Disposition | attachment; filename="chronary-export-YYYY-MM-DD.json" |
| Cache-Control | no-store |

{
  "exported_at": "2026-04-26T12:00:00.000Z",
  "format_version": "1",
  "org": { /* id, name, email, plan, oauth, ToS state, timestamps */ },
  "agents": [...],
  "calendars": [...],             // includes ical_token + ical_feed_url
  "events": [...],                // titles + descriptions decrypted
  "availability_rules": [...],
  "ical_subscriptions": [...],    // url decrypted
  "webhook_subscriptions": [...], // secret + url decrypted
  "api_keys": [...],              // org + agent-scoped, prefix only — no key, no hash
  "scheduling_proposals": [...],
  "proposal_slots": [...],
  "proposal_responses": [...],
  "usage_records": [...],
  "quota_counters": [...],
  "tos_acceptances": [...],       // immutable legal artifact
  "account_claims_initiated": [...] // claims this org started; tokens masked
}

Included (your data):

  • Org metadata (id, name, email, plan, OAuth identity, ToS acceptance state)
  • Every agent, calendar, event, availability rule, scheduling proposal, slot, response, iCal subscription, webhook subscription
  • API key prefixes + labels + creation/revocation timestamps (so you can identify keys in your records)
  • Decrypted plaintext for event titles + descriptions, webhook secrets, and iCal subscription URLs
  • ToS acceptance audit rows (version + SHA-256 + timestamp)
  • Usage and quota counters
  • Account-claim records this org initiated (without operational secrets)

Omitted (not your data, or unrecoverable):

  • Password hashes, OTP hashes, claim revocation tokens (operational secrets)
  • API key hashes (irrecoverable — the original key is shown only at creation)
  • Internal scheduling state (started_scheduled_for, hold_expiry_scheduled_for, etc. — implementation detail)
  • Incident records (Chronary’s infra audit log, not user data)
  • Account-claim records targeting this org (would expose third-party identity)

Each calendar in the export includes its ical_token and a public ical_feed_url. Point any RFC 5545 client (Google Calendar, Apple Calendar, Outlook) at the URL to subscribe — no auth needed. This satisfies the EU Data Act’s “structured, machine-readable” portability requirement for calendar data alongside the JSON dump.

# JWT must be a console session token, not an API key.
curl -O -J https://api.chronary.ai/v1/auth/export \
  -H "Authorization: Bearer ${CHRONARY_CONSOLE_JWT}"

| Status | Type | When |
|--------|------|------|
| 401 | authentication_error | Missing or invalid JWT (API keys also return 401 here) |
| 429 | rate_limited | More than 10 exports in the past hour for this org |
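
Because the export file carries decrypted webhook secrets and iCal subscription URLs, one way for compliance tooling to handle it is to keep the raw file owner-only and circulate a masked copy. This is an added example, not Chronary's code: `redact_export` and `write_private` are hypothetical helpers, the per-row key names (`secret`, `url`, `ical_token`, `ical_feed_url`) are assumed from the comments in the sample export, and the sample data is constructed.

```python
import copy
import json
import os

# Secret-bearing fields per collection, from the comments in the sample export.
# The per-row key names are assumptions, not a documented schema.
SENSITIVE_FIELDS = {
    "calendars": ("ical_token", "ical_feed_url"),
    "ical_subscriptions": ("url",),
    "webhook_subscriptions": ("secret", "url"),
}

# Constructed sample input, not real Chronary output.
SAMPLE_EXPORT = {
    "format_version": "1",
    "calendars": [{"id": "cal_1", "ical_token": "tok-example",
                   "ical_feed_url": "https://feeds.example/cal_1.ics"}],
    "ical_subscriptions": [{"id": "sub_1", "url": "https://cal.example/private.ics"}],
    "webhook_subscriptions": [{"id": "wh_1", "url": "https://hooks.example/in",
                               "secret": "whsec-example"}],
    "api_keys": [{"prefix": "chr_sk_ab12", "label": "ci"}],
}


def redact_export(export):
    """Return (masked deep copy, count of masked values per collection.field)."""
    redacted = copy.deepcopy(export)
    counts = {}
    for collection, fields in SENSITIVE_FIELDS.items():
        for row in redacted.get(collection) or []:
            for field in fields:
                if row.get(field):
                    row[field] = "[REDACTED]"
                    key = f"{collection}.{field}"
                    counts[key] = counts.get(key, 0) + 1
    return redacted, counts


def write_private(path, data):
    """Create path owner-only (0600); O_EXCL refuses to reuse an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh, indent=2)


if __name__ == "__main__":
    masked, counts = redact_export(SAMPLE_EXPORT)
    print(json.dumps(counts, indent=2))
```

The per-field counts give a quick inventory of which webhook secrets and feed URLs were present in the export, which is useful if the raw file is ever exposed and those values need rotating.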

DELETE /v1/auth/account

Hard-deletes your organization. All cascade-linked rows (agents, API keys, calendars, events, iCal subscriptions, webhook subscriptions, scheduling proposals, availability rules, usage records, quota counters) are removed. ToS acceptance audit rows are retained with a NULL org reference per Washington RCW 4.16.040 (6-year contract statute of limitations / GDPR Art. 17(3)(e) legal-obligation exception).

The session cookie is cleared and the response is 204 No Content.

There is no recovery path. Export your data first if you might need it.