Authentication
User registration, authentication, token management, and multi-factor authentication.
11 endpoints
Endpoint Details
POST /auth/register
Auth: Public
Create a new account and return JWT tokens (auto-login). The password must be 12+ characters and contain an uppercase letter, a lowercase letter, a digit, and a special character. Passwords are hashed with Argon2id.
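The registration password policy above, as an added example that is not the API's own code: a standard-library Python validator that reports every rule a candidate password fails, plus the error body a server could return for it. Treating any non-alphanumeric, non-whitespace character as "special" and NFKC-normalising the input first are assumptions, and the Argon2id hashing step is not reproduced because it needs a third-party library rather than the standard library.

```python
import unicodedata

MIN_LENGTH = 12  # documented minimum

# One predicate per documented rule. Which characters count as "special" is not
# defined on the page; anything non-alphanumeric and non-whitespace is an assumption.
RULES = {
    "min_length": lambda p: len(p) >= MIN_LENGTH,
    "uppercase": lambda p: any(c.isupper() for c in p),
    "lowercase": lambda p: any(c.islower() for c in p),
    "digit": lambda p: any(c.isdigit() for c in p),
    "special": lambda p: any(not c.isalnum() and not c.isspace() for c in p),
}


def password_violations(password: str) -> list:
    """Return the names of every rule the candidate fails; an empty list means it passes.

    The input is NFKC-normalised first (an assumption) so that a composed and a
    decomposed spelling of the same string are judged, and later hashed, identically.
    """
    normalized = unicodedata.normalize("NFKC", password)
    return [name for name, passes in RULES.items() if not passes(normalized)]


def registration_error(password: str):
    """Shape an error body for a rejected password, or None when it is acceptable.

    Echoing the failed rule names (never the password itself) is enough for the
    client to fix the input without the secret reaching logs or responses.
    """
    failed = password_violations(password)
    if not failed:
        return None
    return {"error": "password_policy", "failed_rules": failed}
```

Whitespace is deliberately excluded from the "special" class so that padding a short password with spaces does not satisfy the rule.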
Request Example
  {
    "email": "jane@example.com",
    "password": "S3cure!Pass#2026",
    "role": "member"
  }

Response
  {
    "access_token": "eyJhbGciOiJFUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 3600,
    "user": {
      "id": "c1d2e3f4-a5b6-7890-cdef-123456789abc",
      "email": "jane@example.com",
      "role": "member",
      "created_at": "2026-03-10T08:00:00Z"
    }
  }

POST /auth/login
Auth: Public
Authenticate with email and password. Returns the access token in the body (1-hour expiry) and sets the refresh token as an HttpOnly cookie (7-day expiry). If MFA is enabled on the account, the response is mfa_required=true with no tokens; complete the login with POST /auth/mfa/authenticate.

Request Example
  {
    "email": "jane@example.com",
    "password": "S3cure!Pass#2026"
  }

Response
  {
    "access_token": "eyJhbGciOiJFUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 3600,
    "user": {
      "id": "c1d2e3f4-a5b6-7890-cdef-123456789abc",
      "email": "jane@example.com",
      "role": "member",
      "linked_entity_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
      "last_login": "2026-03-10T08:30:00Z"
    }
  }

POST /auth/refresh
Auth: Public
Refresh the access token using the HttpOnly refresh cookie. The refresh token is rotated: a new one is set and the old one is revoked.

Response
  {
    "access_token": "eyJhbGciOiJFUzI1NiIs...",
    "token_type": "bearer",
    "expires_in": 3600
  }

POST /auth/logout
Auth: Public
Revoke the refresh token and clear the cookie.
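The refresh and logout semantics above (rotate on refresh, revoke the old token, revoke on logout), together with the "revokes all existing refresh tokens" rule of POST /auth/reset-password, as an added Python example that is not the API's own implementation. Storing only a SHA-256 hash of each opaque token, grouping rotated tokens into a "family" so that replay of an already-rotated token revokes the whole chain, and the cookie name, path and Secure/SameSite attributes in refresh_cookie_header are assumptions that go beyond what the page states.

```python
import hashlib
import secrets
import time

REFRESH_TTL = 7 * 24 * 3600  # 7-day refresh expiry, as documented
COOKIE_NAME = "refresh_token"  # assumption: the page does not name the cookie
COOKIE_PATH = "/auth"          # assumption: scope the cookie to the auth endpoints only


class RefreshTokenStore:
    """In-memory store of opaque refresh tokens with rotation and reuse detection."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # sha256(token) -> record dict

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a database dump does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, family=None):
        """Mint a new token. A 'family' ties together every token produced by rotation."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._key(token)] = {
            "user": user_id,
            "family": family or secrets.token_hex(8),
            "expires": self._clock() + REFRESH_TTL,
            "revoked": False,
        }
        return token

    def refresh(self, presented):
        """POST /auth/refresh: validate, revoke the presented token, return its successor."""
        rec = self._tokens.get(self._key(presented))
        if rec is None or rec["expires"] < self._clock():
            raise PermissionError("unknown or expired refresh token")
        if rec["revoked"]:
            # An already-rotated token is being replayed: either it leaked or the
            # client raced itself. Revoke the whole family so both copies stop working.
            self.revoke_family(rec["family"])
            raise PermissionError("refresh token reuse detected; family revoked")
        rec["revoked"] = True
        return self.issue(rec["user"], rec["family"])

    def revoke(self, presented):
        """POST /auth/logout: revoke the presented token (unknown tokens are ignored)."""
        rec = self._tokens.get(self._key(presented))
        if rec is not None:
            rec["revoked"] = True

    def revoke_family(self, family):
        for rec in self._tokens.values():
            if rec["family"] == family:
                rec["revoked"] = True

    def revoke_all_for_user(self, user_id):
        """POST /auth/reset-password: every refresh token the user holds is invalidated."""
        for rec in self._tokens.values():
            if rec["user"] == user_id:
                rec["revoked"] = True

    def is_valid(self, presented):
        rec = self._tokens.get(self._key(presented))
        return rec is not None and not rec["revoked"] and rec["expires"] >= self._clock()


def refresh_cookie_header(token):
    """Set-Cookie value that carries the refresh token.

    HttpOnly keeps it away from page scripts (as documented); Secure and
    SameSite=Strict are the usual companions and are assumptions here.
    """
    return (f"{COOKIE_NAME}={token}; Max-Age={REFRESH_TTL}; Path={COOKIE_PATH}; "
            "HttpOnly; Secure; SameSite=Strict")


def clear_cookie_header():
    """Set-Cookie value used by POST /auth/logout to clear the cookie on the client."""
    return f"{COOKIE_NAME}=; Max-Age=0; Path={COOKIE_PATH}; HttpOnly; Secure; SameSite=Strict"
```

Reuse detection is the reason rotation is worth doing: because the server remembers that a token has already been exchanged, a second presentation of it is a clear signal rather than a silent success, and revoking the family also cuts off whoever holds the newer copy.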

GET /auth/me
Auth: JWT
Return the authenticated user's profile.

Response
  {
    "id": "c1d2e3f4-a5b6-7890-cdef-123456789abc",
    "email": "jane@example.com",
    "role": "member",
    "linked_entity_id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "created_at": "2026-03-10T08:00:00Z",
    "last_login": "2026-03-10T08:30:00Z"
  }

POST /auth/forgot-password
Auth: Public
Request a password reset email. Always returns success, whether or not the address is registered, to prevent user enumeration.

Request Example
  {
    "email": "jane@example.com"
  }

POST /auth/reset-password
Auth: Public
Reset the password using a valid reset token. Revokes all existing refresh tokens.

Request Example
  {
    "token": "abc123def456...",
    "new_password": "N3wS3cure!Pass#2026"
  }

POST /auth/mfa/setup
Auth: JWT
Generate a new TOTP secret and a provisioning URI for setting up an authenticator app.

POST /auth/mfa/verify
Auth: JWT
Verify a TOTP code and enable MFA for the account. Returns one-time recovery codes.

Request Example
  {
    "code": "123456"
  }

POST /auth/mfa/disable
Auth: JWT
Disable MFA for the account. Requires a valid TOTP code.

Request Example
  {
    "code": "123456"
  }

POST /auth/mfa/authenticate
Auth: Public
Complete an MFA login by providing a TOTP code or a recovery code; the recovery flag indicates which kind of code is supplied. Called after POST /auth/login returns mfa_required=true.

Request Example
  {
    "email": "jane@example.com",
    "code": "123456",
    "recovery": false
  }
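The MFA flow of the last four endpoints (setup issues a secret and provisioning URI, verify enables MFA and hands out recovery codes, authenticate accepts a TOTP or a recovery code), as one added, standard-library Python example that is not the service's own code. It implements RFC 6238 TOTP with SHA-1, 6 digits and a 30-second step (the page names no parameters; these are the defaults authenticator apps assume), an otpauth:// provisioning URI, hashed single-use recovery codes, and an authenticate step that refuses a TOTP code already accepted inside its validity window. The issuer name, recovery-code format, and one-step skew window are assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

DIGITS, STEP = 6, 30           # RFC 6238 defaults; the page names no parameters (assumption)
ISSUER = "ExampleService"      # assumption: shown by the authenticator app next to the account


def new_totp_secret():
    """160-bit secret, base32 without padding, which is what authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


def provisioning_uri(secret_b32, account):
    """POST /auth/mfa/setup: otpauth:// URI the client renders as a QR code."""
    label = quote(f"{ISSUER}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(ISSUER)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def _hotp(secret_b32, counter):
    """RFC 4226 HOTP for one counter value (the building block of TOTP)."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp_code(secret_b32, at=None):
    """Code for the current (or the given) Unix time."""
    return _hotp(secret_b32, int((time.time() if at is None else at) // STEP))


def verify_totp(secret_b32, code, at=None, window=1, last_counter=-1):
    """Return the time-step counter the code matches, or None.

    window=1 tolerates one step of clock skew either way (assumption). Counters at
    or below last_counter are refused, so a code that was already accepted cannot
    be replayed for the rest of its validity window.
    """
    base = int((time.time() if at is None else at) // STEP)
    for counter in range(base - window, base + window + 1):
        if counter > last_counter and hmac.compare_digest(_hotp(secret_b32, counter), code):
            return counter
    return None


def new_recovery_codes(count=8):
    """POST /auth/mfa/verify: plaintext codes for the user, hashes for storage (format assumed)."""
    codes = [secrets.token_hex(5) for _ in range(count)]
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


class MfaAccount:
    """Per-user MFA state: TOTP secret, unused recovery-code hashes, last accepted counter."""

    def __init__(self, secret_b32, recovery_hashes):
        self.secret = secret_b32
        self.recovery_hashes = set(recovery_hashes)
        self.last_counter = -1

    def authenticate(self, code, recovery=False, at=None):
        """POST /auth/mfa/authenticate: the body's 'recovery' flag selects the code type."""
        if recovery:
            h = hashlib.sha256(code.strip().lower().encode()).hexdigest()
            if h not in self.recovery_hashes:
                return False
            self.recovery_hashes.discard(h)   # single use, as the page requires
            return True
        counter = verify_totp(self.secret, code.strip(), at, last_counter=self.last_counter)
        if counter is None:
            return False
        self.last_counter = counter
        return True
```

The same verify_totp call serves POST /auth/mfa/verify and POST /auth/mfa/disable, which both require a currently valid code; only the recovery-code path belongs to the login completion endpoint. Recording the last accepted counter is what turns "valid for 30 seconds" into "valid once".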