All endpoints are prefixed with /api/auth. Requests and responses use Content-Type: application/json. Endpoints that require authentication expect an Authorization: Bearer <accessToken> header.

POST /api/auth/signup

Register a new user account. A verification OTP is automatically sent to the provided email address.
Only @calpoly.edu email addresses are accepted.

Request body

email (string, required)
    A valid @calpoly.edu email address.
password (string, required)
    Account password. Must be 8–30 characters.
username (string, required)
    Display name shown on the user’s profile. Must be 2–30 characters.

Response — 201 Created

success (boolean)
    true on success.
message (string)
    Human-readable confirmation, e.g. "Account created. Please check your email for the verification code."
data (object)

Error responses

Status  Condition
400     Missing or invalid fields, non-@calpoly.edu email, or password/username length out of range
409     Email is already registered

Example

curl -X POST http://localhost:3000/api/auth/signup \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePass123",
    "username": "musty_mustang"
  }'

POST /api/auth/login

Sign in with email and password. Returns Supabase session tokens and the user’s profile data.

Request body

email (string, required)
    Registered email address.
password (string, required)
    Account password.

Response — 200 OK

success (boolean)
    true on success.
data (object)

Error responses

Status  Condition
400     Missing email or password field
401     Invalid email or password

Example

curl -X POST http://localhost:3000/api/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "SecurePass123"
  }'

POST /api/auth/verify

Verify the OTP code that was emailed after signup. Returns session tokens on success, making the account active.

Request body

email (string, required)
    Email address that received the OTP.
token (string, required)
    The OTP code from the verification email. Must be 4–8 characters.

Response — 200 OK

success (boolean)
    true on success.
message (string)
    "Email verified successfully."
data (object)

Error responses

Status  Condition
400     Invalid or expired OTP code
404     User record not found after verification

Example

curl -X POST http://localhost:3000/api/auth/verify \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "token": "123456"
  }'

POST /api/auth/resend

Resend the signup verification OTP to the provided email address.

Request body

email (string, required)
    Email address to resend the verification code to.

Response — 200 OK

success (boolean)
    true on success.
message (string)
    "A new code has been sent to your email."

Error responses

Status  Condition
400     Missing email or Supabase could not send the code

Example

curl -X POST http://localhost:3000/api/auth/resend \
  -H "Content-Type: application/json" \
  -d '{"email": "[email protected]"}'

POST /api/auth/change-password

Change the password for the currently authenticated user. The current password is verified before applying the update.
Auth required: Yes — include Authorization: Bearer <accessToken>.

Request body

oldPassword (string, required)
    The user’s current password.
newPassword (string, required)
    The desired new password. Must be 8–30 characters.

Response — 200 OK

success (boolean)
    true on success.
message (string)
    "Password updated successfully."

Error responses

Status  Condition
400     oldPassword is incorrect, or newPassword length is out of range
401     Missing or invalid Bearer token

Example

curl -X POST http://localhost:3000/api/auth/change-password \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <accessToken>" \
  -d '{
    "oldPassword": "SecurePass123",
    "newPassword": "EvenBetter456"
  }'
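The endpoints above form one sequence for a new user: signup, verify, login, then an authenticated call such as change-password with the access token in the Authorization header. The following client is an added example, not the project's own client library. It takes the fetch implementation as a parameter so the exchange can be run offline against the constructed stub at the bottom, which answers with the documented status codes. The base URL is the one used in the curl examples; the location of the access token inside data (data.session.access_token) is an assumption, since the docs only say that login returns Supabase session tokens, and it can be overridden with the getToken parameter.

```javascript
// Added example (not the project's own client): a minimal client for the
// documented /api/auth endpoints plus a constructed stub server for offline use.

const BASE_URL = "http://localhost:3000/api/auth"; // from the curl examples

class AuthError extends Error {
  constructor(status, message) {
    super(message);
    this.name = "AuthError";
    this.status = status;
  }
}

// POST a JSON body; attach the Bearer token only when one is supplied.
// Any non-2xx status, or a 2xx whose body lacks success: true, becomes an AuthError.
async function postJson(fetchImpl, path, body, accessToken) {
  const headers = { "Content-Type": "application/json" };
  if (accessToken) headers.Authorization = `Bearer ${accessToken}`;
  const res = await fetchImpl(`${BASE_URL}${path}`, {
    method: "POST",
    headers,
    body: JSON.stringify(body),
  });
  let json = {};
  try {
    json = await res.json();
  } catch (_) {
    // Non-JSON body (e.g. a proxy error page): fall through to the status check.
  }
  if (!res.ok || json.success !== true) {
    throw new AuthError(res.status, json.message || `HTTP ${res.status}`);
  }
  return json;
}

// Map the documented status codes to distinct client outcomes.
function describeFailure(err) {
  switch (err.status) {
    case 400: return "invalid input";
    case 401: return "credentials or token rejected";
    case 409: return "email already registered";
    default: return "unexpected error";
  }
}

// signup -> verify -> login -> change-password, in the order the docs describe.
// getToken's default (data.session.access_token) is an assumption about the
// undocumented shape of `data`.
async function runAuthFlow(fetchImpl, creds, getToken = (data) => data.session.access_token) {
  const { email, password, username, otp, newPassword } = creds;
  await postJson(fetchImpl, "/signup", { email, password, username });
  await postJson(fetchImpl, "/verify", { email, token: otp });
  const login = await postJson(fetchImpl, "/login", { email, password });
  const accessToken = getToken(login.data);
  await postJson(fetchImpl, "/change-password", { oldPassword: password, newPassword }, accessToken);
  return { accessToken };
}

// Constructed stub standing in for the server; it records each request in `log`
// and replies with the documented status codes. Only the change-password route
// checks the Bearer token, returning the documented 401 when it is missing or wrong.
const STUB_TOKEN = "tok-constructed";
function makeStubFetch(log) {
  const reply = (status, json) => ({ ok: status >= 200 && status < 300, status, json: async () => json });
  return async (url, init) => {
    const path = url.slice(BASE_URL.length);
    log.push({ path, authorization: init.headers.Authorization, body: JSON.parse(init.body) });
    if (path === "/signup") return reply(201, { success: true, message: "Account created.", data: {} });
    if (path === "/verify") return reply(200, { success: true, message: "Email verified successfully.", data: {} });
    if (path === "/login") return reply(200, { success: true, data: { session: { access_token: STUB_TOKEN } } });
    if (path === "/change-password") {
      if (init.headers.Authorization !== `Bearer ${STUB_TOKEN}`) {
        return reply(401, { success: false, message: "Missing or invalid Bearer token" });
      }
      return reply(200, { success: true, message: "Password updated successfully." });
    }
    return reply(404, { success: false, message: "Not found" });
  };
}

// Offline demo against the stub with constructed credentials.
const demoLog = [];
runAuthFlow(makeStubFetch(demoLog), {
  email: "[email protected]",
  password: "SecurePass123",
  username: "musty_mustang",
  otp: "123456",
  newPassword: "EvenBetter456",
}).then((result) => {
  console.log("flow complete; token:", result.accessToken, "calls:", demoLog.map((e) => e.path));
}).catch((err) => console.error(describeFailure(err), err.message));
```

Because postJson treats a 2xx without success: true as a failure, the client never mistakes a malformed success body for a valid session, and the 401 from change-password surfaces as a distinct outcome rather than a generic error. The resend endpoint is not exercised here; it takes the same JSON shape and could be added as a further postJson call.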
