Request an OTP
Sends a one-time password to the specified email address.
Request body
The email address to send the OTP to.
Response
true when the OTP was dispatched successfully.
Value: "OTP send successfully".
Error cases
| Status | Message | Cause |
|---|---|---|
| 400 | Validation error message | Missing or invalid email |
| 403 | Service error message | Failed to generate or dispatch OTP |
| 429 | "Too many requests." | Rate limit of 2 per hour exceeded |
Example
Verify an OTP
Verifies a one-time password for the given email address.
Request body
The email address the OTP was sent to.
The one-time password received by the user.
Response
true when the OTP is valid.
Value: "OTP verified successfully".
Additional verification result data returned by the OTP service.
Error cases
| Status | Message | Cause |
|---|---|---|
| 400 | "OTP verification failed" | OTP is invalid or has expired |
| 429 | "Too many requests." | Rate limit of 5 attempts per 15 minutes exceeded |
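
The two OTP limits documented above (2 requests per hour, 5 verification attempts per 15 minutes) enforced with a sliding window, as an added example that is not the service's own code. Keying the counters by normalized email address, the `retryAfterSec` field, and the names `LIMITS`, `SlidingWindowLimiter`, `check` and `demo` are assumptions made for illustration.

```javascript
// Added example (hypothetical names): sliding-window limits for the OTP endpoints.
const LIMITS = {
  requestOtp: { max: 2, windowMs: 60 * 60 * 1000 }, // 2 per hour
  verifyOtp: { max: 5, windowMs: 15 * 60 * 1000 },  // 5 attempts per 15 minutes
};

class SlidingWindowLimiter {
  // `now` is injectable so the window logic can be tested without waiting.
  constructor(limits, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.hits = new Map(); // "action:email" -> timestamps of accepted attempts
  }

  // Call before doing any OTP work, so failed verifications count as attempts too.
  check(action, email) {
    const { max, windowMs } = this.limits[action];
    // Assumption: the limit is keyed by email; normalize so case and
    // surrounding whitespace cannot be used to get a fresh counter.
    const key = `${action}:${email.trim().toLowerCase()}`;
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      this.hits.set(key, recent);
      // Seconds until the oldest counted attempt leaves the window.
      const retryAfterSec = Math.ceil((recent[0] + windowMs - t) / 1000);
      return { status: 429, message: "Too many requests.", retryAfterSec };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { status: 200, remaining: max - recent.length };
  }
}

// Constructed scenario: three OTP requests at once, then one an hour later.
function demo() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(LIMITS, () => clock);
  const out = [];
  for (let i = 0; i < 3; i++) {
    out.push(limiter.check("requestOtp", " User@Example.com").status);
  }
  clock = 60 * 60 * 1000; // one hour later the window has emptied
  out.push(limiter.check("requestOtp", "user@example.com").status);
  return out; // [200, 200, 429, 200]
}
```
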
Example
Logout
Revokes the current session’s refresh token and clears the refreshToken cookie.
refreshToken cookie
If no cookie is present, the endpoint still returns a success response — the logout is treated as a no-op.
Response
Always true.
Value: "Logged out successfully".
Example
Logout all devices
Revokes all active sessions for the authenticated user across all devices.
Authorization: Bearer <access_token>
Response
true when all sessions were revoked.
Value: "Logged out from all devices".
Error cases
| Status | Message | Cause |
|---|---|---|
| 401 | "Unauthorized" | Missing or invalid access token |
| 500 | "Logout failed" | Unexpected server error |
Example
List active devices
Returns all active device sessions for the authenticated user. The current session is identified within the list.
Authorization: Bearer <access_token>
Response
true on success.
Value: "Devices fetched successfully".
Array of active device sessions. Each session object includes the token ID, device metadata, and creation timestamp.
Error cases
| Status | Message | Cause |
|---|---|---|
| 401 | "Unauthorized" | Missing or invalid access token |
| 500 | "Failed to fetch devices" | Unexpected server error |
Example
Logout a specific device
Revokes a specific device session by its token ID. Obtain the token ID from GET /api/auth/devices.
Authorization: Bearer <access_token>
Path parameter
The UUID token ID of the session to revoke. Retrieve it from GET /api/auth/devices.
Response
true when the session was revoked.
Value: "Device logged out successfully".
Error cases
| Status | Message | Cause |
|---|---|---|
| 401 | "Unauthorized" | Missing or invalid access token |
| 500 | "Failed to logout device" | Token ID not found or server error |
Example
Request password reset email
Sends a password reset link to the specified email address. For security, the response is always a success — no information is revealed about whether the email exists in the system.
Request body
The email address associated with the account to reset.
Response
true when the request was processed.
Value: "Password reset email sent successfully".
Error cases
| Status | Message | Cause |
|---|---|---|
| 400 | Validation error message | Missing or invalid email |
| 500 | "Failed to send password reset email" | Email dispatch error |
Example
Reset password
Resets the user’s password using the token from the password reset email.
Request body
The email address of the account being reset.
The password reset token received in the reset email.
The new password to set for the account.
Response
true when the password was reset successfully.
Value: "Password has been reset successfully".
Error cases
| Status | Message | Cause |
|---|---|---|
| 400 | Validation error message | Missing or invalid request fields |
| 500 | "Failed to reset password" | Token is invalid, expired, or server error |
