The auth endpoints cover the full account lifecycle: registration, email confirmation, login, password reset, and sensitive-action verification. Most of these endpoints are public — they do not require a Bearer token.

Create account

POST /auth/create-account
No authentication required.
Registers a new user account. After registration, the user receives a confirmation email with a 6-digit token. The account is not active until confirmed.

Request body

name
string
required
Full display name of the user.
email
string
required
Email address. Must be unique across all accounts.
password
string
required
Account password.
password_confirmation
string
required
Must match the password field exactly.

Example request

curl -X POST https://api.yourdomain.com/auth/create-account \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Ada Lovelace",
    "email": "[email protected]",
    "password": "s3cur3pass",
    "password_confirmation": "s3cur3pass"
  }'

Example response

{
  "message": "Account created. Check your email to confirm your account."
}

Login

POST /auth/login
No authentication required.
Authenticates a user with email and password. On success the response body is a JWT, returned as a plain JSON string rather than an object. Store this token as AUTH_TOKEN in localStorage and send it as Authorization: Bearer <token> on every authenticated request. Two caveats for client authors: anything in localStorage is readable by any script running in the page's origin, so an XSS bug hands the token to the attacker; and the client does not hold the signing key, so it cannot verify the token and should treat the claims inside it as display hints, leaving authorization decisions to the server.

Request body

email
string
required
The registered email address.
password
string
required
The account password.

Example request

curl -X POST https://api.yourdomain.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "password": "s3cur3pass"
  }'

Example response

The response body is the JWT itself as a JSON string (note the surrounding quotes), not a JSON object:
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI2NDdmMWEyYjNjNGQ1ZTZmNzg5MDEyMzQiLCJpYXQiOjE3MTE5ODQwMDB9.abc123"

Decoded, the example's header is {"alg":"HS256","typ":"JWT"} and its payload is {"sub":"647f1a2b3c4d5e6f78901234","iat":1711984000}; abc123 stands in for the signature. The sub claim is the user's _id, the same value GET /auth/user returns. This example carries no exp claim, so clients should not assume one is present.
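An added example of how a browser or Node client can read the claims in the returned token for its own housekeeping (this is not code from the page or from the API's own front end). It makes two points from the section above concrete: the client does not hold the HS256 secret, so nothing here verifies a signature and every claim is an unverified hint; and the example token carries no exp claim, so a client cannot assume one. The unsignedTestToken helper exists only to exercise tokenStatus offline with chosen exp values.

```javascript
// Added example: client-side inspection of the JWT returned by POST /auth/login.
// Not the page's or the project's code. The client never holds the HS256 signing
// secret, so nothing here verifies a signature; decoded claims are hints for UI
// housekeeping only and must not drive authorization decisions.

// Decode one base64url segment of a JWT into a UTF-8 string.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Encode text as base64url without padding. Used only by unsignedTestToken below.
function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split a compact JWT (header.payload.signature) and parse header and payload.
// Throws on anything that is not three dot-separated segments of valid JSON.
function decodeJwt(token) {
  if (typeof token !== "string") throw new TypeError("token must be a string");
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT: expected 3 segments");
  return {
    header: JSON.parse(base64UrlDecode(parts[0])),
    payload: JSON.parse(base64UrlDecode(parts[1])),
    signature: parts[2], // opaque to the client; only the server can check it
  };
}

// Classify a token for the client's own housekeeping:
//   "no-exp"  - no exp claim (as in the page's example); only a server round-trip
//               such as GET /auth/user can tell whether it is still accepted
//   "expired" - exp is already past or within skewSeconds of now, so a request
//               sent now may arrive after the token has lapsed
//   "active"  - exp is comfortably in the future
function tokenStatus(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const { payload } = decodeJwt(token);
  if (typeof payload.exp !== "number") return "no-exp";
  return payload.exp <= nowSeconds + skewSeconds ? "expired" : "active";
}

// Build the header value every authenticated endpoint on this page expects,
// refusing to send anything that is not even JWT-shaped.
function authorizationHeader(token) {
  decodeJwt(token);
  return `Bearer ${token}`;
}

// For offline tests only: an *unsigned* token with a chosen payload so tokenStatus()
// can be exercised with specific exp values. Never send such a token to a server.
function unsignedTestToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.x`;
}

// The token from the Login section above (its signature is a placeholder there).
const EXAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiI2NDdmMWEyYjNjNGQ1ZTZmNzg5MDEyMzQiLCJpYXQiOjE3MTE5ODQwMDB9.abc123";

console.log(decodeJwt(EXAMPLE_TOKEN).payload, tokenStatus(EXAMPLE_TOKEN));
```

When tokenStatus returns "no-exp", the only reliable liveness check is the GET /auth/user round-trip the page recommends; when it returns "expired", send the user back to login before making the request rather than waiting for the server to reject it.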

Confirm account

POST /auth/confirm-account
No authentication required.
Activates a newly registered account using the 6-digit confirmation token sent to the user's email address. The request carries only the token; the server resolves the account from it. With one million possible values the code is a low-entropy secret: keep it out of client-side logs and analytics, and do not retry failed confirmations automatically.

Request body

token
string
required
The 6-digit confirmation token from the verification email.

Example request

curl -X POST https://api.yourdomain.com/auth/confirm-account \
  -H "Content-Type: application/json" \
  -d '{
    "token": "482910"
  }'

Example response

{
  "message": "Account confirmed successfully."
}

Request new confirmation code

POST /auth/request-code
No authentication required.
Issues a new 6-digit confirmation token and sends it to the specified email address. Use this if the original confirmation email expired or was not received.

Request body

email
string
required
The email address associated with the unconfirmed account.

Example request

curl -X POST https://api.yourdomain.com/auth/request-code \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'

Example response

{
  "message": "A new confirmation code has been sent to your email."
}

Forgot password

POST /auth/forgot-password
No authentication required.
Sends a password reset email containing a token to the specified address. Use POST /auth/validate-token to check the token before prompting the user to enter a new password.

Request body

email
string
required
The email address associated with the account.

Example request

curl -X POST https://api.yourdomain.com/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]"
  }'

Example response

{
  "message": "Password reset instructions have been sent to your email."
}

Validate password reset token

POST /auth/validate-token
No authentication required.
Validates a password reset token before allowing the user to set a new password. Call this endpoint when the user lands on the reset-password page to confirm the token is still valid before rendering the form.

Request body

token
string
required
The password reset token from the reset email.

Example request

curl -X POST https://api.yourdomain.com/auth/validate-token \
  -H "Content-Type: application/json" \
  -d '{
    "token": "482910"
  }'

Example response

{
  "message": "Token is valid."
}

Update password

POST /auth/update-password/:token
No authentication required. The reset token is passed as a URL path parameter, so URL-encode it when building the request; a token in the path is also more likely than a body field to be recorded in access and proxy logs.
Sets a new password for the account associated with the provided reset token. Call this after successfully validating the token with POST /auth/validate-token.

Path parameters

token
string
required
The password reset token from the reset email. This is the same token validated by POST /auth/validate-token.

Request body

password
string
required
The new password to set.
password_confirmation
string
required
Must match the password field exactly.

Example request

curl -X POST https://api.yourdomain.com/auth/update-password/482910 \
  -H "Content-Type: application/json" \
  -d '{
    "password": "newS3cur3pass",
    "password_confirmation": "newS3cur3pass"
  }'

Example response

{
  "message": "Password updated successfully."
}
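The whole reset exchange (POST /auth/forgot-password, then POST /auth/validate-token, then POST /auth/update-password/:token) as an added example that is not the project's code, run against an in-memory mock of the server so that it works offline. The client functions use only the requests and fields the page documents. Everything inside MockAuthServer (15-minute token lifetime, single use, the same reply for unknown addresses, 8-character minimum, error wording, counter-based tokens) is an assumption about how such a server should behave and says nothing about the real API. The address ada@example.com and the passwords are constructed sample data.

```javascript
// Added example, not the project's code: the reset flow end to end against an
// in-memory mock. All server-side rules below are ASSUMPTIONS, not facts about the API.

const BASE_URL = "https://api.yourdomain.com";

class MockAuthServer {
  constructor(clock) {
    this.clock = clock;          // () => seconds; injectable so expiry can be tested
    this.users = new Map();      // email -> { password }
    this.resets = new Map();     // token -> { email, expiresAt }
    this.outbox = [];            // the emails the mock "sent"; the demo reads tokens here
    this.nextToken = 482910;     // deterministic for the demo; a real server uses a CSPRNG
  }
  register(email, password) { this.users.set(email, { password }); }

  // A reset record is returned only while the token exists and has not expired.
  lookup(token) {
    const reset = this.resets.get(token);
    if (!reset) return null;
    if (reset.expiresAt <= this.clock()) { this.resets.delete(token); return null; }
    return reset;
  }

  handle(method, path, body) {
    const ok = (message) => ({ status: 200, body: { message } });
    const bad = (message) => ({ status: 400, body: { message } });
    if (method !== "POST") return { status: 404, body: { message: "Not found." } };
    if (path === "/auth/forgot-password") {
      if (this.users.has(body.email)) {
        const token = String(this.nextToken++);
        this.resets.set(token, { email: body.email, expiresAt: this.clock() + 15 * 60 });
        this.outbox.push({ to: body.email, token });
      }
      // Same reply whether or not the address exists, so callers cannot enumerate accounts.
      return ok("Password reset instructions have been sent to your email.");
    }
    if (path === "/auth/validate-token") {
      return this.lookup(body.token) ? ok("Token is valid.") : bad("Invalid or expired token.");
    }
    const m = /^\/auth\/update-password\/([^/]+)$/.exec(path);
    if (m) {
      const token = decodeURIComponent(m[1]);
      const reset = this.lookup(token);
      if (!reset) return bad("Invalid or expired token.");
      if (body.password !== body.password_confirmation) return bad("Passwords do not match.");
      if (typeof body.password !== "string" || body.password.length < 8) return bad("Password too short.");
      this.users.set(reset.email, { password: body.password });
      this.resets.delete(token);   // single use: replaying the same token must fail
      return ok("Password updated successfully.");
    }
    return { status: 404, body: { message: "Not found." } };
  }

  // fetch-shaped adapter so the client below cannot tell it is talking to a mock.
  async fetch(url, init) {
    const res = this.handle(init.method, new URL(url).pathname, init.body ? JSON.parse(init.body) : {});
    return { ok: res.status < 300, status: res.status, json: async () => res.body };
  }
}

// Client side: only the requests the page documents.
async function postJson(f, path, body) {
  const res = await f(`${BASE_URL}${path}`, {
    method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(body),
  });
  return { ok: res.ok, status: res.status, ...(await res.json()) };
}
const requestReset = (f, email) => postJson(f, "/auth/forgot-password", { email });
const validateResetToken = (f, token) => postJson(f, "/auth/validate-token", { token });

// The token travels in the URL path, so it is URL-encoded: a token containing "/" or "?"
// must not be able to change the route. Mismatched passwords are caught before any request
// leaves the client, and the token is never interpolated into messages or logs.
async function completeReset(f, token, password, passwordConfirmation) {
  if (password !== passwordConfirmation) {
    return { ok: false, status: 0, message: "Passwords do not match (checked client-side)." };
  }
  return postJson(f, `/auth/update-password/${encodeURIComponent(token)}`,
    { password, password_confirmation: passwordConfirmation });
}

// Whole flow; the "read the email" step is simulated by reading the mock's outbox.
async function demoResetFlow() {
  let now = 1711984000;
  const server = new MockAuthServer(() => now);
  server.register("ada@example.com", "s3cur3pass");           // constructed sample account
  const f = server.fetch.bind(server);
  await requestReset(f, "ada@example.com");
  await requestReset(f, "nobody@example.com");                 // unknown: same reply, no email
  const token = server.outbox[0].token;
  const valid = (await validateResetToken(f, token)).ok;
  const updated = (await completeReset(f, token, "newS3cur3pass", "newS3cur3pass")).ok;
  const replayed = (await validateResetToken(f, token)).ok;    // consumed: must be false
  await requestReset(f, "ada@example.com");                    // a second token, then let it age out
  now += 16 * 60;
  const staleAccepted = (await validateResetToken(f, server.outbox[1].token)).ok;
  return { emailsSent: server.outbox.length, valid, updated, replayed, staleAccepted,
           newPasswordStored: server.users.get("ada@example.com").password === "newS3cur3pass" };
}

demoResetFlow().then((result) => console.log(result));
```

Swapping the mock for the real API means passing the platform's fetch in place of server.fetch; nothing in the client functions changes. The replay and expiry checks at the end of demoResetFlow are the two behaviours worth confirming against any real reset endpoint before trusting it.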

Get current user

GET /auth/user
Authentication required. Include your Bearer token in the Authorization header.
Returns the profile of the currently authenticated user. Use this endpoint to fetch user details after login, or to verify that a stored token is still accepted by the server (the client cannot check this locally). If the call fails, discard the stored token and send the user back to login.

Example request

curl -X GET https://api.yourdomain.com/auth/user \
  -H "Authorization: Bearer <your-token>"

Example response

{
  "_id": "647f1a2b3c4d5e6f78901234",
  "name": "Ada Lovelace",
  "email": "[email protected]"
}

Response fields

_id
string
required
Unique identifier for the user.
name
string
required
Full display name of the user.
email
string
required
Email address associated with the account.

Check password

POST /auth/check-password
Authentication required. Include your Bearer token in the Authorization header.
Verifies that the provided password matches the currently authenticated user's account password. Use this before allowing sensitive actions, such as deleting a project or changing account settings, to re-confirm the user's identity without requiring a full re-login. Note that the response is a message only: it issues no fresh token or proof that a later request can present, so it serves as a UI gate, and the handler for the sensitive action itself must still enforce its own authorization.

Request body

password
string
required
The current account password to verify.

Example request

curl -X POST https://api.yourdomain.com/auth/check-password \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "s3cur3pass"
  }'

Example response

{
  "message": "Password is correct."
}

Update profile

PUT /auth/profile
Authentication required. Include your Bearer token in the Authorization header.
Updates the authenticated user's display name and email address. The email address is also the login identifier, so changing it changes how the user signs in; gate this action behind POST /auth/check-password.

Request body

name
string
required
Updated display name.
email
string
required
Updated email address. Must be unique across all accounts.

Example request

curl -X PUT https://api.yourdomain.com/auth/profile \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Ada Byron",
    "email": "[email protected]"
  }'

Example response

{
  "message": "Profile updated successfully."
}

Change password (authenticated)

POST /auth/update-password
Authentication required. Include your Bearer token in the Authorization header.
Changes the password for the currently authenticated user. Requires the current password for verification. This is distinct from the unauthenticated reset flow even though both endpoints share the /auth/update-password path: the reset variant takes the token as a path parameter and no Bearer header, while this one takes a Bearer header and current_password in the body. Use this endpoint when the user is already logged in and wants to update their password from the profile page.

Request body

current_password
string
required
The user’s current account password. Used to verify identity before the change is accepted.
password
string
required
The new password. Minimum 8 characters.
password_confirmation
string
required
Must match the password field exactly.

Example request

curl -X POST https://api.yourdomain.com/auth/update-password \
  -H "Authorization: Bearer <your-token>" \
  -H "Content-Type: application/json" \
  -d '{
    "current_password": "s3cur3pass",
    "password": "newStr0ngPass!",
    "password_confirmation": "newStr0ngPass!"
  }'

Example response

{
  "message": "Password updated successfully."
}
