Zerobyte uses better-auth for session-based authentication with support for email/password, SSO, two-factor authentication, and organization management.
Authentication Flow
Email/Password Authentication
1. Check if any users exist using Get Status
2. Sign in with email and password via better-auth endpoint
3. Complete 2FA verification if enabled
4. Session cookie is automatically set
SSO Authentication
1. List available SSO providers
2. Initiate SSO flow via better-auth
3. Complete provider authentication
4. Session cookie is automatically set
Better-Auth Endpoints
Zerobyte uses better-auth for core authentication operations. These endpoints are available at /api/auth/*:
Sign In
POST /api/auth/sign-in/email
Content-Type: application/json
{
  "email": "user@example.com",
  "password": "your-password"
}
Sign Up
POST /api/auth/sign-up/email
Content-Type: application/json
{
  "email": "user@example.com",
  "password": "your-password",
  "username": "johndoe"
}
Note: Registration may be disabled by administrators. Check registration status first.
Sign Out
Two-Factor Authentication
Enable 2FA:
POST /api/auth/two-factor/enable
Verify 2FA:
POST /api/auth/two-factor/verify
Content-Type: application/json
{
  "code": "123456"
}
Disable 2FA:
POST /api/auth/two-factor/disable
Content-Type: application/json
{
  "password": "your-password"
}
Zerobyte Auth Endpoints
Get Status
curl -X GET http://localhost:4096/api/v1/auth/status
Check if any users exist in the system (used to determine if initial setup is needed).
Response:
Whether any users exist in the system
Get SSO Providers
curl -X GET http://localhost:4096/api/v1/auth/sso-providers
List all public SSO providers configured for the instance.
Response:
Array of SSO provider configurations:
Unique identifier for the SSO provider
Organization slug for the provider
Get SSO Settings
curl -X GET http://localhost:4096/api/v1/auth/sso-settings \
-H "Cookie: zerobyte.session=..."
Get SSO providers and invitations for the active organization. Requires organization admin role.
Response:
SSO providers configured for the organization:
Provider unique identifier
SSO provider type (e.g., “oidc”, “saml”)
Identity provider issuer URL
Email domain for auto-linking
Whether to auto-link accounts with matching emails
Organization ID this provider belongs to
Pending SSO invitations:
Assigned role (“member” or “admin”)
ISO 8601 expiration timestamp
Delete SSO Provider
curl -X DELETE http://localhost:4096/api/v1/auth/sso-providers/{providerId} \
-H "Cookie: zerobyte.session=..."
Delete an SSO provider. Requires organization admin role.
Parameters:
SSO provider ID to delete
Response:
Whether the deletion was successful
Update SSO Provider Auto-Linking
curl -X PATCH http://localhost:4096/api/v1/auth/sso-providers/{providerId}/auto-linking \
-H "Cookie: zerobyte.session=..." \
-H "Content-Type: application/json" \
-d '{
  "enabled": true
}'
Update whether SSO sign-in can auto-link existing accounts by email.
Parameters:
Whether to enable auto-linking
Get Admin Users
curl -X GET http://localhost:4096/api/v1/auth/admin-users \
-H "Cookie: zerobyte.session=..."
List all users for admin management. Requires global admin role.
Response:
Array of user objects:
User role (“user” or “admin”)
Whether the user is banned
Linked authentication accounts
Get Organization Members
curl -X GET http://localhost:4096/api/v1/auth/org-members \
-H "Cookie: zerobyte.session=..."
Get members of the active organization. Requires organization admin role.
Response:
Organization members:
Organization role (“member” or “admin”)
Update Member Role
curl -X PATCH http://localhost:4096/api/v1/auth/org-members/{memberId}/role \
-H "Cookie: zerobyte.session=..." \
-H "Content-Type: application/json" \
-d '{
  "role": "admin"
}'
Update a member’s role in the organization.
Parameters:
New role: “member” or “admin”
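For monitoring, the state-changing auth routes this page documents (SSO provider deletion, auto-linking changes, member role changes, member removal, 2FA disable) can be picked out of an access log and reported as applied or rejected. This is an added example, not code from Zerobyte or better-auth; the combined log format, the reverse proxy in front of Zerobyte, the event labels and the sample lines are assumptions.

```python
import re

# State-changing routes from this page: (method, path template, label chosen here).
SENSITIVE_ROUTES = [
    ("DELETE", "/api/v1/auth/sso-providers/{providerId}", "sso-provider-deleted"),
    ("PATCH", "/api/v1/auth/sso-providers/{providerId}/auto-linking", "auto-linking-changed"),
    ("PATCH", "/api/v1/auth/org-members/{memberId}/role", "member-role-changed"),
    ("DELETE", "/api/v1/auth/org-members/{memberId}", "member-removed"),
    ("POST", "/api/auth/two-factor/disable", "two-factor-disabled"),
]
# Assumed input: combined-format access log from a reverse proxy in front of Zerobyte.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def classify(method, path):
    """Return the label of the sensitive route a request hits, else None."""
    parts = path.split("?", 1)[0].rstrip("/").split("/")
    for route_method, template, label in SENSITIVE_ROUTES:
        tparts = template.split("/")
        if method == route_method and len(parts) == len(tparts) and all(
            t == p or (t.startswith("{") and p) for t, p in zip(tparts, parts)
        ):
            return label
    return None


def audit(lines):
    """Return (timestamp, client ip, label, outcome) per sensitive request."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        label = classify(m["method"], m["path"]) if m else None
        if label:
            # Assumption: a 2xx status means the change was applied.
            outcome = "applied" if m["status"].startswith("2") else "rejected"
            events.append((m["ts"], m["ip"], label, outcome))
    return events


# Constructed sample lines (documentation IP ranges, made-up ids).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2024:10:00:01 +0000] "GET /api/v1/auth/status HTTP/1.1" 200 18',
    '203.0.113.7 - - [01/May/2024:10:00:09 +0000] "PATCH /api/v1/auth/sso-providers/p1/auto-linking HTTP/1.1" 200 20',
    '198.51.100.4 - - [01/May/2024:10:02:30 +0000] "PATCH /api/v1/auth/org-members/m42/role HTTP/1.1" 403 31',
    '203.0.113.7 - - [01/May/2024:10:03:12 +0000] "DELETE /api/v1/auth/org-members/m42?x=1 HTTP/1.1" 200 16',
]
if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

Rejected attempts on these routes are worth reviewing alongside applied ones, since they show a session trying an operation its role does not permit.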
Remove Organization Member
curl -X DELETE http://localhost:4096/api/v1/auth/org-members/{memberId} \
-H "Cookie: zerobyte.session=..."
Remove a member from the organization. Cannot remove the organization owner.
Parameters: