Authentication API
Register, login, and refresh token endpoints.
The authentication endpoints are public and do not require any authentication.
Register
Create a new user account and organization.
POST /api/auth/register

Request body
| Name | Type | Default | Description |
|---|---|---|---|
| organizationName* | string | — | Name of the new organization |
| name* | string | — | User's display name |
| email* | string | — | Email address (must be unique) |
| password* | string | — | Password (minimum 8 characters) |
Request

```json
{
  "organizationName": "My Company",
  "name": "Jane Doe",
  "email": "jane@example.com",
  "password": "securepass123"
}
```

Response 201

```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
  "user": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "email": "jane@example.com",
    "name": "Jane Doe",
    "role": "OWNER"
  },
  "organization": {
    "id": "660e8400-e29b-41d4-a716-446655440000",
    "name": "My Company",
    "slug": "my-company"
  }
}
```

Login
Authenticate an existing user.
POST /api/auth/login

Request body
| Name | Type | Default | Description |
|---|---|---|---|
| email* | string | — | Registered email address |
| password* | string | — | Account password |
Request

```json
{
  "email": "jane@example.com",
  "password": "securepass123"
}
```

Response 200

```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
  "userId": "550e8400-e29b-41d4-a716-446655440000",
  "organizationId": "660e8400-e29b-41d4-a716-446655440000"
}
```

Refresh token
Get a new access token using a valid refresh token.
POST /api/auth/refresh

Request body
| Name | Type | Default | Description |
|---|---|---|---|
| refreshToken* | string | — | A valid refresh token |
Request

```json
{
  "refreshToken": "eyJhbGciOiJIUzI1NiIs..."
}
```

Response 200

```json
{
  "accessToken": "eyJhbGciOiJIUzI1NiIs...",
  "refreshToken": "eyJhbGciOiJIUzI1NiIs...",
  "userId": "550e8400-e29b-41d4-a716-446655440000",
  "organizationId": "660e8400-e29b-41d4-a716-446655440000"
}
```

Token details
| Token | Algorithm | Lifetime | Claims |
|---|---|---|---|
| Access token | HMAC-SHA256 | 1 hour | userId (subject), email |
| Refresh token | HMAC-SHA256 | 24 hours | userId (subject) |
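As an added illustration (not code from the documented service), a small Python model of the token scheme in the table above: HS256 tokens carrying the user id as `sub` plus `exp`, with `email` present only on access tokens. The secret, the `iat` claim, the `require_email` distinction between the two token kinds, and the 60-second refresh margin are assumptions, not part of the API as documented.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(secret: bytes, user_id: str, lifetime_s: int, email=None, now=None) -> str:
    """HS256 JWT shaped like the table: sub=userId, exp, and email only on access tokens."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "iat": now, "exp": now + lifetime_s}  # iat is an assumption
    if email is not None:
        claims["email"] = email
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f'{enc({"alg": "HS256", "typ": "JWT"})}.{enc(claims)}'
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_token(secret: bytes, token: str, require_email: bool = False, now=None):
    """Claims dict if signature and expiry check out, else None. alg is pinned to HS256 so a
    header claiming 'none' or an asymmetric alg is refused; require_email=True rejects a
    refresh token (which carries only the subject) where an access token is expected."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header, claims = json.loads(_b64url_decode(h_b64)), json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:
        return None
    if not (isinstance(header, dict) and isinstance(claims, dict)) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    if require_email and "email" not in claims:
        return None
    return claims

def needs_refresh(token: str, now=None, skew_s: int = 60) -> bool:
    """Client side: read exp (unverified, the server does the verifying) to decide whether
    to call /api/auth/refresh before the 1-hour access token lapses."""
    now = int(time.time()) if now is None else now
    try:
        return int(json.loads(_b64url_decode(token.split(".")[1]))["exp"]) - skew_s <= now
    except (ValueError, KeyError, IndexError, TypeError):
        return True
```

A client keeps the refresh token out of request headers and only sends it to `/api/auth/refresh`; the server-side check is what decides validity, so `needs_refresh` is a hint, not an authorization decision.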