API Routes

All routes are relative to the auth mount point (e.g., /auth when using nest("/auth", ...)).

For interactive API documentation with request/response schemas, see the OpenAPI Reference.

Core Endpoints

Method	Path	Auth	Description
GET	`/ok`	No	Health check (`{ "status": true }`)
GET	`/reference/openapi.json`	No	OpenAPI specification
POST	`/update-user`	Yes	Update user profile
POST	`/delete-user`	Yes	Delete user account
POST	`/change-email`	Yes	Change email address
GET	`/delete-user/callback`	No	Confirm deletion via email token

Method	Path	Auth	Description
POST	`/sign-up/email`	No	Register with email and password
POST	`/sign-in/email`	No	Sign in with email and password
POST	`/sign-in/username`	No	Sign in with username and password

Method	Path	Auth	Description
GET	`/get-session`	Yes	Get current session and user
POST	`/get-session`	Yes	Get current session (alt method)
POST	`/sign-out`	Yes	Revoke current session
GET	`/list-sessions`	Yes	List all user sessions
POST	`/revoke-session`	Yes	Revoke a specific session by token
POST	`/revoke-sessions`	Yes	Revoke all user sessions
POST	`/revoke-other-sessions`	Yes	Revoke all sessions except current

Method	Path	Auth	Description
POST	`/forget-password`	No	Request password reset email
POST	`/reset-password`	No	Reset password with token
GET	`/reset-password/{token}`	No	Validate a reset token
POST	`/change-password`	Yes	Change password (requires current)
POST	`/set-password`	Yes	Set password for OAuth-only users

Method	Path	Auth	Description
POST	`/send-verification-email`	Yes	Send verification email
GET	`/verify-email`	No	Verify email with token (query param)

Method	Path	Auth	Description
GET	`/list-accounts`	Yes	List linked accounts
POST	`/unlink-account`	Yes	Unlink an account provider

Method	Path	Auth	Description
POST	`/sign-in/social`	No	Start OAuth sign-in flow
GET	`/callback/{provider}`	No	OAuth provider callback
POST	`/link-social`	Yes	Link a social account to current user
POST	`/get-access-token`	Yes	Get stored OAuth access token
POST	`/refresh-token`	Yes	Refresh OAuth access token

Method	Path	Auth	Description
POST	`/two-factor/enable`	Yes	Enable 2FA (requires password)
POST	`/two-factor/disable`	Yes	Disable 2FA (requires password)
POST	`/two-factor/get-totp-uri`	Yes	Get TOTP URI for authenticator app
POST	`/two-factor/verify-totp`	No*	Verify TOTP code during sign-in
POST	`/two-factor/send-otp`	No*	Send OTP via email
POST	`/two-factor/verify-otp`	No*	Verify OTP code
POST	`/two-factor/generate-backup-codes`	Yes	Generate new backup codes
POST	`/two-factor/verify-backup-code`	No*	Verify backup code during sign-in

*These endpoints use a pending verification token instead of a session token.

Method	Path	Auth	Description
POST	`/organization/create`	Yes	Create an organization
POST	`/organization/update`	Yes	Update organization details
POST	`/organization/delete`	Yes	Delete an organization
GET	`/organization/list`	Yes	List user's organizations
GET	`/organization/get-full-organization`	Yes	Get org with members and invitations
POST	`/organization/check-slug`	Yes	Check slug availability
POST	`/organization/set-active`	Yes	Set active organization on session
POST	`/organization/leave`	Yes	Leave an organization
GET	`/organization/get-active-member`	Yes	Get current member in active org
GET	`/organization/list-members`	Yes	List organization members
POST	`/organization/remove-member`	Yes	Remove a member
POST	`/organization/update-member-role`	Yes	Change a member's role
POST	`/organization/invite-member`	Yes	Invite user by email
GET	`/organization/get-invitation`	Yes	Get invitation details
GET	`/organization/list-invitations`	Yes	List org's pending invitations
GET	`/organization/list-user-invitations`	Yes	List user's pending invitations
POST	`/organization/accept-invitation`	Yes	Accept an invitation
POST	`/organization/reject-invitation`	Yes	Reject an invitation
POST	`/organization/cancel-invitation`	Yes	Cancel a pending invitation
POST	`/organization/has-permission`	Yes	Check RBAC permission

Method	Path	Auth	Description
POST	`/admin/set-role`	Admin	Set user role
POST	`/admin/create-user`	Admin	Create a new user
GET	`/admin/list-users`	Admin	List users with search/filter/sort
POST	`/admin/list-user-sessions`	Admin	List user's sessions
POST	`/admin/ban-user`	Admin	Ban a user
POST	`/admin/unban-user`	Admin	Unban a user
POST	`/admin/impersonate-user`	Admin	Start impersonating a user
POST	`/admin/stop-impersonating`	Admin	Stop impersonation
POST	`/admin/revoke-user-session`	Admin	Revoke a specific session
POST	`/admin/revoke-user-sessions`	Admin	Revoke all user sessions
POST	`/admin/remove-user`	Admin	Permanently delete a user
POST	`/admin/set-user-password`	Admin	Reset a user's password
POST	`/admin/has-permission`	Yes	Check admin permission

Method	Path	Auth	Description
POST	`/api-key/create`	Yes	Create a new API key
GET	`/api-key/get`	Yes	Get API key by ID
POST	`/api-key/update`	Yes	Update an API key
POST	`/api-key/delete`	Yes	Delete an API key
GET	`/api-key/list`	Yes	List user's API keys

Method	Path	Auth	Description
GET	`/passkey/generate-register-options`	Yes	Get WebAuthn registration options
POST	`/passkey/verify-registration`	Yes	Verify and store a new passkey
POST	`/passkey/generate-authenticate-options`	No	Get WebAuthn authentication options
POST	`/passkey/verify-authentication`	No	Verify passkey and create session
GET	`/passkey/list-user-passkeys`	Yes	List user's passkeys
POST	`/passkey/delete-passkey`	Yes	Delete a passkey
POST	`/passkey/update-passkey`	Yes	Rename a passkey

Authenticated endpoints require a session token sent as:

Admin endpoints additionally require the user to have the admin role (configurable, default: "admin").