
This endpoint signs a user in with their email and password. On success it returns a JWT access token and a refresh token. When multi-factor authentication is enabled on the account, the response contains an mfaToken field instead of the token pair — you must complete sign-in via POST /api/v1/auth/mfa/login before the user is fully authenticated.

POST /api/v1/auth/login

Authorization: None required

Request body

email (string, required): The user’s registered email address.
password (string, required): The user’s password.
useCookies (boolean, default false): When true, the server writes HttpOnly auth cookies (access_token and refresh_token) to the response in addition to returning the tokens in the body. Use this for browser-based clients.

Responses

200 OK (AuthResponseDto)
accessToken (string): A signed JWT. Valid for 15 minutes by default. Include it in the Authorization: Bearer header on authenticated requests.
refreshToken (string): An opaque refresh token. Valid for 7 days by default. Use it with POST /api/v1/auth/refresh-token to obtain a new token pair without re-authenticating.
400 Bad Request (ProblemDetails): Returned when login fails. Common causes include invalid credentials, an unconfirmed email address, or a locked account.
If MFA is enabled on the account, the 200 response body contains an mfaToken field instead of accessToken and refreshToken. Pass that token to POST /api/v1/auth/mfa/login along with the user’s verification code to complete sign-in.

Example

curl -X POST https://localhost:5001/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "Password123!",
    "useCookies": false
  }'
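A small client for the login response described above, handling both the token-pair and the mfaToken branch. This is an added example, not code from the project; the host is taken from the curl example, and the sample replies in the test and main block are constructed, not captured from a real server.

```python
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

BASE_URL = "https://localhost:5001"  # host taken from the page's curl examples


@dataclass
class Session:
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None
    mfa_token: Optional[str] = None  # set when sign-in still needs POST /api/v1/auth/mfa/login

    @property
    def mfa_required(self) -> bool:
        return self.mfa_token is not None

    def auth_header(self) -> dict:
        # Refuse to build a bearer header from a half-finished (MFA pending) sign-in.
        if self.access_token is None:
            raise RuntimeError("sign-in incomplete: no access token yet")
        return {"Authorization": f"Bearer {self.access_token}"}


def parse_login_response(status: int, body: bytes) -> Session:
    """Interpret a POST /api/v1/auth/login reply. A 400 carries ProblemDetails;
    a 200 carries either the token pair or, when MFA is enabled, only mfaToken."""
    data = json.loads(body or b"{}")
    if status == 400:
        raise PermissionError(data.get("title", "login failed"))
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    if "mfaToken" in data:
        return Session(mfa_token=data["mfaToken"])
    return Session(access_token=data["accessToken"], refresh_token=data["refreshToken"])


def login(email: str, password: str, opener=urllib.request.urlopen) -> Session:
    """POST the credentials; 'opener' is injectable so the call can be exercised offline."""
    payload = json.dumps({"email": email, "password": password, "useCookies": False})
    req = urllib.request.Request(f"{BASE_URL}/api/v1/auth/login", data=payload.encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    try:
        with opener(req) as resp:
            return parse_login_response(resp.status, resp.read())
    except urllib.error.HTTPError as err:  # urlopen raises on 4xx; still parse the body
        return parse_login_response(err.code, err.read())


if __name__ == "__main__":
    # Constructed sample reply for an MFA-enabled account (not captured from a real server).
    pending = parse_login_response(200, b'{"mfaToken": "constructed-mfa-token"}')
    print("mfa required:", pending.mfa_required)
```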

POST /api/v1/auth/logout

Revokes the refresh token and clears any auth cookies. After calling this endpoint, the access token remains technically valid until it expires; do not rely on the access token being unusable immediately after logout.

Authorization: Bearer <accessToken> required

Request body

refreshToken (string): The refresh token to revoke. If omitted and useCookies was true at login, the token is read from the auth cookie automatically.
useCookies (boolean, default false): When true, auth cookies are cleared from the response.

Responses

200 OK: Session ended. Refresh token revoked and cookies cleared.
400 Bad Request (ProblemDetails): Logout failed (e.g., token not found or already revoked).

POST /api/v1/auth/forgot-password

Starts the forgot-password flow. If an account with the given email exists, a password reset link is sent to that address via the configured communication provider.

Authorization: None required

Request body

email (string, required): The email address associated with the account.

Responses

200 OK: Always returned, regardless of whether the email address is registered. This prevents account enumeration.
The response is intentionally generic. Do not use the 200 status to infer whether an account exists.

POST /api/v1/auth/reset-password

Completes the forgot-password flow by applying a new password using the reset token received via email.

Authorization: None required

Request body

userId (string, required): The user’s identifier, included in the reset link.
token (string, required): The password reset token, included in the reset link.
newPassword (string, required): The new password. Must meet the configured complexity requirements.

Responses

200 OK: Password reset successfully.
400 Bad Request (ProblemDetails): Reset failed. The token may be invalid or expired, or the new password may not meet complexity requirements.

POST /api/v1/auth/change-password

Changes the password for the currently authenticated user. Unlike the admin reset, this endpoint requires the user to provide their current password.

Authorization: Bearer <accessToken> required

Request body

currentPassword (string, required): The user’s existing password.
newPassword (string, required): The desired new password. Must meet the configured complexity requirements.

Responses

200 OK: Password changed successfully.
400 Bad Request (ProblemDetails): Change failed. Likely cause: incorrect current password, or the new password fails complexity checks.

GET /api/v1/auth/me

Returns the identity and role claims for the currently authenticated user.

Authorization: Bearer <accessToken> required

Responses

200 OK (CurrentUserDto)
userId (string): The authenticated user’s unique identifier.
email (string): The authenticated user’s email address.
roles (string[]): The list of role claims resolved from the bearer token or auth cookie.
400 Bad Request (ProblemDetails): The current user could not be resolved (e.g., the token is malformed or claims are missing).

Example

curl https://localhost:5001/api/v1/auth/me \
  -H "Authorization: Bearer <accessToken>"