Authentication

JWT-based authentication with access/refresh tokens. Access tokens expire in 15 minutes, refresh tokens in 7 days.

Base URL

/api/v1/auth
Endpoints

POST /register
Register a new user account
Request body:
{
  "email": "string",
  "username": "string",
  "password": "string",
  "firstName": "string?",
  "lastName": "string?"
}

POST /login
Authenticate and get tokens
Request body:
{
  "email": "string",
  "password": "string"
}

POST /logout (Auth Required)
Invalidate current session
Response:
{ "message": "Logged out successfully" }

POST /refresh
Get new access token
Request body:
{
  "refreshToken": "string"
}

POST /verify-email
Verify email address
Request body:
{
  "token": "string"
}

POST /resend-verification
Resend verification email
Request body:
{
  "email": "string"
}

POST /forgot-password
Request password reset
Request body:
{
  "email": "string"
}

POST /reset-password
Reset password with token
Request body:
{
  "token": "string",
  "password": "string"
}

POST /change-password (Auth Required)
Change current password
Request body:
{
  "currentPassword": "string",
  "newPassword": "string"
}

Security Features

  • Account lockout after 5 failed login attempts
  • Password hashed with bcrypt (12 rounds)
  • Password history prevents reuse of last 5 passwords
  • Email verification required for sensitive actions
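The following is an added example, not the project's own code, showing how the lockout and password-history rules above can be enforced server-side for the /login and /change-password endpoints. It assumes an in-memory Account record and string status codes, and it substitutes standard-library PBKDF2-HMAC-SHA256 for the page's bcrypt (12 rounds) so it runs without third-party packages.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 5   # page: lockout after 5 failed login attempts
PASSWORD_HISTORY = 5      # page: the last 5 passwords cannot be reused
PBKDF2_ROUNDS = 100_000   # assumption: stand-in cost for bcrypt(12)


def hash_password(password, salt=None):
    """Return salt || digest. PBKDF2 is a stand-in for the page's bcrypt."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    """Constant-time compare against a stored salt || digest record."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class Account:
    """Hypothetical in-memory user record (not the project's data model)."""
    def __init__(self, email, password):
        self.email = email
        self.hash = hash_password(password)
        self.history = [self.hash]  # most recent hash last, current included
        self.failed = 0
        self.locked = False


def login(acct, password):
    """Returns 'ok', 'invalid' or 'locked'; a locked account rejects even the right password."""
    if acct.locked:
        return "locked"
    if verify_password(password, acct.hash):
        acct.failed = 0          # success resets the failure counter
        return "ok"
    acct.failed += 1
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        acct.locked = True       # lockout is sticky until an admin/reset flow clears it
        return "locked"
    return "invalid"


def change_password(acct, current, new):
    """Requires the current password and rejects any of the last 5 passwords."""
    if not verify_password(current, acct.hash):
        return "invalid_current"
    # Each historical hash carries its own salt, so re-derive per entry.
    if any(verify_password(new, old) for old in acct.history[-PASSWORD_HISTORY:]):
        return "reused"
    acct.hash = hash_password(new)
    acct.history = (acct.history + [acct.hash])[-PASSWORD_HISTORY:]
    return "ok"
```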