imgbt
API Reference

Auth API

Authentication endpoints for magic link email auth: signup, login, verification, and session management.

Base path: /api/v1/auth

Sign Up

POST /api/v1/auth/signup
Content-Type: application/json

{ "email": "user@example.com" }

Creates a new user (or reuses the existing one) and sends a magic link. The response does not reveal whether the email was already registered.

Response (200)

{ "ok": true, "message": "If this email is valid, a magic link has been sent." }

Log In

POST /api/v1/auth/login
Content-Type: application/json

{ "email": "user@example.com" }

Sends a magic link to an existing user. Rate limited to 3 requests per email per 15-minute window.

Response (200)

{ "ok": true, "message": "If this email is registered, a magic link has been sent." }

Response (429)

{
  "error": {
    "code": "RATE_LIMITED",
    "message": "Too many magic link requests. Try again later.",
    "status": 429
  }
}

Verify

GET /api/v1/auth/verify?token={token}

Verifies a magic link token and creates a session. Tokens are single-use and expire after 15 minutes.

  • If Accept: application/json header is set, returns JSON
  • Otherwise, redirects to the dashboard

Response (200)

{ "ok": true, "message": "Authenticated successfully" }

Sets the __Host-session cookie (HttpOnly, Secure, SameSite=Lax, 30-day expiry).
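
The two server-side rules stated on this page (3 magic link requests per email per 15-minute window, and single-use tokens that expire after 15 minutes) can be modelled as follows. This is an added example, not the service's own code: the MagicLinkStore class, the sliding-window counting, and keeping only a SHA-256 digest of each token are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # tokens expire after 15 minutes (from the page)
WINDOW = 15 * 60      # rate-limit window (from the page)
MAX_REQUESTS = 3      # magic link requests per email per window (from the page)


class MagicLinkStore:
    """Hypothetical in-memory model; a real service would use a shared datastore."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}    # sha256(token) -> (email, expires_at)
        self._requests = {}  # email -> timestamps of recent link requests

    def request_link(self, email):
        """Return a fresh token, or None when the caller should receive a 429."""
        now = self._clock()
        key = email.strip().lower()
        # Sliding window (assumption): keep only requests newer than WINDOW.
        recent = [t for t in self._requests.get(key, []) if now - t < WINDOW]
        if len(recent) >= MAX_REQUESTS:
            self._requests[key] = recent
            return None
        recent.append(now)
        self._requests[key] = recent
        token = secrets.token_urlsafe(32)
        # Only the digest is stored, so a leaked store does not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = (key, now + TOKEN_TTL)
        return token

    def verify(self, token):
        """Return the email once for a valid token; None if unknown, used or expired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() consumes the record before any other check, so a replay finds nothing.
        record = self._tokens.pop(digest, None)
        if record is None:
            return None
        email, expires_at = record
        if self._clock() >= expires_at:
            return None
        return email
```

An expired token is consumed on its first presentation as well, so it cannot be retried later.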

Get Current User

GET /api/v1/auth/me

Returns the authenticated user's profile based on the session cookie. No Authorization header needed.

Response (200)

{ "id": "user_01abc...", "email": "user@example.com", "created_at": "2026-01-01T00:00:00Z" }

Response (401)

Returned when no valid session cookie is present.

Log Out

POST /api/v1/auth/logout

Destroys the current session and clears the session cookie.

Response (200)

{ "ok": true, "message": "Logged out successfully" }