Auth Endpoints
The authentication endpoints handle user login, registration, email verification, token refresh, and logout. These are the only IAM endpoints that do not require a Bearer token. All endpoints are served by AuthController at /api/v1/auth.
Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/auth/login | Authenticate with email and password |
| POST | /api/v1/auth/mfa/verify | Complete MFA challenge after login |
| POST | /api/v1/auth/register | Create a new user account |
| POST | /api/v1/auth/verify-email | Verify email with code |
| POST | /api/v1/auth/resend-verification | Resend verification email |
| POST | /api/v1/auth/refresh | Obtain new access token via refresh token |
| POST | /api/v1/auth/logout | Revoke refresh token |
POST /api/v1/auth/login
Authenticates a user with email and password. If MFA is enabled, returns an MfaChallengeResponse instead of tokens.
```json
{
  "email": "user@example.com",
  "password": "securePassword123"
}
```
Responses:
| Status | Description |
|---|---|
| 200 | AuthResponse with tokens, or MfaChallengeResponse if MFA is required |
| 401 | Invalid credentials |
| 423 | Account locked after too many failed attempts |
POST /api/v1/auth/mfa/verify
Completes the login flow by verifying an MFA code (TOTP, SMS, or backup code).
```json
{
  "challengeId": "uuid-challenge-id",
  "code": "123456"
}
```
Responses:
| Status | Description |
|---|---|
| 200 | AuthResponse with access and refresh tokens |
| 400 | Invalid or expired challenge |
| 401 | Invalid verification code |
POST /api/v1/auth/register
Creates a new user account and returns access and refresh tokens.
```json
{
  "email": "newuser@example.com",
  "password": "securePassword123",
  "firstName": "Jane",
  "lastName": "Smith"
}
```
Responses:
| Status | Description |
|---|---|
| 200 | AuthResponse with tokens and user profile |
| 400 | Invalid input or email already registered |
POST /api/v1/auth/refresh
Obtains a new access token using a valid refresh token.
```json
{
  "refreshToken": "eyJhbGciOiJIUzI1NiJ9..."
}
```
Responses:
| Status | Description |
|---|---|
| 200 | AuthResponse with new access token |
| 401 | Invalid or expired refresh token |
POST /api/v1/auth/logout
Revokes the refresh token and terminates the session.
```json
{
  "refreshToken": "eyJhbGciOiJIUzI1NiJ9..."
}
```
Responses:
| Status | Description |
|---|---|
| 204 | Logout successful, no content returned |
Security Notes
- Client IP is extracted from `X-Forwarded-For` or `RemoteAddr` for audit logging
- The `User-Agent` header is captured for device fingerprinting
- Failed login attempts trigger account lockout after the configured threshold (default: 5 attempts, 30-minute lockout)
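The two server-side behaviours in these notes, as an added illustration rather than AuthController's own code: resolving the audit-log client IP from `X-Forwarded-For` only when the direct peer is a trusted proxy (otherwise the header is caller-supplied and `RemoteAddr` is logged), and the 5-attempt / 30-minute lockout returning the 401 and 423 statuses documented for login. The trusted-proxy range, the in-memory state and the assumption that a correct password does not end a lockout early are constructed for this example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed for this example: proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def audit_client_ip(headers: dict, remote_addr: str) -> str:
    """Resolve the client IP recorded in the audit log.
    X-Forwarded-For is honoured only when the direct peer (RemoteAddr)
    is a trusted proxy; from any other peer the header is caller-supplied
    and the peer address is logged instead.
    """
    if not any(ip_address(remote_addr) in net for net in TRUSTED_PROXIES):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    # Walk right-to-left past trusted proxies to the last hop we did not add ourselves.
    for hop in reversed(hops):
        try:
            if not any(ip_address(hop) in net for net in TRUSTED_PROXIES):
                return hop
        except ValueError:
            break  # malformed entry: do not trust the header at all
    return remote_addr


@dataclass
class LockoutPolicy:
    """Per-account lockout: 5 failures lock the account for 30 minutes (the documented defaults)."""
    threshold: int = 5
    lockout_seconds: int = 30 * 60
    _state: dict = field(default_factory=dict)  # email -> (failure_count, locked_until)

    def attempt(self, email: str, password_ok: bool, now: float) -> int:
        """Return the status the login endpoint would send: 200, 401 or 423."""
        count, until = self._state.get(email, (0, None))
        if until is not None:
            if now < until:
                return 423  # still locked (assumed: a correct password does not unlock early)
            count, until = 0, None  # lockout expired: start a fresh window
        if password_ok:
            self._state.pop(email, None)
            return 200
        count += 1
        if count >= self.threshold:
            until = now + self.lockout_seconds
        self._state[email] = (count, until)
        return 423 if until is not None else 401
```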