Auth API
v1.0 • REST • JSON
Authentication endpoints for user registration, login, token refresh, and logout. Register and login are public; refresh-token and logout require a valid refresh token.
Quick Reference
Token Response Schema
| Field | Type | Endpoint | Notes |
|---|---|---|---|
| accessToken | string | login, refresh-token | Short-lived JWT bearer token |
| refreshToken | string | login, refresh-token | Long-lived token, valid for 7 days |
| id | integer | register | Auto-generated user identifier |
| email | string | register | Must be unique; 400 if already exists |
| createdAt | datetime | register | ISO 8601 UTC timestamp |
/api/auth/register
200 OK
Register
Creates a new user account with the provided details. Returns the newly created user object, including the auto-generated ID and timestamp. Returns 400 Bad Request if the email address is already in use. No authentication required.
| Field | Type | Required | Description |
|---|---|---|---|
| firstName | string | Required | User's given name |
| lastName | string | Required | User's family name |
| email | string | Required | Unique email address |
| password | string | Required | Plaintext password for the account |
Content-Type: application/json
/api/auth/login
200 OK
Login
Authenticates a user with email and password. On success, returns a short-lived accessToken (JWT) and a long-lived refreshToken valid for 7 days. Any previously stored refresh token for the user is replaced. Returns 401 Unauthorized for invalid credentials. No authentication required.
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Required | Registered email address |
| password | string | Required | Account password |
Content-Type: application/json
/api/auth/refresh-token
200 OK
Refresh Token
Exchanges a valid refresh token for a new pair of accessToken and refreshToken. The old refresh token is replaced on success. Returns 401 Unauthorized if the refresh token is missing, invalid, or has expired.
| Field | Type | Required | Description |
|---|---|---|---|
| refreshToken | string | Required | The refresh token received from login or a previous refresh |
Content-Type: application/json
/api/auth/logout
200 OK
Logout
Invalidates the provided refresh token by clearing it from the user record. After a successful logout the refresh token can no longer be used to obtain new access tokens. Returns 400 Bad Request if the token is missing or not recognised.
| Field | Type | Required | Description |
|---|---|---|---|
| refreshToken | string | Required | The refresh token to invalidate |
Content-Type: application/json
"Logged out successfully"
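The login, refresh-token and logout sections above describe one refresh-token lifecycle: login stores a single 7-day refresh token per user (replacing any earlier one), refresh rotates it, and logout clears it. The following is an added in-memory model of that lifecycle, written for this page and not the Auth API's own code. It lets a practitioner check the security-relevant behaviour offline: a rotated or logged-out refresh token is rejected on replay, and a token older than 7 days is rejected as expired. Assumptions not stated on the page: the access token is an opaque placeholder rather than a signed JWT, passwords are stored as salted PBKDF2 hashes, and `FakeClock`, `ApiError`, `AuthService` and `run_flow` are names invented for this example.

```python
"""Added example: in-memory model of the Auth API refresh-token lifecycle.
Not the service's code. Access tokens are placeholders, not real JWTs, and
PBKDF2 password storage is an assumption; the page does not say how the
service stores passwords."""
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta, timezone

REFRESH_TOKEN_TTL = timedelta(days=7)  # "Long-lived token, valid for 7 days"


class FakeClock:
    """Controllable clock so the 7-day expiry can be exercised offline."""

    def __init__(self, start=None):
        self.now = start or datetime(2024, 1, 1, tzinfo=timezone.utc)

    def advance(self, **kwargs):
        self.now += timedelta(**kwargs)


class ApiError(Exception):
    """Carries the status code and the plain-string body the API returns."""

    def __init__(self, status, message):
        super().__init__(message)
        self.status = status
        self.message = message


class AuthService:
    def __init__(self, clock=None):
        self.clock = clock or FakeClock()
        self._users = {}  # email -> user record (hypothetical storage)
        self._next_id = 1

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _find_by_refresh_token(self, token):
        # One stored refresh token per user; constant-time compare avoids leaking prefixes.
        for user in self._users.values():
            stored = user["refreshToken"]
            if stored is not None and hmac.compare_digest(stored.encode(), token.encode()):
                return user
        return None

    def _issue_tokens(self, user):
        # Rotation: overwriting the stored token makes the previous one unusable.
        user["refreshToken"] = secrets.token_urlsafe(32)
        user["refreshExpiresAt"] = self.clock.now + REFRESH_TOKEN_TTL
        return {"accessToken": "access." + secrets.token_urlsafe(16),  # placeholder, not a JWT
                "refreshToken": user["refreshToken"]}

    def register(self, firstName, lastName, email, password):
        if email in self._users:
            raise ApiError(400, "Email already exists")
        salt = os.urandom(16)
        user = {"id": self._next_id, "firstName": firstName, "lastName": lastName,
                "email": email, "salt": salt, "pwHash": self._hash(password, salt),
                "createdAt": self.clock.now, "refreshToken": None, "refreshExpiresAt": None}
        self._users[email] = user
        self._next_id += 1
        return {"id": user["id"], "firstName": firstName, "lastName": lastName,
                "email": email, "createdAt": user["createdAt"].isoformat()}

    def login(self, email, password):
        user = self._users.get(email)
        # Same error for unknown email and wrong password, as the API documents.
        if user is None or not hmac.compare_digest(self._hash(password, user["salt"]), user["pwHash"]):
            raise ApiError(401, "Invalid credentials")
        return self._issue_tokens(user)

    def refresh_token(self, refreshToken):
        user = self._find_by_refresh_token(refreshToken or "")
        if user is None or user["refreshExpiresAt"] <= self.clock.now:
            raise ApiError(401, "Invalid or expired refresh token")
        return self._issue_tokens(user)

    def logout(self, refreshToken):
        if not refreshToken:
            raise ApiError(400, "Refresh token is required")
        user = self._find_by_refresh_token(refreshToken)
        if user is None:
            raise ApiError(400, "Invalid token")
        user["refreshToken"] = None  # cleared from the user record
        user["refreshExpiresAt"] = None
        return "Logged out successfully"


def run_flow():
    """Login -> refresh -> replay -> logout -> expiry; returns the observed outcomes."""
    svc = AuthService(FakeClock())
    svc.register("Ada", "Lovelace", "ada@example.com", "correct horse")  # constructed sample user
    first = svc.login("ada@example.com", "correct horse")
    second = svc.refresh_token(first["refreshToken"])
    outcome = {"rotated": first["refreshToken"] != second["refreshToken"]}
    try:
        svc.refresh_token(first["refreshToken"])  # replay of the rotated token
    except ApiError as e:
        outcome["replay"] = e.status
    outcome["logout"] = svc.logout(second["refreshToken"])
    try:
        svc.logout(second["refreshToken"])  # already cleared by the logout above
    except ApiError as e:
        outcome["logout_again"] = e.status
    third = svc.login("ada@example.com", "correct horse")
    svc.clock.advance(days=7, seconds=1)
    try:
        svc.refresh_token(third["refreshToken"])  # past the 7-day expiry
    except ApiError as e:
        outcome["expired"] = e.status
    return outcome


if __name__ == "__main__":
    print(run_flow())
```

Running the module prints the outcome dictionary: rotation succeeds, replay of the superseded token and use of an expired token both yield 401, and a second logout with the cleared token yields 400, matching the error table below. The single-token-per-user storage is what makes rotation double as replay protection: a client that retries with a stale refresh token after a network failure will be logged out and must authenticate again.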
Error Responses
400 / 401
Auth endpoints return plain string error messages in the response body (not JSON objects). Use the status code to determine how to handle the error client-side.
| Status | Endpoint | Message | Cause |
|---|---|---|---|
| 400 | /register | "Email already exists" | Email is already registered |
| 401 | /login | "Invalid credentials" | Email or password is incorrect |
| 401 | /refresh-token | "Invalid or expired refresh token" | Token not found or past expiry |
| 400 | /logout | "Refresh token is required" | Body is empty or refreshToken is null |
| 400 | /logout | "Invalid token" | No user found with that refresh token |