Auth API
Base path: /api/auth
All endpoints under this path accept unauthenticated requests unless noted; /api/auth/tokens/revoke requires a Bearer access token.
Login
Organisation User Login
POST /api/auth/org/login
Request:
{
"email": "[email protected]",
"password": "your-password"
}
Response 200:
{
"accessToken": "eyJhbGci...",
"refreshToken": "eyJhbGci...",
"tokenType": "Bearer",
"expiresIn": 3600
}
Errors:
| Code | Reason |
|---|---|
| 401 | Invalid credentials |
| 403 | Account suspended or banned |
| 423 | Account locked (too many failed attempts) |
System User Login
POST /api/auth/system/login
Same request and response shape as the organisation login. The access token returned is a JWT whose userType claim is "SYSTEM".
Register
POST /api/auth/org/register
Request:
{
"email": "[email protected]",
"password": "strong-password",
"firstName": "Jane",
"lastName": "Doe"
}
Response 201: user created. A verification email is sent automatically.
Token Management
Refresh Access Token
POST /api/auth/tokens/refresh
Request:
{
"refreshToken": "eyJhbGci..."
}
Response 200 (a fresh token pair; clients should store the returned refreshToken, replacing the one they submitted):
{
"accessToken": "eyJhbGci...",
"refreshToken": "eyJhbGci...",
"tokenType": "Bearer",
"expiresIn": 3600
}
Revoke Token
POST /api/auth/tokens/revoke
Authorization: Bearer <accessToken>
Invalidates the refresh token associated with the session identified by the presented access token; that refresh token can no longer be exchanged at /api/auth/tokens/refresh.
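The following is an added example of how a client drives the login, refresh and revoke endpoints above; it is not part of the project's code. Paths and JSON shapes are taken from this reference. Everything else is assumed for the sake of running offline: the transport callable, the in-memory FakeAuthServer that stands in for the API, its HS256 signing key, the "sub" and "exp" claims, and "ORG" as the userType value for organisation users.

```python
"""Client-side use of the login, refresh and revoke endpoints documented above.
Added example, not the project's own code: paths and JSON shapes follow the
reference; the transport callable, the in-memory FakeAuthServer (so this runs
offline), the HS256 key and the "sub"/"exp"/"ORG" claim values are assumptions."""
import base64, hashlib, hmac, json, secrets

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def jwt_claims(token):
    """Read a JWT payload WITHOUT verifying it: fine for a client deciding when
    to refresh, never a basis for authorization (only the server's check is)."""
    return json.loads(b64url_decode(token.split(".")[1]))

class FakeAuthServer:
    """Stand-in for /api/auth. Refresh tokens are single-use: a refresh rotates
    the pair and spends the old token, so a replayed refresh token gets 401."""
    ACCESS_TTL = 3600

    def __init__(self, now=1_700_000_000):
        self.key, self.now = secrets.token_bytes(32), now  # frozen test clock
        self.users = {"[email protected]": (b"your-password", "ORG")}  # real servers store hashes
        self.sessions = {}  # refreshToken -> (email, accessToken)

    def _sign(self, claims):
        head, body = b64url(b'{"alg":"HS256"}'), b64url(json.dumps(claims).encode())
        sig = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return f"{head}.{body}.{b64url(sig)}"

    def _valid(self, token):
        head, body, sig = (token.split(".") + ["", "", ""])[:3]
        expect = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expect, b64url_decode(sig)) and jwt_claims(token)["exp"] > self.now

    def _issue(self, email):
        claims = {"sub": email, "userType": self.users[email][1], "exp": self.now + self.ACCESS_TTL}
        refresh = secrets.token_urlsafe(32)
        self.sessions[refresh] = (email, self._sign(claims))
        return 200, {"accessToken": self.sessions[refresh][1], "refreshToken": refresh,
                     "tokenType": "Bearer", "expiresIn": self.ACCESS_TTL}

    def post(self, path, body, headers):
        if path == "/api/auth/org/login":
            rec = self.users.get(body.get("email"))
            if rec is None or not hmac.compare_digest(rec[0], body.get("password", "").encode()):
                return 401, {"error": "Invalid credentials"}
            return self._issue(body["email"])
        if path == "/api/auth/tokens/refresh":
            sess = self.sessions.pop(body.get("refreshToken"), None)  # spent on use
            return self._issue(sess[0]) if sess else (401, {"error": "Invalid refresh token"})
        if path == "/api/auth/tokens/revoke":
            token = headers.get("Authorization", "").removeprefix("Bearer ")
            if not self._valid(token):
                return 401, {"error": "Invalid token"}
            self.sessions = {r: s for r, s in self.sessions.items() if s[1] != token}
            return 200, {}
        return 404, {}

class AuthClient:
    """Holds the token pair, refreshes ahead of expiry, and drops the session
    when the server rejects the refresh token."""
    SKEW = 60  # refresh this many seconds before exp

    def __init__(self, transport, clock):
        self.transport, self.clock = transport, clock
        self.access = self.refresh = None

    def login(self, email, password):
        status, body = self.transport("/api/auth/org/login", {"email": email, "password": password}, {})
        if status != 200:
            raise PermissionError(f"login failed: {status} {body.get('error')}")
        self.access, self.refresh = body["accessToken"], body["refreshToken"]
        return jwt_claims(self.access)

    def bearer(self):
        """Authorization header, refreshing first if the access token is about to expire."""
        if self.access is None or jwt_claims(self.access)["exp"] - self.SKEW <= self.clock():
            status, body = self.transport("/api/auth/tokens/refresh", {"refreshToken": self.refresh}, {})
            if status != 200:
                self.access = self.refresh = None  # session is gone; caller must log in again
                raise PermissionError("refresh rejected; re-authenticate")
            self.access, self.refresh = body["accessToken"], body["refreshToken"]  # new pair replaces old
        return {"Authorization": f"Bearer {self.access}"}

    def logout(self):
        status, _ = self.transport("/api/auth/tokens/revoke", {}, self.bearer())
        self.access = self.refresh = None
        return status

def demo():
    """Log in, let the access token expire, refresh transparently, show the old
    refresh token is spent, then revoke. Returns what the test asserts on."""
    server = FakeAuthServer()
    client = AuthClient(server.post, lambda: server.now)
    claims = client.login("[email protected]", "your-password")
    first_refresh = client.refresh
    server.now += FakeAuthServer.ACCESS_TTL  # clock passes exp
    client.bearer()  # triggers a refresh
    replay = server.post("/api/auth/tokens/refresh", {"refreshToken": first_refresh}, {})[0]
    rotated = client.refresh != first_refresh
    revoke = client.logout()
    return {"userType": claims["userType"], "rotated": rotated, "replay_status": replay,
            "revoke_status": revoke, "sessions_left": len(server.sessions)}
```

Two design points: the client decodes the JWT payload only to schedule its refresh, never to decide what it is allowed to do, since it does not hold the signing key; and the stand-in server compares a plaintext password for brevity, where a real service verifies a password hash. To use the client against the live API, replace server.post with a callable that issues the HTTP POST and returns (status, decoded JSON body).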
Password Reset
Request Reset Code
POST /api/auth/password-reset/request
{ "email": "[email protected]" }
Sends a 6-digit verification code to the address if it belongs to a registered account. Returns 200 whether or not the address is registered, so the response cannot be used to enumerate accounts.
Verify Code and Reset Password
POST /api/auth/password-reset/verify
{
"email": "[email protected]",
"code": "123456",
"newPassword": "new-strong-password"
}
Resend Code
POST /api/auth/password-reset/resend
{ "email": "[email protected]" }
Health
GET /api/auth/health
{ "status": "UP" }