Auth API
Auth routes support dashboard account lifecycle and session management.
Endpoint matrix
| Area | Method | Path | Purpose |
|---|---|---|---|
| Session | GET | /auth/me | Return current user + workspace summary |
| Session | GET | /auth/session | Return raw session/user object |
| Session | POST | /auth/logout | End current session |
| Session | POST | /auth/sign-out | Alias logout path |
| Credentials | POST | /auth/sign-up/email | Register email/password account |
| Credentials | POST | /auth/sign-in/email | Sign in email/password account |
| Credentials | POST | /auth/forget-password | Start password reset |
| Credentials | POST | /auth/set-password | Set password for social-only account |
| Verification | GET | /auth/verify-email | Verify account and finalize post-verification setup |
| Verification | POST | /auth/resend-verification | Re-issue verification email |
| Social | GET | /auth/callback/:provider | OAuth callback handling |
| Connected auth | GET | /auth/linked-accounts | List linked providers |
| Connected auth | POST | /auth/unlink-provider | Unlink provider |
| Security | GET | /auth/two-factor/status | Read 2FA status |
Security controls
- Turnstile verification on selected sensitive flows when configured.
- Password complexity enforced for credential setup/reset.
- Account lockout after repeated failed login attempts.
- CORS allowlist enforcement on auth responses.
Registration and verification behavior
- Email signup creates user in unverified state.
- Existing unverified email signup attempts can trigger verification resend.
- Existing verified email signup is rejected as duplicate.
- Verification endpoint finalizes account state.
Social auth behavior
- OAuth callback supports provider-linked login/account linking.
- Social and credential methods can coexist on one account.
- Provider unlink is restricted to prevent account lockout scenarios.
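The unlink restriction above, together with `set-password` for social-only accounts, as an added illustration written for this page rather than the project's own code. The rule modelled here (at least one sign-in method must remain after an unlink), the account record shape, the provider names and the error codes are assumptions.

```javascript
// Added illustration, not the project's code: the guard this page describes
// for POST /auth/unlink-provider and the social-only precondition for
// POST /auth/set-password, modelled on an in-memory account record.
// Assumed record shape: { providers: ['github', ...], hasPassword: boolean }.
const MIN_PASSWORD_LENGTH = 12; // assumed complexity policy for credential setup

// Every way the account can currently be signed in to.
function listSignInMethods(account) {
  const methods = account.providers.map((p) => `oauth:${p}`);
  if (account.hasPassword) methods.push('password');
  return methods;
}

// Mirrors GET /auth/linked-accounts.
function linkedAccounts(account) {
  return [...account.providers];
}

// Mirrors POST /auth/unlink-provider: refuse when the provider is not linked
// or when removing it would leave the account with no way to sign in.
function unlinkProvider(account, provider) {
  if (!account.providers.includes(provider)) {
    return { status: 404, code: 'NOT_LINKED' }; // assumed code
  }
  if (listSignInMethods(account).length <= 1) {
    return { status: 403, code: 'LAST_SIGN_IN_METHOD' }; // assumed code
  }
  account.providers = account.providers.filter((p) => p !== provider);
  return { status: 200, providers: [...account.providers] };
}

// Mirrors POST /auth/set-password: only for accounts without a password yet,
// and subject to the complexity policy. A real handler stores a password
// hash; this model only records that a password now exists.
function setPassword(account, password) {
  if (account.hasPassword) return { status: 409, code: 'PASSWORD_ALREADY_SET' }; // assumed code
  if (password.length < MIN_PASSWORD_LENGTH) return { status: 422, code: 'PASSWORD_POLICY' }; // assumed code
  account.hasPassword = true;
  return { status: 200 };
}
```

The order matters for a social-only account: setting a password first makes the later unlink acceptable, whereas unlinking the only provider first would leave an account that cannot sign in at all.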
Authentication mode
These endpoints are session-oriented account APIs. Use API keys for workspace automation APIs, not account-auth lifecycle routes.
Typical failures
- 400/422: validation errors
- 401 UNAUTHORIZED: invalid credentials/session
- 403 FORBIDDEN: bot check failure or policy violation
- 409 USER_EXISTS: duplicate verified account
- lockout-related auth denial after repeated failed attempts
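A small client for the session-oriented routes that maps the failures listed above to typed outcomes, as an added example written for this page rather than the project's own client. It assumes error bodies of the shape `{ code, message }`, that the lockout denial is reported with a code `ACCOUNT_LOCKED`, and that `fetchImpl` is the platform `fetch`; a constructed stand-in is injected so the example runs offline.

```javascript
// Added illustration, not the project's own client. Assumptions: error bodies
// look like { code, message }, lockout denials carry code 'ACCOUNT_LOCKED',
// and `fetchImpl` is the platform fetch (injected so this runs without a server).
class AuthClientError extends Error {
  constructor(kind, status, code, message) {
    super(message || `${kind} (${status}${code ? ' ' + code : ''})`);
    this.kind = kind;   // validation | unauthenticated | forbidden | user_exists | locked | unknown
    this.status = status;
    this.code = code;
  }
}

// Map a failed auth response to a client-side kind the dashboard can act on.
function classifyFailure(status, body) {
  const code = body && body.code;
  const message = body && body.message;
  if (code === 'ACCOUNT_LOCKED') return new AuthClientError('locked', status, code, message);
  if (status === 400 || status === 422) return new AuthClientError('validation', status, code, message);
  if (status === 401) return new AuthClientError('unauthenticated', status, code, message);
  if (status === 403) return new AuthClientError('forbidden', status, code, message);
  if (status === 409 && code === 'USER_EXISTS') return new AuthClientError('user_exists', status, code, message);
  return new AuthClientError('unknown', status, code, message);
}

function createAuthClient(fetchImpl, baseUrl) {
  async function call(method, path, body) {
    const res = await fetchImpl(`${baseUrl}${path}`, {
      method,
      credentials: 'include', // cookie-backed session; these routes do not take API keys
      headers: body ? { 'Content-Type': 'application/json' } : {},
      body: body ? JSON.stringify(body) : undefined,
    });
    let parsed = null;
    try { parsed = await res.json(); } catch (_) { parsed = null; }
    if (res.ok) return parsed;
    throw classifyFailure(res.status, parsed);
  }
  return {
    me: () => call('GET', '/auth/me'),
    signInEmail: (email, password) => call('POST', '/auth/sign-in/email', { email, password }),
    signUpEmail: (email, password) => call('POST', '/auth/sign-up/email', { email, password }),
    logout: () => call('POST', '/auth/logout'),
  };
}

// What the dashboard should do next: a lockout is not retried automatically,
// and a 401 from /auth/me means the session is gone.
function nextAction(err) {
  switch (err.kind) {
    case 'validation': return 'show_field_errors';
    case 'unauthenticated': return 'redirect_to_sign_in';
    case 'forbidden': return 'show_access_denied';
    case 'user_exists': return 'offer_sign_in';
    case 'locked': return 'wait_before_retry';
    default: return 'show_generic_error';
  }
}

// Constructed stand-in for fetch that serves canned responses keyed by
// "METHOD /path", so the client can be exercised without a server.
function fakeFetch(responses) {
  return async (url, init) => {
    const key = `${init.method} ${new URL(url).pathname}`;
    const r = responses[key] || { status: 500, body: { code: 'INTERNAL' } };
    return { ok: r.status >= 200 && r.status < 300, status: r.status, json: async () => r.body };
  };
}
```

Because `classifyFailure` checks the lockout code before the status code, the client keeps treating a lockout as non-retryable whatever status the server chooses to send with it.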

