API Reference
REST API endpoints for authentication and administration.
Base URLs
| Environment | Auth Runtime | Control Plane |
|---|---|---|
| Production | https://auth.zautha.com | https://api.zautha.com |
| Development | http://localhost:5001 | http://localhost:5000 |
Authentication
Public endpoints (/v1/auth/*) require the project key header:
`X-Zautha-Project-Key: pk_live_xxx`

Admin endpoints (/v1/admin/*) require a valid admin session (cookie) or admin JWT:

`Authorization: Bearer <admin_token>`

Error Format (RFC 7807)
All errors follow RFC 7807 Problem Details:
```json
{
  "type": "https://zautha.com/errors/validation-error",
  "title": "Validation Error",
  "status": 400,
  "detail": "The email field is not a valid email address.",
  "instance": "/v1/auth/sign-up",
  "traceId": "00-abc123-def456-01",
  "errors": {
    "email": ["Invalid email format"]
  }
}
```

Rate Limits
| Endpoint | Limit | Window | Key |
|---|---|---|---|
| POST /v1/auth/sign-in | 5 | 1 min | IP + email |
| POST /v1/auth/sign-up | 3 | 1 min | IP |
| POST /v1/auth/password/forgot | 3 | 1 hour | |
| Global | 1000 | 1 min | IP |

After 5 consecutive failed sign-in attempts the account is locked for 15 minutes; repeated lockouts escalate progressively (15m, 30m, 1h, 2h).
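The two sign-in controls from the table and the sentence above, sketched server-side as an added example (not Zautha's own code): a per-(IP, email) limit of 5 attempts per minute and a progressive lockout after 5 consecutive failures. It assumes the lockout duration steps up once per lockout and stays at 2h thereafter, and that a successful sign-in only clears the failure streak; the page does not state either detail.

```python
"""Sign-in abuse controls from the API reference: a fixed-window rate limit
keyed by IP + email (5 per 1 min) and a progressive account lockout after
5 consecutive failures (15m, 30m, 1h, 2h). Constructed example, not
Zautha's own code. Assumption: the step escalates once per lockout and
caps at 2h; a good sign-in resets only the failure streak."""
from collections import defaultdict

LOCKOUT_STEPS = (15 * 60, 30 * 60, 60 * 60, 2 * 60 * 60)  # seconds
MAX_FAILURES = 5                        # consecutive failures before lockout
SIGN_IN_LIMIT, SIGN_IN_WINDOW = 5, 60   # POST /v1/auth/sign-in: 5 per 1 min


class SignInGuard:
    def __init__(self):
        self._hits = defaultdict(list)      # (ip, email) -> attempt timestamps
        self._failures = defaultdict(int)   # email -> consecutive failures
        self._lockouts = defaultdict(int)   # email -> lockouts so far
        self._locked_until = {}             # email -> unlock timestamp

    def rate_limited(self, ip, email, now):
        """True if (ip, email) has used its 5 attempts in the last minute."""
        key = (ip, email)
        self._hits[key] = [t for t in self._hits[key] if now - t < SIGN_IN_WINDOW]
        if len(self._hits[key]) >= SIGN_IN_LIMIT:
            return True
        self._hits[key].append(now)
        return False

    def locked(self, email, now):
        """True while a lockout window for this account is still open."""
        return self._locked_until.get(email, 0) > now

    def record_failure(self, email, now):
        """Count a bad credential; the 5th consecutive failure locks the account.
        Returns whether the account is locked after this failure."""
        self._failures[email] += 1
        if self._failures[email] >= MAX_FAILURES:
            step = min(self._lockouts[email], len(LOCKOUT_STEPS) - 1)
            self._locked_until[email] = now + LOCKOUT_STEPS[step]
            self._lockouts[email] += 1
            self._failures[email] = 0      # streak restarts after the lockout
        return self.locked(email, now)

    def record_success(self, email):
        """A good sign-in clears the failure streak; lockout history is kept."""
        self._failures[email] = 0
```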
Sections
- Authentication — Sign up, sign in, sessions, email verification, password reset
- OAuth — Social login with Google, GitHub, Microsoft, Apple
- MFA — TOTP, SMS multi-factor authentication
- Passkeys — WebAuthn passwordless authentication
- Admin — Tenant, project, user, organization management