API Reference
Authentication
Email/password auth, sessions, email verification, and password reset endpoints.
Sign Up
POST /v1/auth/sign-up

{
  "email": "user@example.com",
  "password": "secure-password",
  "username": "johndoe",
  "metadata": { "name": "John Doe" }
}

Response 201:
{
  "user": { "id": "...", "email": "user@example.com", "status": "active" },
  "session": { "id": "...", "access_token": "...", "expires_at": "..." }
}

Sign In
POST /v1/auth/sign-in

{
  "identifier": "user@example.com",
  "password": "secure-password"
}

Response 200 (success):
{
  "user": { "id": "...", "email": "user@example.com" },
  "session": { "id": "...", "access_token": "..." }
}

Response 200 (MFA required):
{
  "mfa_required": true,
  "mfa_token": "mfa_xxx",
  "available_factors": ["totp", "sms"]
}

Sign Out
POST /v1/auth/sign-out

Requires session cookie. Returns 204 No Content.

Refresh Token
POST /v1/auth/refresh

Uses zautha_refresh_token cookie. Returns a new access token.
{
  "access_token": "eyJ...",
  "expires_in": 900
}

Get Current User
GET /v1/auth/me

Always returns 200. Returns { "user": null } when unauthenticated.
{
  "user": { "id": "...", "email": "...", "is_admin": false },
  "active_sessions": 2,
  "organizations": [{ "id": "...", "name": "...", "role": "admin" }]
}

Sessions
GET /v1/auth/sessions — List all active sessions
DELETE /v1/auth/sessions/{id} — Revoke a specific session (204)

Email Verification
POST /v1/auth/verify-email/send — Send verification email (202)
POST /v1/auth/verify-email/confirm — Confirm with token (200)

Password Reset
POST /v1/auth/password/forgot — Send reset email (202)
POST /v1/auth/password/reset/validate — Validate token (200)
POST /v1/auth/password/reset — Reset password (200)

Magic Link
POST /v1/auth/magic-link/send — Send magic link email (202)
GET /v1/auth/magic-link/verify — Verify and create session (302 redirect)
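
Sign In returns 200 both for a completed login and for an MFA challenge, and Get Current User returns 200 even when unauthenticated, so a client has to decide from the body rather than the status code. The following is an added example, not part of this API's documentation or SDK: it interprets those bodies and fails closed; the function names, state names and sample bodies are assumptions.

```javascript
// Added example. Field names come from the responses documented on this page;
// the returned state names and the sample bodies are constructed.

const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
const isStr = (v) => typeof v === "string" && v.length > 0;

// Interpret POST /v1/auth/sign-in. Both outcomes arrive as HTTP 200.
function classifySignIn(status, body) {
  if (status !== 200 || !isObj(body)) return { state: "failed" };
  if (body.mfa_required === true) {
    // First factor passed, second still pending: no session may be used yet.
    const factors = Array.isArray(body.available_factors)
      ? body.available_factors.filter(isStr) : [];
    if (!isStr(body.mfa_token) || factors.length === 0) return { state: "failed" };
    return { state: "mfa_pending", mfaToken: body.mfa_token, factors };
  }
  if (isObj(body.user) && isStr(body.user.id) &&
      isObj(body.session) && isStr(body.session.access_token)) {
    return { state: "authenticated", userId: body.user.id,
             accessToken: body.session.access_token };
  }
  return { state: "failed" }; // anything unrecognised is not a login
}

// Interpret GET /v1/auth/me. The status is always 200, so only body.user counts.
function currentUser(status, body) {
  if (status !== 200 || !isObj(body) || !isObj(body.user) || !isStr(body.user.id)) {
    return null;
  }
  // Only the literal boolean true grants admin; "true" or 1 do not.
  return { id: body.user.id, isAdmin: body.user.is_admin === true };
}

// Constructed sample bodies (ids and tokens are placeholders).
const SAMPLES = {
  signInOk: { user: { id: "u_1", email: "user@example.com" },
              session: { id: "s_1", access_token: "tok_1" } },
  signInMfa: { mfa_required: true, mfa_token: "mfa_xxx",
               available_factors: ["totp", "sms"] },
  meAnonymous: { user: null },
  meUser: { user: { id: "u_1", email: "user@example.com", is_admin: false },
            active_sessions: 2, organizations: [] },
};
```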