Auth

Accounts & sessions — signup, login, passkeys, MFA, magic links, password & email flows.

Endpoints · 42
GET /v1/auth/audit · client.auth.auditLog

Read the project's auth audit log (newest first). Bearer, project-scoped.

auditLog(input?: { email?: string; event?: AuthAuditEventName; limit?: number; }): Promise<{ entries: AuthAuditEntry[]; }>;
POST /v1/auth/deletion/force · client.auth.deletion.force
force(input: { token: string; }): Promise<{ deleted: boolean; reason?: "invalid" | "used" | "expired"; }>;
POST /v1/auth/deletion/request · client.auth.deletion.requestDeletion

Queue a user for deletion (30-day grace) + send the deletion email.

requestDeletion(input: { userId: string; }): Promise<{ scheduledFor: string; }>;
POST /v1/auth/deletion/undo · client.auth.deletion.undo
undo(input: { token: string; }): Promise<{ undone: boolean; reason?: "invalid" | "used" | "expired"; }>;
POST /v1/auth/email-verify/confirm · client.auth.confirmEmailVerify

On success returns a session token — user is immediately signed in.

confirmEmailVerify(input: { token: string; }): Promise<EmailVerifyConfirmResult>;
POST /v1/auth/email-verify/resend · client.auth.resendEmailVerify

Always returns { sent: true } — never reveals whether the token mapped to a real user or whether the rate-limit was tripped (anti-enumeration).

resendEmailVerify(input: { token: string; }): Promise<{ sent: true; }>;
POST /v1/auth/email-verify/resend-by-email · client.auth.resendVerifyByEmail

Resend the verify mail BY EMAIL (no token) — powers a "resend confirmation" action on an `email_not_verified` login. Always { sent: true } (anti-enum).

resendVerifyByEmail(input: { email: string; }): Promise<{ sent: true; }>;
POST /v1/auth/email/change/confirm · client.auth.email.changeConfirm

Confirm an email change with the token from the new-address email. PUBLIC.

changeConfirm(input: { token: string; }): Promise<{ changed: boolean; email?: string; reason?: "invalid" | "used" | "expired" | "email_taken"; }>;
POST /v1/auth/email/change/request · client.auth.email.changeRequest

Request an email change — verifies the current password (step-up) and mails a confirm-link to the NEW address. Session-gated.

changeRequest(input: { sessionToken: string; currentPassword: string; newEmail: string; }): Promise<{ sent: true; }>;
POST /v1/auth/login · client.auth.login

Throws 403 `email_not_verified` if the user hasn't confirmed yet.

login(input: { email: string; password: string; }): Promise<LoginResult>;
POST /v1/auth/logout · client.auth.logout
logout(input: { sessionToken: string; }): Promise<LogoutResult>;
POST /v1/auth/magic-link/confirm · client.auth.confirmMagicLink

Public — no Bearer. On success issues a session; does NOT revoke other sessions (magic-link is an alternative sign-in, not credential rotation).

confirmMagicLink(input: { token: string; }): Promise<MagicLinkConfirmResult>;
POST /v1/auth/magic-link/request · client.auth.requestMagicLink

Auto-signup: if the email is unknown, a passwordless account is created (password_hash=null). Returns 429 with retry-after when rate-limited (1/min + 5/h per (email, project)).

requestMagicLink(input: { email: string; }): Promise<{ sent: true; }>;
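
An in-memory sketch of the limit documented for this endpoint, 1/min + 5/h per (email, project), including how a retry-after value can be derived. This is an added example, not Adrifact's implementation; the class name, the `projectId` parameter, the email normalisation and the choice not to count rejected requests are assumptions.

```typescript
type Decision = { allowed: true } | { allowed: false; retryAfterSec: number };

// The two limits stated on the page, both enforced on every request.
const WINDOWS = [
  { ms: 60_000, max: 1 },     // 1 per minute
  { ms: 3_600_000, max: 5 },  // 5 per hour
];

class MagicLinkLimiter {
  // key -> timestamps (ms, ascending) of accepted requests
  private hits = new Map<string, number[]>();

  // Assumption: addresses compare case-insensitively, so casing or stray
  // whitespace cannot be used to open a fresh bucket for the same mailbox.
  private key(email: string, projectId: string): string {
    return JSON.stringify([projectId, email.trim().toLowerCase()]);
  }

  check(email: string, projectId: string, nowMs: number): Decision {
    const k = this.key(email, projectId);
    const longest = Math.max(...WINDOWS.map((w) => w.ms));
    const recent = (this.hits.get(k) ?? []).filter((t) => nowMs - t < longest);

    let retryAfterMs = 0;
    for (const w of WINDOWS) {
      const inWindow = recent.filter((t) => nowMs - t < w.ms);
      if (inWindow.length >= w.max) {
        // A slot frees up once this hit ages out of the window.
        const blocking = inWindow[inWindow.length - w.max]!;
        retryAfterMs = Math.max(retryAfterMs, blocking + w.ms - nowMs);
      }
    }
    if (retryAfterMs > 0) {
      this.hits.set(k, recent); // rejected requests do not consume quota
      return { allowed: false, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    recent.push(nowMs);
    this.hits.set(k, recent);
    return { allowed: true };
  }
}
```

When both windows are exhausted the longer wait wins, so a client that honours retry-after is not told to come back only to be rejected again by the hourly limit.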
POST /v1/auth/magic-link/resend · client.auth.resendMagicLink
resendMagicLink(input: { token: string; }): Promise<{ sent: true; }>;
GET /v1/auth/me · client.auth.me
me(input: { sessionToken: string; }): Promise<MeResult>;
POST /v1/auth/mfa/confirm · client.auth.mfa.confirm
confirm(input: { sessionToken: string; code: string; }): Promise<{ ok: true; recoveryCodes: string[]; }>;
POST /v1/auth/mfa/disable · client.auth.mfa.disable
disable(input: { sessionToken: string; code: string; }): Promise<{ ok: true; }>;
POST /v1/auth/mfa/enroll · client.auth.mfa.enroll
enroll(input: { sessionToken: string; }): Promise<{ secret: string; otpauthUri: string; }>;
GET /v1/auth/mfa/status · client.auth.mfa.status
status(input: { sessionToken: string; }): Promise<{ enabled: boolean; recoveryCodesRemaining: number; }>;
POST /v1/auth/mfa/verify · client.auth.mfa.verify

Finish a two-step login. `code` may be a TOTP code or a recovery code.

verify(input: { challengeToken: string; code: string; }): Promise<SessionResult>;
POST /v1/auth/onboard · client.auth.onboard

ADRI-97 — headless onboarding: creates the user AND mints its initial api-token in ONE call, returning the credential ONCE. The token is dormant until the owner verifies their email (a verify-mail is sent).

onboard(input: { email: string; password: string; tokenName?: string; env?: "live" | "test"; }): Promise<OnboardResult>;
GET /v1/auth/passkeys/config/get · client.auth.passkeys.config.get
get(): Promise<PasskeyConfigGetResult>;
POST /v1/auth/passkeys/config/set · client.auth.passkeys.config.set

One-time per project: set the Relying Party id + allowed origins.

set(input: { rpId: string; rpName?: string; origins: string[]; }): Promise<{ ok: true; }>;
POST /v1/auth/passkeys/delete · client.auth.passkeys.delete

Delete a passkey (session). 409 `would_lock_out` if it's the last one and the user has no password (the always-≥1-method invariant).

delete(input: { sessionToken: string; passkeyId: string; }): Promise<{ ok: true; }>;
GET /v1/auth/passkeys/list · client.auth.passkeys.list

List the logged-in user's passkeys (session).

list(input: { sessionToken: string; }): Promise<{ passkeys: PasskeyInfo[]; }>;
POST /v1/auth/passkeys/login/finish · client.auth.passkeys.login.finish

Finish — verifies the assertion + issues a session. No extra MFA step (a passkey is already strong auth). Blocks (403) if the email isn't verified.

finish(input: { assertionResponse: PasskeyCeremonyResponse; }): Promise<SessionResult>;
POST /v1/auth/passkeys/login/start · client.auth.passkeys.login.start

Begin usernameless login — returns request options for startAuthentication().

start(): Promise<{ options: PasskeyCeremonyOptions; }>;
POST /v1/auth/passkeys/register/finish · client.auth.passkeys.register.finish
finish(input: { sessionToken: string; attestationResponse: PasskeyCeremonyResponse; name?: string; }): Promise<{ ok: true; passkeyId: string; }>;
POST /v1/auth/passkeys/register/start · client.auth.passkeys.register.start

Begin registering an extra passkey on the logged-in user (session).

start(input: { sessionToken: string; }): Promise<{ options: PasskeyCeremonyOptions; }>;
POST /v1/auth/password-reset/confirm · client.auth.confirmPasswordReset

On success: password updated, ALL existing sessions revoked, a fresh one is issued on this device. Also marks email as verified if it was not.

confirmPasswordReset(input: { token: string; newPassword: string; }): Promise<PasswordResetConfirmResult>;
POST /v1/auth/password-reset/request · client.auth.requestPasswordReset

Always returns { sent: true } regardless of whether the email is on file.

requestPasswordReset(input: { email: string; }): Promise<{ sent: true; }>;
POST /v1/auth/password-reset/resend · client.auth.resendPasswordReset
resendPasswordReset(input: { token: string; }): Promise<{ sent: true; }>;
POST /v1/auth/password/change · client.auth.password.change

Change the password with step-up: requires the CURRENT password. 403 `invalid_current_password` if it's wrong; 409 `no_password` if the account has none yet (use set()).

change(input: { sessionToken: string; currentPassword: string; newPassword: string; }): Promise<{ ok: true; }>;
POST /v1/auth/password/clear · client.auth.password.clear

Remove the password (become passwordless). 409 `would_lock_out` if the user has no passkey (the always-≥1-method invariant).

clear(input: { sessionToken: string; }): Promise<{ ok: true; }>;
POST /v1/auth/password/set · client.auth.password.set

Set (or change) the logged-in user's password — lets a passkey-only user add a password.

set(input: { sessionToken: string; newPassword: string; }): Promise<{ ok: true; }>;
POST /v1/auth/policy/get · client.auth.policy.get

Read the EFFECTIVE policy for a scope (falls back to the global default when the scope has no explicit policy yet).

get(input?: { scope?: string; }): Promise<{ policy: AuthPolicy; }>;
POST /v1/auth/policy/set · client.auth.policy.set

Upsert the policy for a scope (partial — only supplied fields change). Rejects 400 `would_lock_out` if it would disable every login method, and 400 `invalid_session_duration` for an out-of-range duration.

set(input: { scope?: string; } & AuthPolicyUpdate): Promise<{ policy: AuthPolicy; }>;
POST /v1/auth/signup · client.auth.signup

Creates the user (email_verified_at=null) and triggers a verify email. NO session is returned — login is blocked until the user verifies.

signup(input: { email: string; password: string; }): Promise<SignupResult>;
POST /v1/auth/signup/passkey/finish · client.auth.passkeys.signup.finish

Finish — creates the passwordless user + sends a verify email. NO session (login stays blocked until the email is verified, like password signup).

finish(input: { email: string; attestationResponse: PasskeyCeremonyResponse; }): Promise<SignupResult>;
POST /v1/auth/signup/passkey/start · client.auth.passkeys.signup.start

Begin passwordless signup — returns creation options for startRegistration().

start(input: { email: string; }): Promise<{ options: PasskeyCeremonyOptions; }>;
GET /v1/auth/users/by-email · client.auth.findUserIdByEmail

Resolve one of your own project's users to its Adrifact userId by email. Throws 404 if not found. Project-scoped (Bearer).

findUserIdByEmail(input: { email: string; }): Promise<{ userId: string; email: string; }>;
POST /v1/auth/validate-session · client.auth.validateSession
validateSession(input: { sessionToken: string; }): Promise<ValidateSessionResult>;
Widgets · 19

Embeddable React components for this App. Click one to preview its UI. Previews render the component only — live data calls are disabled here (wire the Provider's basePath to a connector, as the Console does, to make them functional).