Auth API
Auto-generated from openapi-snapshot.json. Do not edit by hand — changes are overwritten by scripts/docs/generate_api_reference.py.
7 endpoints in this group.
GET /api/auth/api-key
Get Api Key
Return the current user’s API key metadata. Auto-creates the key if absent.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
POST /api/auth/api-key/rotate
Rotate Api Key
Rotate (regenerate) the current user’s API key.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
POST /api/auth/logout
Logout
Clear the auth cookie and, if a refresh token is provided in the body, revoke its entire refresh token family.
Request body: application/json
Responses
| Code | Description |
|---|---|
| 204 | Successful Response |
| 422 | Validation Error |
GET /api/auth/me
Me
Return the currently authenticated user’s profile.
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
POST /api/auth/refresh
Refresh Token Endpoint
Rotate the refresh token and issue a new access+refresh pair.
On first use of a valid token: marks the old token as used and inserts a new token in the same family. On reuse of an already-used token: revokes the entire family and returns 401. With the feature flag REFRESH_ROTATION_ENABLED=False: issues a new access token and keeps the same refresh token.
Request body: application/json
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
| 422 | Validation Error |
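The family-based rotation and reuse detection described for this endpoint, as an added illustration that is not the project's own code. It models a server-side refresh token store in memory: tokens are opaque random strings, each belongs to a family, a token is marked used once rotated, and presenting a used token again revokes the whole family (the condition the endpoint answers with 401). The `RefreshTokenStore`, `ReuseDetected` and `revoke_family_of` names, the in-memory dict, and the stand-in access token are assumptions for the example; the real service presumably persists families in a database and returns signed access tokens.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class RefreshToken:
    token: str
    family_id: str
    used: bool = False      # set once the token has been rotated
    revoked: bool = False   # set when its family is revoked


class ReuseDetected(Exception):
    """Token is unknown, revoked, or already rotated; the endpoint maps this to HTTP 401."""


class RefreshTokenStore:
    """Illustrative in-memory store (assumption: the real service uses a database)."""

    def __init__(self, rotation_enabled: bool = True):
        # Mirrors the REFRESH_ROTATION_ENABLED feature flag named on the page.
        self.rotation_enabled = rotation_enabled
        self._tokens: Dict[str, RefreshToken] = {}

    def issue_family(self) -> str:
        """Start a new family at login and return its first refresh token."""
        return self._issue(secrets.token_hex(8))

    def _issue(self, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshToken(token, family_id)
        return token

    def _revoke_family(self, family_id: str) -> None:
        for rt in self._tokens.values():
            if rt.family_id == family_id:
                rt.revoked = True

    def revoke_family_of(self, token: str) -> bool:
        """Logout path: revoke the family a presented token belongs to, if known."""
        rt = self._tokens.get(token)
        if rt is None:
            return False
        self._revoke_family(rt.family_id)
        return True

    def is_active(self, token: str) -> bool:
        rt = self._tokens.get(token)
        return rt is not None and not rt.used and not rt.revoked

    def refresh(self, presented: str) -> Tuple[str, str]:
        """Return (access_token, refresh_token) or raise ReuseDetected."""
        rt = self._tokens.get(presented)
        if rt is None or rt.revoked:
            raise ReuseDetected("unknown or revoked refresh token")
        if rt.used:
            # Replay of an already-rotated token: an attacker or the legitimate
            # client holds a stale copy, so the whole family is invalidated.
            self._revoke_family(rt.family_id)
            raise ReuseDetected("refresh token reuse detected; family revoked")
        # Stand-in for a signed access token (assumption: the service signs a JWT).
        access_token = secrets.token_urlsafe(16)
        if not self.rotation_enabled:
            # Flag off: new access token, same refresh token.
            return access_token, presented
        rt.used = True
        return access_token, self._issue(rt.family_id)


if __name__ == "__main__":
    store = RefreshTokenStore()
    first = store.issue_family()
    _, second = store.refresh(first)
    _, third = store.refresh(second)
    try:
        store.refresh(first)  # stale copy replayed
    except ReuseDetected as exc:
        print("replay:", exc)
    print("latest token still active:", store.is_active(third))
```

Each refresh is expected to return a fresh token and invalidate the one presented; after a replay, even the newest token in the family stops working, which is what forces a full re-login when a stolen refresh token is used.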
POST /api/auth/register
Register
Create a new user account.
Request body: application/json
Responses
| Code | Description |
|---|---|
| 201 | Successful Response |
| 422 | Validation Error |
POST /api/auth/token
Login
OAuth2 password flow — sets an httpOnly bp_token cookie and also returns the token in the body for backwards compatibility.
If the user has any verified MFA method, returns an mfa-pending token instead of a full access token. The frontend must then call POST /api/auth/mfa/challenge with the code.
Request body: application/x-www-form-urlencoded
Responses
| Code | Description |
|---|---|
| 200 | Successful Response |
| 422 | Validation Error |