Authentication API

Endpoints for user authentication, registration, and session management.

Endpoints

POST /api/auth/register

Create a new user account.

Body:

{
  "email": "user@example.com",
  "password": "securepassword",
  "name": "Display Name"
}

Response: 201 Created

{
  "user": {
    "id": "uuid",
    "email": "user@example.com",
    "name": "Display Name",
    "role": "MEMBER"
  },
  "accessToken": "jwt-access-token",
  "refreshToken": "jwt-refresh-token"
}

POST /api/auth/login

Authenticate with email and password.

Body:

{
  "email": "user@example.com",
  "password": "securepassword",
  "rememberMe": false
}

rememberMe is optional (defaults to false). When true, the refresh token cookie persists for 30 days. When false, it is a session cookie that expires when the browser closes.

Response: 200 OK

Returns the same structure as registration and also sets the authentication cookies used for WebSocket connections.

POST /api/auth/refresh

Exchange a refresh token for a new access token.

Body:

{
  "refreshToken": "current-refresh-token"
}

Response: 200 OK

{
  "accessToken": "new-jwt-access-token",
  "refreshToken": "new-jwt-refresh-token"
}

POST /api/auth/logout

Invalidate the current refresh token and clear authentication cookies.

Response: 200 OK

GET /api/auth/me

Get the currently authenticated user's profile.

Headers: Requires Authorization: Bearer <token>

Response: 200 OK

{
  "id": "uuid",
  "email": "user@example.com",
  "name": "Display Name",
  "role": "ADMIN",
  "avatarUrl": "https://..."
}

Google OAuth

When Google OAuth is enabled, the following endpoints are available:

GET /api/auth/google

Redirects the user to Google's OAuth consent screen.

GET /api/auth/google/callback

Handles the OAuth callback from Google. On success, creates or links the user account and redirects to the app with authentication cookies set.

Token Behavior

  • Access tokens expire after 15 minutes
  • Refresh tokens are longer-lived: 1 day without "Remember me", 30 days with it
  • Cookie-based auth is used for WebSocket connections, set automatically on login
  • Token refresh preserves the original session duration
  • Tokens are invalidated on logout
  • The Axios interceptor on the frontend automatically refreshes expired access tokens
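As an added example (not the project's own code), the following Python model reproduces the lifetimes listed above so the refresh semantics can be checked in isolation: 15-minute access tokens, 1-day or 30-day sessions depending on rememberMe, a refresh that keeps the original session end instead of extending it, and logout invalidating the refresh token. It assumes refresh tokens are single-use (the old one is discarded on each /refresh) and treats token values as opaque random strings rather than JWTs; neither detail is stated on this page.

```python
# Added example: in-memory model of the documented token rules (not the project's implementation).
from __future__ import annotations
import secrets
from dataclasses import dataclass

ACCESS_TTL = 15 * 60               # access tokens expire after 15 minutes
REFRESH_TTL_SHORT = 24 * 3600      # 1 day without "Remember me"
REFRESH_TTL_LONG = 30 * 24 * 3600  # 30 days with it


@dataclass
class Tokens:
    access_token: str
    refresh_token: str
    access_exp: int    # unix time after which the access token is rejected
    session_exp: int   # unix time after which the refresh token is rejected


class TokenStore:
    """Server-side state: maps each live refresh token to its session expiry."""

    def __init__(self) -> None:
        self._sessions: dict[str, int] = {}

    def _issue(self, now: int, session_exp: int) -> Tokens:
        # Opaque random tokens stand in for the JWTs the real API returns (assumption).
        refresh = secrets.token_urlsafe(32)
        self._sessions[refresh] = session_exp
        return Tokens(secrets.token_urlsafe(32), refresh, now + ACCESS_TTL, session_exp)

    def login(self, now: int, remember_me: bool = False) -> Tokens:
        ttl = REFRESH_TTL_LONG if remember_me else REFRESH_TTL_SHORT
        return self._issue(now, now + ttl)

    def refresh(self, now: int, refresh_token: str) -> Tokens | None:
        # Single-use: the presented token is removed whether or not it is accepted (assumption).
        session_exp = self._sessions.pop(refresh_token, None)
        if session_exp is None or now >= session_exp:
            return None  # unknown, already used, or past the session end
        # New pair keeps the ORIGINAL session end; refreshing never extends the session.
        return self._issue(now, session_exp)

    def logout(self, refresh_token: str) -> None:
        self._sessions.pop(refresh_token, None)  # idempotent invalidation

    @staticmethod
    def access_valid(now: int, tokens: Tokens) -> bool:
        return now < tokens.access_exp
```

A client that mirrors the page's Axios interceptor would call refresh() when access_valid() is False and treat a None result as "session over, log in again".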