oCore Docs
API Reference

Auth

Request a password reset email

Sends a password reset link to the specified email. Always returns 200 to avoid leaking account existence.

POST
/auth/forgot-password

Request Body

application/json (required)

Email address

email (string)
curl -X POST "//api.ocore.dev/api/auth/forgot-password" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "string"
  }'

OK

{
  "message": "string"
}

Authenticate with email and password

Validates credentials and returns user data with auth cookies. If TOTP is enabled, returns a partial token requiring 2FA verification.

POST
/auth/login

Request Body

application/json (required)

Login credentials

email (string)
password (string)
curl -X POST "//api.ocore.dev/api/auth/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "string",
    "password": "string"
  }'

OK

{
  "partialToken": "string",
  "requiresTOTP": true,
  "user": {}
}

Complete two-factor authentication login

Validates a TOTP code against a partial token to complete 2FA login. Sets auth cookies on success.

POST
/auth/login/2fa

Request Body

application/json (required)

2FA verification

code (string)
partialToken (string)
curl -X POST "//api.ocore.dev/api/auth/login/2fa" \
  -H "Content-Type: application/json" \
  -d '{
    "code": "string",
    "partialToken": "string"
  }'

OK

{
  "user": {}
}

Log out and invalidate session

Revokes the refresh token and clears auth cookies.

POST
/auth/logout
curl -X POST "//api.ocore.dev/api/auth/logout"

OK

{
  "message": "string"
}

Begin OAuth authentication flow

Redirects to the OAuth provider's authorization page. Supports login and account-linking flows.

GET
/auth/oauth/{provider}

Path Parameters

provider (string, required)

OAuth provider (github, google)

Query Parameters

flow (string)

Flow type: login or link

Default: "login"
curl -X GET "//api.ocore.dev/api/auth/oauth/<string>?flow=login"

Redirect to OAuth provider

Handle OAuth provider callback

Processes the OAuth provider's redirect with authorization code. Completes login or account linking. Redirects to frontend.

GET
/auth/oauth/{provider}/callback

Path Parameters

provider (string, required)

OAuth provider (github, google)

Query Parameters

code (string, required)

Authorization code from provider

state (string, required)

CSRF state parameter

curl -X GET "//api.ocore.dev/api/auth/oauth/<string>/callback?code=%3Cstring%3E&state=%3Cstring%3E"

Redirect to frontend
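
The two OAuth endpoints above rely on the state parameter for CSRF protection and on flow to choose between login and account linking. The following is an added example, not oCore's implementation: one way a server can mint a state value that carries the flow and verify it on callback. The state format, signing key, session id and 10-minute lifetime are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

ALLOWED_FLOWS = {"login", "link"}  # flow values documented above
STATE_TTL = 600                    # assumed lifetime in seconds

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(key: bytes, body: str, session_id: str) -> bytes:
    # The MAC covers the browser session id, so a state minted in one
    # session is rejected in any other session's callback.
    msg = body.encode() + b"." + session_id.encode()
    return _b64(hmac.new(key, msg, hashlib.sha256).digest()).encode()

def issue_state(key, session_id, provider, flow="login", now=None):
    """Build the state value sent to the provider (hypothetical format)."""
    if flow not in ALLOWED_FLOWS:
        raise ValueError("unsupported flow")
    issued = int(time.time() if now is None else now)
    payload = {"p": provider, "f": flow, "exp": issued + STATE_TTL,
               "n": secrets.token_hex(8)}  # nonce makes each state unique
    body = _b64(json.dumps(payload).encode())
    return body + "." + _sign(key, body, session_id).decode()

def verify_state(key, session_id, provider, state, now=None):
    """Return the flow ("login" or "link") for a valid state, else None."""
    body, sep, tag = state.partition(".")
    expected = _sign(key, body, session_id)
    # Constant-time comparison; reject before parsing anything unauthenticated.
    if not sep or not hmac.compare_digest(tag.encode(), expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    current = int(time.time() if now is None else now)
    if payload["p"] != provider or payload["exp"] <= current:
        return None
    return payload["f"] if payload["f"] in ALLOWED_FLOWS else None

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key for the demo
    st = issue_state(key, "session-A", "github", flow="link")
    print(verify_state(key, "session-A", "github", st))   # same session
    print(verify_state(key, "session-B", "github", st))   # other session
```

This sketch does not make the state single-use; doing so would additionally require recording consumed nonces until they expire.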

Refresh access token

Uses the refresh_token cookie to issue a new access token and refresh token pair.

POST
/auth/refresh
curl -X POST "//api.ocore.dev/api/auth/refresh"

OK

{
  "message": "string"
}

Reset password with token

Resets the user's password using a valid reset token obtained from forgot-password.

POST
/auth/reset-password

Request Body

application/json (required)

Reset token and new password

password (string)
token (string)
curl -X POST "//api.ocore.dev/api/auth/reset-password" \
  -H "Content-Type: application/json" \
  -d '{
    "password": "string",
    "token": "string"
  }'

OK

{
  "message": "string"
}

Register a new user account

Creates a new user account with name, email, and password. Sends a verification email if mail service is configured; otherwise auto-verifies.

POST
/auth/signup

Request Body

application/json (required)

Signup request

email (string)
name (string)
password (string)
curl -X POST "//api.ocore.dev/api/auth/signup" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "string",
    "name": "string",
    "password": "string"
  }'

Created

{
  "message": "string"
}

Verify email address

Validates the email verification token and redirects to the login page with a verified flag.

GET
/auth/verify-email

Query Parameters

token (string, required)

Email verification token

curl -X GET "//api.ocore.dev/api/auth/verify-email?token=%3Cstring%3E"

Redirect to login page

Sends a new verification email to the specified address. Always returns 200 to avoid leaking account existence.

POST
/auth/verify-email/resend

Request Body

application/json (required)

Email address

email (string)
curl -X POST "//api.ocore.dev/api/auth/verify-email/resend" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "string"
  }'

OK

{
  "message": "string"
}
