auth
📄️ Permanently deletes the authenticated user's account and all associated data. Clears auth cookies on success. This action is irreversible.
📄️ Sets a password on an account that has none (OAuth-only accounts). This is the onboarding path for social login users who want to add password auth. To change an existing password use auth.password.change.
📄️ Returns onboarding/account-setup status for the authenticated user: whether their email is verified and whether they have a password set. Used by the dashboard onboarding flow to determine which steps remain incomplete.
📄️ Browser-based CLI authorization. After a user logs in via the dashboard, the dashboard calls this endpoint. The server creates a scoped API key, then returns a redirect_url that delivers the key to the CLI via localhost callback. Optionally auto-creates a publishable key if none exists for the org.
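The CLI side of the localhost callback described above, as an added example that is not the project's own code. It assumes the redirect_url the server returns lands on a loopback URL the CLI registered, carrying the key and an echoed `state` value as query parameters (`key`, `state`, `/callback` and the `authorize_url` layout are assumptions). The listener binds to 127.0.0.1 on an ephemeral port, accepts exactly one callback, rejects any request whose `state` does not match the value this run generated, keeps the key out of its access log, and does not echo the key back into the browser.

```python
"""Loopback listener for a browser-based CLI authorization flow.

Added example, not the project's code. Parameter names (key, state), the
/callback path and authorize_url() are assumptions for illustration.
"""
import hmac
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse
from typing import Optional


class CallbackListener:
    def __init__(self) -> None:
        self.state = secrets.token_urlsafe(24)   # one-time value bound to this CLI run
        self.key: Optional[str] = None
        self.done = threading.Event()
        listener = self

        class Handler(BaseHTTPRequestHandler):
            def log_message(self, *args):        # query strings carry the key: never log them
                pass

            def do_GET(self):
                url = urlparse(self.path)
                q = parse_qs(url.query)
                state = q.get("state", [""])[0]
                key = q.get("key", [""])[0]
                ok = (url.path == "/callback" and bool(key)
                      and hmac.compare_digest(state, listener.state)
                      and not listener.done.is_set())   # second delivery is a replay
                if not ok:
                    self.send_response(400)
                    self.end_headers()
                    self.wfile.write(b"invalid or replayed callback")
                    return
                listener.key = key
                listener.done.set()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"Authorized. You can close this tab.")  # key not echoed

        # Loopback only, port 0 = let the OS pick a free ephemeral port.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        self._thread = threading.Thread(target=self.server.serve_forever, daemon=True)

    def callback_url(self) -> str:
        return f"http://127.0.0.1:{self.port}/callback"

    def authorize_url(self, dashboard_base: str) -> str:
        # Assumed shape of the URL the CLI opens in the browser.
        qs = urlencode({"redirect_uri": self.callback_url(), "state": self.state})
        return f"{dashboard_base}/cli/authorize?{qs}"

    def start(self) -> None:
        self._thread.start()

    def wait_for_key(self, timeout: float = 120.0) -> Optional[str]:
        return self.key if self.done.wait(timeout) else None

    def stop(self) -> None:
        self.server.shutdown()
        self.server.server_close()


def probe(url: str) -> int:
    """Stand-in for the browser following redirect_url; returns the HTTP status."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code


if __name__ == "__main__":
    listener = CallbackListener()
    listener.start()
    print("open in browser:", listener.authorize_url("https://dashboard.example"))
    print("received key:", listener.wait_for_key(timeout=120))
    listener.stop()
```

Because the key travels in a GET query string, it also ends up in the browser's history on that machine; the CLI should treat it as exposed to anything that can read that history and store it with the same care as any other API key.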
📄️ Creates a short-lived single-use dashboard token. The CLI uses this to open a browser session from a terminal: it exchanges the token at the session endpoint, which sets auth cookies and redirects to the dashboard.
📄️ Exchanges a single-use dashboard token for browser session cookies. Resolves the org's first member, mints an access + refresh token pair for that user (so the resulting browser session belongs to whichever user is the org's first member), and issues a 302 redirect to the dashboard. Tokens that are invalid, expired, or already used redirect to /login.
📄️ Sends a 6-digit verification code to the authenticated user's email address. Invalidates any previously issued verification challenges for this user before issuing a new one.
📄️ Changes the authenticated user's email address. Only permitted before the email has been verified. Invalidates any pending verification codes for the old email and resets email_verified to false.
📄️ Verifies the 6-digit code sent by auth.email.send_verification_code. Marks the user's email as verified and deletes the challenge row.
📄️ Confirms transfer of an OAuth identity that is currently linked to another user account into the current user's account. Used when an OAuth provider email matches a different existing account; the server issues a transfer challenge that the intended recipient must confirm.
📄️ Begins an OAuth account-linking flow for an already-authenticated user. Sets a linking_user_id session cookie so the subsequent OAuth callback knows to associate the incoming identity with the existing account rather than starting a new login flow. The flow completes via the shared /oauth/{provider}/callback handler.
📄️ Unlinks an OAuth provider from the authenticated user's account. Guards against unlinking the user's only authentication method.
📄️ Lists the OAuth providers currently linked to the authenticated user. Used by the dashboard's account settings page to render the 'Connected accounts' section and to compute which providers are available to disconnect.
📄️ Password-based login. Returns a session token + refresh token. Browsers also get an httpOnly cookie; server-to-server callers use the returned token in Authorization headers.
📄️ Revokes the current session, invalidating both the access token and the refresh-token lineage. The next API call from the same session returns 401 and the SDK must re-authenticate.
📄️ Returns the caller's AuthContext. Polled on every dashboard page load to keep the UI's permission model in sync with the server-side scope.
📄️ Final step of the OAuth login flow. The browser (or SDK) calls this POST with the `code` it received on the OAuth callback redirect; the server validates the code, deletes the underlying `AuthChallenge` row, and sets the access + refresh token cookies on the response. The tokens themselves are never returned in the response body; they live in `HttpOnly` cookies that subsequent calls (including `auth.me`) authenticate against.
📄️ Step 1 of WebAuthn passkey authentication. Generates a server-side challenge and optionally scopes allowCredentials to the given email.
📄️ Step 2 of WebAuthn passkey authentication. Verifies the assertion response against the stored credential and challenge, updates the sign_count, and issues an authenticated session.
📄️ Step 1 of WebAuthn passkey registration. Generates and persists a server-side challenge. If no account exists for the given email, the server auto-creates one and emits a signup_completed PostHog event.
📄️ Step 2 of WebAuthn passkey registration. Verifies the attestation response, persists the new PasskeyCredential, and issues an authenticated session.
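The checks that surround the signature in passkey authentication step 2 above (challenge binding, origin, RP ID hash, user-presence flag and the sign_count update), as an added example that is not the project's code. It parses `authenticatorData` and `clientDataJSON` in the layout the WebAuthn spec defines; the assertion signature itself (over `authenticatorData || SHA-256(clientDataJSON)`) is assumed to be verified separately by a WebAuthn library with the stored public key and is deliberately not reimplemented. Function names and the sample inputs are constructed for this example.

```python
"""Server-side checks around a WebAuthn assertion (authentication step 2).

Added example, not the project's code. Function names are assumptions;
sample inputs are constructed with the helpers at the bottom.
"""
import base64
import hashlib
import json
import struct
from typing import Optional

FLAG_UP = 0x01   # user present
FLAG_UV = 0x04   # user verified


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def parse_authenticator_data(auth_data: bytes):
    # Layout: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian) | optional
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return rp_id_hash, flags, sign_count


def verify_assertion_context(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             rp_id: str, stored_sign_count: int,
                             require_uv: bool = False) -> int:
    """Return the new sign_count to persist, or raise ValueError."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch")          # replayed or cross-session response
    if cd.get("origin") != expected_origin:
        raise ValueError("origin mismatch")
    rp_id_hash, flags, sign_count = parse_authenticator_data(auth_data)
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification required")
    # Counter rule: if either side reports a counter, the new value must strictly
    # exceed the stored one; a non-increasing counter suggests a cloned authenticator.
    # Both zero means the authenticator does not implement a counter.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        raise ValueError("sign_count did not increase: possible cloned authenticator")
    return sign_count


def check(client_data_json: bytes, auth_data: bytes, challenge: bytes,
          origin: str, rp_id: str, stored_sign_count: int) -> Optional[int]:
    """Convenience wrapper: new sign_count on success, None on any failure."""
    try:
        return verify_assertion_context(client_data_json, auth_data, challenge,
                                        origin, rp_id, stored_sign_count)
    except ValueError:
        return None


# Helpers that build constructed inputs standing in for what the browser and
# authenticator would produce.
def make_client_data(challenge: bytes, origin: str, ceremony: str = "webauthn.get") -> bytes:
    return json.dumps({"type": ceremony, "challenge": b64url_encode(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count))
```

The sign_count rule is the part most often skipped: persist the returned value only after the signature has also verified, and decide up front whether a regression hard-fails the login (as here) or only flags the credential for review.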
📄️ Changes the authenticated user's password. Requires the current password for verification. The new password must be different from the current one.
📄️ Unified login-or-register flow. If the email has no account, auto-creates one (requires password >= 8 chars). If the account exists with a password, verifies it. If the account exists but is OAuth-only (no password), returns 401 directing to social login.
📄️ Initiates password reset. Persists a reset token challenge and sends a reset link via email. Always returns 200 regardless of whether the email matches an account, to prevent user enumeration.
📄️ Completes password reset using a valid, unexpired reset token. Hashes and stores the new password, then deletes the used token.
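A challenge store covering both the email verification endpoints (send code, verify code) and the two password reset endpoints above, as an added example that is not the project's code. It shows the behaviours the index describes: issuing a code invalidates the user's earlier challenges, a successful verification consumes the row, the reset request answers 200 whether or not the email exists, and a reset token is single-use and time-limited. Two things the index does not spell out but a practitioner wants are included: secrets are hashed at rest, and the 6-digit code carries an attempt cap, since a million guesses is a small online search. All class and method names are assumptions.

```python
"""Challenge store for e-mail verification codes and password-reset tokens.

Added example, not the project's code; ChallengeStore, User, Challenge and
the method names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


def _h(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    user_id: str
    email: str
    email_verified: bool = False
    pw_salt: bytes = b""
    pw_hash: bytes = b""


@dataclass
class Challenge:
    kind: str            # "email_verify" or "password_reset"
    user_id: str
    secret_hash: str     # hash of the code/token; the secret itself is never stored
    expires_at: float
    attempts_left: int


class ChallengeStore:
    CODE_TTL = 600        # verification code lifetime, seconds
    RESET_TTL = 3600      # reset link lifetime, seconds
    MAX_ATTEMPTS = 5      # wrong guesses before a 6-digit code is burned

    def __init__(self, users: Iterable[User]) -> None:
        self.users: Dict[str, User] = {u.user_id: u for u in users}
        self.by_email: Dict[str, User] = {u.email.lower(): u for u in self.users.values()}
        self.challenges: Dict[str, Challenge] = {}      # challenge id -> row

    def _invalidate(self, user_id: str, kind: str) -> None:
        # Only the most recently issued challenge of a kind is ever valid.
        self.challenges = {cid: c for cid, c in self.challenges.items()
                           if not (c.user_id == user_id and c.kind == kind)}

    def send_verification_code(self, user_id: str, now: float) -> str:
        self._invalidate(user_id, "email_verify")
        code = f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[secrets.token_hex(8)] = Challenge(
            "email_verify", user_id, _h(code), now + self.CODE_TTL, self.MAX_ATTEMPTS)
        return code   # goes into the e-mail only; a real API would not return it

    def verify_code(self, user_id: str, code: str, now: float) -> bool:
        for cid, c in list(self.challenges.items()):
            if c.kind != "email_verify" or c.user_id != user_id:
                continue
            if now > c.expires_at:
                del self.challenges[cid]
                return False
            if hmac.compare_digest(c.secret_hash, _h(code)):
                del self.challenges[cid]                 # consumed
                self.users[user_id].email_verified = True
                return True
            c.attempts_left -= 1
            if c.attempts_left <= 0:
                del self.challenges[cid]                 # burned; user must request a new code
            return False
        return False

    def request_password_reset(self, email: str, now: float) -> Tuple[int, Optional[str]]:
        """Returns (status, token). Status is 200 for unknown e-mails as well."""
        user = self.by_email.get(email.lower())
        if user is None:
            return 200, None                # same response; nothing is sent
        self._invalidate(user.user_id, "password_reset")
        token = secrets.token_urlsafe(32)
        self.challenges[secrets.token_hex(8)] = Challenge(
            "password_reset", user.user_id, _h(token), now + self.RESET_TTL, 1)
        return 200, token                   # token goes into the e-mailed link only

    def complete_password_reset(self, token: str, new_password: str, now: float) -> bool:
        h = _h(token)
        for cid, c in list(self.challenges.items()):
            if c.kind == "password_reset" and hmac.compare_digest(c.secret_hash, h):
                del self.challenges[cid]                 # single use, even when expired
                if now > c.expires_at:
                    return False
                user = self.users[c.user_id]
                user.pw_salt = secrets.token_bytes(16)
                user.pw_hash = _pw_hash(new_password, user.pw_salt)
                return True
        return False

    def check_password(self, email: str, password: str) -> bool:
        user = self.by_email.get(email.lower())
        if user is None or not user.pw_hash:
            return False
        return hmac.compare_digest(_pw_hash(password, user.pw_salt), user.pw_hash)
```

The constant 200 only removes the obvious enumeration signal; the request path should also take the same time for known and unknown addresses, which in practice means queueing the e-mail rather than sending it inline.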
📄️ Lists available authentication providers (OAuth + passkeys) and whether each is enabled on this deployment. Called by the dashboard's login screen to decide which buttons to render, and intended for SDK consumption to discover the auth surface programmatically before initiating an OAuth or passkey flow.
📄️ Exchanges the refresh-token cookie for a fresh access token + a rotated refresh token. Cookies are re-set on the response; no token material is returned in the body. Browser-only by design.
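A minimal model of the refresh-token lineage that the logout and refresh endpoints above refer to, as an added example that is not the project's code. It shows what "rotated refresh token" and "invalidates the refresh-token lineage" mean operationally: each login starts a lineage, every refresh exchange issues a new pair and retires the old refresh token, logout revokes the whole lineage, and presenting a refresh token that has already been rotated is treated as a stolen copy and revokes the lineage too. Tokens are stored only as hashes. Class and method names are assumptions.

```python
"""Refresh-token rotation with lineage (family) revocation.

Added example, not the project's code; TokenStore, Lineage and the method
names are assumptions for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Lineage:
    user_id: str
    started_at: float
    current_hash: str = ""                                  # the one refresh token still valid
    seen_hashes: Set[str] = field(default_factory=set)      # every refresh token ever issued
    revoked: bool = False


class TokenStore:
    def __init__(self, access_ttl: float = 900, lineage_ttl: float = 30 * 86400) -> None:
        self.access_ttl = access_ttl
        self.lineage_ttl = lineage_ttl      # absolute lifetime; rotation does not extend it
        self.lineages: Dict[str, Lineage] = {}
        self.access: Dict[str, Tuple[str, str, float]] = {}   # hash -> (user, lineage, expiry)

    def _issue_pair(self, lineage_id: str, now: float) -> Tuple[str, str]:
        lin = self.lineages[lineage_id]
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[_h(access)] = (lin.user_id, lineage_id, now + self.access_ttl)
        lin.current_hash = _h(refresh)      # previous refresh token is now retired
        lin.seen_hashes.add(lin.current_hash)
        return access, refresh

    def login(self, user_id: str, now: float) -> Tuple[str, str]:
        lineage_id = secrets.token_urlsafe(16)
        self.lineages[lineage_id] = Lineage(user_id=user_id, started_at=now)
        return self._issue_pair(lineage_id, now)

    def authenticate(self, access_token: str, now: float) -> Optional[str]:
        entry = self.access.get(_h(access_token))
        if entry is None:
            return None
        user_id, lineage_id, expiry = entry
        if now > expiry or self.lineages[lineage_id].revoked:
            return None
        return user_id

    def refresh(self, refresh_token: str, now: float) -> Optional[Tuple[str, str]]:
        h = _h(refresh_token)
        for lineage_id, lin in self.lineages.items():
            if h not in lin.seen_hashes:
                continue
            if lin.revoked or now > lin.started_at + self.lineage_ttl:
                return None
            if h != lin.current_hash:
                # An already-rotated token was replayed: either the real client or an
                # attacker holds a stale copy, so nothing in this lineage is trusted.
                self.revoke_lineage(lineage_id)
                return None
            return self._issue_pair(lineage_id, now)
        return None

    def revoke_lineage(self, lineage_id: str) -> None:
        self.lineages[lineage_id].revoked = True
        self.access = {h: v for h, v in self.access.items() if v[1] != lineage_id}

    def logout(self, access_token: str) -> bool:
        entry = self.access.get(_h(access_token))
        if entry is None:
            return False
        self.revoke_lineage(entry[1])
        return True
```

In a cookie-based deployment like the one described, the reuse check is what makes a leaked refresh cookie detectable: the legitimate browser will eventually present its newer token, the attacker will present the stale one, and whichever comes second trips the check and ends the lineage for both.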
📄️ Creates a new user account. Default behavior is to also create a single-user organization with the user as owner. For invited flows, see auth.complete_invitation (separate route).
📄️ Discovery endpoint for enterprise SSO. The dashboard's login form calls this with the user's email after they type it; SDKs can call it before invoking password login to branch the UX onto SSO when the user's org requires it.