API Reference

Authentication API

Full REST reference for account auth — register, login, OAuth, OTP, session management, two-factor (TOTP), and passkeys.

Note: These endpoints power the dashboard's auth flows. They use JWT (access + refresh tokens), not cm_ API keys. Access tokens last 24h; refresh tokens last 7d and rotate on use. Auth endpoints are rate-limited per IP (5–10 req/min).

POST /api/v1/auth/register

Email/password signup — sends a verification OTP

Request Body

email string (required)
password string (min 8 chars)
name string
tenant_name string (organization name)

POST /api/v1/auth/register/verify

Complete signup by submitting the emailed OTP

Request Body

email string
code string (6-digit OTP)

POST /api/v1/auth/login

Password login — returns access + refresh tokens (or a 2FA challenge)

Request Body

email string
password string

POST /api/v1/auth/google

Google OAuth login or signup

Request Body

id_token string (Google ID token)

POST /api/v1/auth/refresh

Rotate the JWT using a valid refresh token

Request Body

refresh_token string
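
Because refresh tokens rotate on use, a client has to store the new pair returned by every POST /api/v1/auth/refresh call and must not send the same refresh token twice. The following Python client is an added example, not code from this API or its vendor. The response fields access_token and refresh_token, the 401 rejection, the injected post transport and the fake server are assumptions, since this page does not document response bodies.

```python
import threading
import time

ACCESS_TTL = 24 * 3600  # from the page: access tokens last 24h
SKEW = 60               # assumption: rotate this many seconds before expiry


class TokenStore:
    """Keeps the current token pair and rotates it via /api/v1/auth/refresh."""

    def __init__(self, post, access, refresh, now=time.time):
        self._post = post  # hypothetical transport: post(path, body) -> (status, dict)
        self._now = now
        self._lock = threading.Lock()
        self._set(access, refresh)

    def _set(self, access, refresh):
        self._access, self._refresh = access, refresh
        self._expires_at = self._now() + ACCESS_TTL

    def access_token(self):
        """Return a usable access token, rotating first if it is near expiry."""
        with self._lock:  # single-flight: one refresh token is never sent twice
            if self._now() >= self._expires_at - SKEW:
                self._rotate()
            return self._access

    def _rotate(self):
        status, body = self._post("/api/v1/auth/refresh", {"refresh_token": self._refresh})
        if status != 200:
            # Expired (7d) or revoked refresh token: discard state, force re-login.
            self._access = self._refresh = None
            raise PermissionError("refresh rejected; log in again")
        # Assumed response field names; the page does not document them.
        self._set(body["access_token"], body["refresh_token"])


def make_fake_server(initial_refresh):
    """Constructed stand-in for the API: rotates on use, rejects stale tokens."""
    state = {"valid": initial_refresh, "n": 0}
    def post(path, body):
        if body.get("refresh_token") != state["valid"]:
            return 401, {}  # assumed status for a stale or unknown token
        state["n"] += 1
        state["valid"] = f"r{state['n']}"
        return 200, {"access_token": f"a{state['n']}", "refresh_token": state["valid"]}
    return post
```
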

POST /api/v1/auth/logout Auth

Revoke the current refresh token

GET /api/v1/auth/me Auth

Get the current authenticated user profile

POST /api/v1/auth/otp/send

Send a one-time code for login or password reset

Request Body

email string
purpose login | reset

POST /api/v1/auth/otp/login

Log in with an emailed OTP (passwordless)

Request Body

email string
code string

POST /api/v1/auth/reset-password

Reset password using an OTP

Request Body

email string
code string
new_password string

GET /api/v1/auth/sessions Auth

List active refresh-token sessions (device, IP, last seen)

DELETE /api/v1/auth/sessions/:session_id Auth

Revoke a single session

DELETE /api/v1/auth/sessions Auth

Revoke all sessions except the current one

GET /api/v1/auth/2fa/status Auth

Check TOTP enrollment status

POST /api/v1/auth/2fa/setup Auth

Begin TOTP setup — returns provisioning URI + secret

POST /api/v1/auth/2fa/enable Auth

Confirm TOTP with a code — returns backup codes

Request Body

code string (6-digit TOTP)

POST /api/v1/auth/2fa/disable Auth

Disable TOTP

Request Body

code string

POST /api/v1/auth/2fa/verify

Complete a login that returned a 2FA challenge

Request Body

challenge_token string
code string

POST /api/v1/auth/2fa/backup-codes/regenerate Auth

Generate a fresh set of backup codes

GET /api/v1/auth/passkey/list Auth

List registered WebAuthn passkeys

POST /api/v1/auth/passkey/register/options Auth

Get a WebAuthn registration challenge

POST /api/v1/auth/passkey/register/verify Auth

Complete passkey registration

POST /api/v1/auth/passkey/login/verify

Log in with a passkey assertion

PATCH /api/v1/auth/passkey/:passkey_id Auth

Rename a passkey

Request Body

name string

DELETE /api/v1/auth/passkey/:passkey_id Auth

Remove a passkey