API Reference
Authentication API
Full REST reference for account auth — register, login, OAuth, OTP, session management, two-factor (TOTP), and passkeys.
cm_ API keys. Access tokens last 24h; refresh tokens last 7d and rotate on use. Auth endpoints are rate-limited per IP (5–10 req/min)./api/v1/auth/registerEmail/password signup — sends a verification OTP
Request Body
emailstring (required)passwordstring (min 8 chars)namestringtenant_namestring (organization name)/api/v1/auth/register/verifyComplete signup by submitting the emailed OTP
Request Body
emailstringcodestring (6-digit OTP)/api/v1/auth/loginPassword login — returns access + refresh tokens (or a 2FA challenge)
Request Body
emailstringpasswordstring/api/v1/auth/googleGoogle OAuth login or signup
Request Body
id_tokenstring (Google ID token)/api/v1/auth/refreshRotate the JWT using a valid refresh token
Request Body
refresh_tokenstring/api/v1/auth/logout AuthRevoke the current refresh token
/api/v1/auth/me AuthGet the current authenticated user profile
/api/v1/auth/otp/sendSend a one-time code for login or password reset
Request Body
emailstringpurposelogin | reset/api/v1/auth/otp/loginLog in with an emailed OTP (passwordless)
Request Body
emailstringcodestring/api/v1/auth/reset-passwordReset password using an OTP
Request Body
emailstringcodestringnew_passwordstring/api/v1/auth/sessions AuthList active refresh-token sessions (device, IP, last seen)
/api/v1/auth/sessions/:session_id AuthRevoke a single session
/api/v1/auth/sessions AuthRevoke all sessions except the current one
/api/v1/auth/2fa/status AuthCheck TOTP enrollment status
/api/v1/auth/2fa/setup AuthBegin TOTP setup — returns provisioning URI + secret
/api/v1/auth/2fa/enable AuthConfirm TOTP with a code — returns backup codes
Request Body
codestring (6-digit TOTP)/api/v1/auth/2fa/disable AuthDisable TOTP
Request Body
codestring/api/v1/auth/2fa/verifyComplete a login that returned a 2FA challenge
Request Body
challenge_tokenstringcodestring/api/v1/auth/2fa/backup-codes/regenerate AuthGenerate a fresh set of backup codes
/api/v1/auth/passkey/list AuthList registered WebAuthn passkeys
/api/v1/auth/passkey/register/options AuthGet a WebAuthn registration challenge
/api/v1/auth/passkey/register/verify AuthComplete passkey registration
/api/v1/auth/passkey/login/verifyLog in with a passkey assertion
/api/v1/auth/passkey/:passkey_id AuthRename a passkey
Request Body
namestring/api/v1/auth/passkey/:passkey_id AuthRemove a passkey