Authentication

Token-based authentication. Sign up, log in to receive tokens, and include the idToken as a Bearer token in all authenticated requests.

🔑 Auth flow: POST /auth/signup → POST /auth/login → use the returned idToken as Authorization: Bearer <idToken>. Tokens expire in 1 hour. Use /auth/refresh to get new tokens.

Sign Up

POST /auth/signup

Register a new user account. After signup, the account is immediately active — no email verification step required.

Request Parameters

email* (string): User's email address. Must be unique.
password* (string): Password. Must include uppercase, lowercase, number, and special character.
firstName* (string): User's first name.
lastName* (string): User's last name.

Response Fields

message (string): Success confirmation message.
userId (string): Unique user identifier (UUID).
apiKey (string): API key for x-api-key header.

ℹ️ If the email is already registered, you'll receive a 400 error with "User already exists".

// POST /auth/signup
{
  "email": "user@example.com",
  "password": "SecurePass1!",
  "firstName": "John",
  "lastName": "Doe"
}

Login

POST /auth/login

Authenticate with email and password to receive JWT tokens. The idToken is used for API authentication, the accessToken for Cognito operations, and the refreshToken to get new tokens.

Request Parameters

email* (string): Registered email address.
password* (string): Account password.

Response Fields

idToken (string): JWT token for API authentication (Bearer token). Expires in 1 hour.
accessToken (string): Cognito access token.
refreshToken (string): Token to refresh expired tokens without re-login.
apiKey (string): API key for x-api-key header.
firstName (string): User's first name.
lastName (string): User's last name.
email (string): User's email.

// POST /auth/login
{
  "email": "user@example.com",
  "password": "SecurePass1!"
}

Refresh Tokens

POST /auth/refresh

Get new tokens using a valid refresh token. Use this when your idToken expires (after 1 hour) instead of re-logging in.

Request Parameters

refreshToken* (string): The refresh token from login.

Response Fields

idToken (string): New JWT token for API authentication.
accessToken (string): New Cognito access token.

// POST /auth/refresh
{
  "refreshToken": "eyJhbGciOi..."
}
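
Added example (not part of the original documentation or the API provider's code): a client that holds the tokens from /auth/login and renews the idToken through /auth/refresh shortly before the documented 1-hour expiry, keeping the original refreshToken because the refresh response lists no new one. The class name TokenSession, the 60-second margin, and the injectable post and clock parameters are assumptions.

```python
import json
import time
import urllib.request

TOKEN_LIFETIME = 3600   # from the page: idToken expires in 1 hour
REFRESH_MARGIN = 60     # assumption: refresh one minute early to absorb clock skew


def http_post(url, body):
    """Default transport: POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class TokenSession:
    """Holds the tokens from /auth/login and renews the idToken via /auth/refresh."""

    def __init__(self, base_url, post=http_post, clock=time.monotonic):
        self.base_url = base_url.rstrip("/")
        self._post, self._clock = post, clock
        self._id_token = self._refresh_token = None
        self._expires_at = 0.0

    def login(self, email, password):
        data = self._post(self.base_url + "/auth/login",
                          {"email": email, "password": password})
        # The refresh response documents no new refreshToken, so keep this one.
        self._refresh_token = data["refreshToken"]
        self._store(data)

    def _store(self, data):
        # Tokens stay in memory only; never write them to logs or error messages.
        self._id_token = data["idToken"]
        self._expires_at = self._clock() + TOKEN_LIFETIME - REFRESH_MARGIN

    def auth_header(self):
        """Return the Authorization header, refreshing first if the idToken is stale."""
        if self._id_token is None:
            raise RuntimeError("call login() first")
        if self._clock() >= self._expires_at:
            self._store(self._post(self.base_url + "/auth/refresh",
                                   {"refreshToken": self._refresh_token}))
        return {"Authorization": "Bearer " + self._id_token}
```

Call auth_header() before every authenticated request rather than caching its result, so an expired idToken is never sent.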

Logout

POST /auth/logout

Invalidate the current session. The request must include the access token to revoke.

Request Parameters

accessToken* (string): The access token to invalidate.

Response Fields

message (string): Logout confirmation.

// POST /auth/logout
// Authorization: Bearer <idToken>
{
  "accessToken": "eyJhbGciOi..."
}