API Reference

Full reference for all AuthSaas REST endpoints. All requests and responses use JSON.

Base URL#

https://your-domain.com/api/v1

Authentication Endpoints#

These endpoints authenticate end users of your app. All require a valid clientId.

Register a user#

POST/auth/register

Parameter	Type	Required	Description
clientId	string	required	Your app client ID
email	string (email)	required	User email address
password	string	required	Min 8 characters
name	string	optional	Display name

Response · 201

{
  "success": true,
  "data": {
    "user": { "id": "usr_xxx", "email": "user@example.com", "name": null, "roles": [], "emailVerified": false },
    "tokens": { "accessToken": "eyJ...", "refreshToken": "eyJ...", "expiresIn": 900 }
  }
}

POST/auth/login

Parameter	Type	Required	Description
clientId	string	required	Your app client ID
email	string (email)	required	User email address
password	string	required	User password

Response · 200

{
  "success": true,
  "data": { "accessToken": "eyJ...", "refreshToken": "eyJ...", "expiresIn": 900 }
}

Refresh tokens#

POST/auth/refresh

Issues a new token pair. The submitted refresh token is immediately invalidated (rotation). Reuse detection revokes all user sessions.

Parameter	Type	Required	Description
refreshToken	string	optional	Omit if using httpOnly cookie

Response · 200

{
  "success": true,
  "data": { "accessToken": "eyJ...", "refreshToken": "eyJ...", "expiresIn": 900 }
}

⚠ Warning

Never store refresh tokens in localStorage. The SDK stores them in sessionStorage by default, or you can configure httpOnly cookie mode for maximum security.

Logout#

POST/auth/logout

Revokes all refresh tokens for the user. Requires a valid access token in the Authorization header.

curl -X POST /api/v1/auth/logout \
  -H "Authorization: Bearer <access_token>"

Verify email#

GET/auth/verify

Verifies a user's email address using the token sent in the verification email. Called automatically when the user clicks the link in their inbox.

Parameter	Type	Required	Description
token	string (query)	required	Verification token from email link
email	string (query)	required	User email address

Response · 200

{
  "success": true,
  "data": { "message": "Email verified successfully." }
}

Resend verification email#

POST/auth/resend-verification

Re-sends the verification email. Rate-limited to 3 requests per 15 minutes per IP.

Parameter	Type	Required	Description
clientId	string	required	Your app client ID
email	string	required	User email address

ℹ Note

Generating a new token invalidates the previous one.

Tenant Endpoints#

These endpoints are for developers managing their apps. Protected routes require a tenant JWT.

Register as developer#

POST/tenant/register

Parameter	Type	Required	Description
name	string	required	Your full name or company name
email	string (email)	required	Developer email
password	string	required	Min 8 characters

POST/tenant/login

List apps#

GET/tenant/appsRequires Bearer token

Create app#

POST/tenant/appsRequires Bearer token

Parameter	Type	Required	Description
name	string	required	App name
description	string	optional	Short description
allowedOrigins	string[]	required	CORS origins e.g. ["https://myapp.com"]

Response · 201

{
  "success": true,
  "data": {
    "app": { "id": "app_xxx", "clientId": "client_xxx", "name": "My App", "isActive": true },
    "clientSecret": "sas_abc123def456..."
  }
}

✕ Danger

clientSecret is returned once only. It is hashed server-side and cannot be recovered. Rotate via POST /tenant/apps/:id/rotate if lost.

Rotate client secret#

POST/tenant/apps/:id/rotateRequires Bearer token

Invalidates the current secret and returns a new one. Existing app users are unaffected — only API calls using the old secret will fail.

User Management#

Manage users within a specific app. All endpoints require a tenant Bearer token and an appId parameter scoped to the authenticated tenant.

List users#

GET/users?appId=xxxRequires tenant Bearer token

Response · 200

{
  "success": true,
  "data": [
    {
      "id": "usr_xxx",
      "email": "user@example.com",
      "name": "Jane Doe",
      "emailVerified": true,
      "isActive": true,
      "roles": ["user"],
      "createdAt": "2024-01-15T10:30:00.000Z"
    }
  ]
}

Toggle user status#

PATCH/users/:userIdRequires tenant Bearer token

Toggles the isActive flag for the specified user. Deactivated users cannot log in and will receive an ACCOUNT_DISABLED error.

Parameter	Type	Required	Description
appId	string	required	App ID scoped to the authenticated tenant

Set user roles#

PUT/users/:userId/rolesRequires tenant Bearer token

Replaces all current roles for the user in this app with the given array.

Parameter	Type	Required	Description
appId	string	required	App ID scoped to the authenticated tenant
roles	string[]	required	Complete desired roles array for this user

⚠ Warning

This is a full replace, not a merge. Pass the complete desired roles array. Pass an empty array [] to remove all roles.

Role Management#

Three default roles are created automatically for every new app: owner, admin, and user. You can create additional custom roles.

Role	Permissions
user	read:profile, write:profile
admin	+ read:users, write:users, read:audit, read:sessions
owner	+ delete:users, read:roles, write:roles, delete:sessions

List roles#

GET/roles?appId=xxxRequires tenant Bearer token

Response · 200

{
  "success": true,
  "data": [
    {
      "id": "role_xxx",
      "name": "editor",
      "description": "Can read and write content",
      "permissions": ["read:profile", "write:profile", "read:users"],
      "userCount": 12
    }
  ]
}

Create role#

POST/rolesRequires tenant Bearer token

Parameter	Type	Required	Description
appId	string	required	App ID scoped to the authenticated tenant
name	string	required	Role name (min 2 characters)
description	string	optional	Short description of the role
permissions	string[]	optional	Initial permissions e.g. ["read:users","write:users"]

Response · 201

{
  "success": true,
  "data": { "id": "role_xxx", "name": "editor", "permissions": [], "userCount": 0 }
}

Update role permissions#

PUT/roles/:roleId/permissionsRequires tenant Bearer token

Full replace of permissions for the role. Available permission strings:

read:profile    write:profile
read:users      write:users     delete:users
read:roles      write:roles
read:audit
read:sessions   delete:sessions

Parameter	Type	Required	Description
appId	string	required	App ID scoped to the authenticated tenant
permissions	string[]	required	Complete desired permissions array for this role

Error codes#

All errors follow a consistent shape:

{ "success": false, "error": "Human readable message", "code": "ERROR_CODE" }

Code	Status	Meaning
INVALID_CLIENT	401	clientId not found or app is disabled
EMAIL_TAKEN	409	Email already registered in this app
INVALID_CREDENTIALS	401	Wrong email or password
ACCOUNT_DISABLED	403	User account has been deactivated
INVALID_TOKEN	401	Token not found or already used
TOKEN_REUSE	401	Refresh token reuse — all sessions revoked
TOKEN_EXPIRED	401	Refresh token has expired
UNAUTHORIZED	401	Missing or invalid Authorization header
NOT_FOUND	404	Resource not found
VALIDATION_ERROR	400	Request body failed validation
INTERNAL_ERROR	500	Unexpected server error
ALREADY_VERIFIED	409	Email already verified
EMAIL_NOT_VERIFIED	403	Email not yet verified
RATE_LIMITED	429	Too many requests, see Retry-After header
ROLE_NOT_FOUND	404	Role not found
ROLE_EXISTS	409	Role name already exists in this app
FORBIDDEN	403	Insufficient role for this operation

API Reference

Base URL#

Authentication Endpoints#

Register a user#

Login#

Refresh tokens#

Logout#

Verify email#

Resend verification email#

Tenant Endpoints#

Register as developer#

Developer login#

List apps#

Create app#

Rotate client secret#

User Management#

List users#

Toggle user status#

Set user roles#

Role Management#

List roles#

Create role#

Update role permissions#

Error codes#