API Reference
Complete reference for the REST endpoints and signed callbacks that ship with AuthCore.
Overview
API architecture, authentication, and base URLs
Authentication
Login, register, logout, and 2FA endpoints
User Management
CRUD operations for user profiles and settings
Organizations
Multi-tenant org management and invitations
Security
Security settings, lockouts, and restrictions
Billing
Subscription and invoice management
Webhooks
Event webhooks and signature verification
Quick Start
AuthCore relies on NextAuth session cookies. Browser clients automatically forward the authcore.session-token cookie to protected routes.
await fetch('/api/user/profile', {
  credentials: 'include',
  headers: { 'Content-Type': 'application/json' },
})
For service-to-service calls, mint a short-lived token in your backend and forward it as an Authorization: Bearer ... header.
Base URL
https://your-domain.com/api
Each endpoint mounts under /api, for example /api/auth/policy, /api/tenant/invitations, and /api/user/devices.