Authentication API
Endpoints and signed callbacks that power AuthCore registration, credential login, passwordless flows, account recovery, and two-factor enforcement.
Public endpoints use the authRoute middleware, which rate-limits requests (5 per 15 minutes per IP) and records audit logs. Private endpoints require a signed NextAuth session and are wrapped with protectedRoute.
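The limit above is all the page states about authRoute. The following is an added example, not AuthCore's own middleware: a fixed-window per-IP limiter with the page's numbers (5 requests per 15 minutes), an audit record written for every decision, and a client-IP helper that only honours X-Forwarded-For behind a trusted proxy. The in-memory store, the function names, and the injectable clock are assumptions made for illustration.

```typescript
// Added example (not AuthCore's code): fixed-window rate limiting as authRoute
// is described, plus audit logging and a proxy-aware client IP lookup.

interface Bucket {
  count: number;
  resetAt: number; // epoch ms at which the window rolls over
}

export interface RateLimitResult {
  allowed: boolean;
  remaining: number;
  retryAfterSeconds: number; // 0 when allowed
}

export class FixedWindowRateLimiter {
  private readonly buckets = new Map<string, Bucket>();

  constructor(
    private readonly limit = 5,
    private readonly windowMs = 15 * 60 * 1000,
    // Injectable clock so the behaviour is deterministic in tests.
    public readonly clock: () => number = () => Date.now(),
  ) {}

  check(ip: string): RateLimitResult {
    const t = this.clock();
    let b = this.buckets.get(ip);
    if (!b || t >= b.resetAt) {
      // First request for this IP, or the previous window has expired.
      b = { count: 0, resetAt: t + this.windowMs };
      this.buckets.set(ip, b);
    }
    if (b.count >= this.limit) {
      return {
        allowed: false,
        remaining: 0,
        retryAfterSeconds: Math.ceil((b.resetAt - t) / 1000),
      };
    }
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count, retryAfterSeconds: 0 };
  }
}

export interface AuditEntry {
  at: number;
  ip: string;
  route: string;
  allowed: boolean;
}

// Wraps a handler the way a public route guard would: log, then either 429 or run.
export function authRouteGuard(
  limiter: FixedWindowRateLimiter,
  route: string,
  audit: AuditEntry[],
) {
  return (ip: string, handler: () => { status: number }): { status: number; retryAfter?: number } => {
    const result = limiter.check(ip);
    audit.push({ at: limiter.clock(), ip, route, allowed: result.allowed });
    if (!result.allowed) return { status: 429, retryAfter: result.retryAfterSeconds };
    return handler();
  };
}

// Only trust X-Forwarded-For when a known reverse proxy sits in front of the app;
// otherwise any client can set the header and pick its own bucket. With a single
// trusted proxy, the address it appended is the LAST entry, so take that one.
export function clientIp(
  headers: Record<string, string | undefined>,
  remoteAddress: string,
  trustProxy: boolean,
): string {
  if (trustProxy) {
    const xff = headers["x-forwarded-for"];
    if (xff) {
      const parts = xff.split(",").map((p) => p.trim()).filter(Boolean);
      if (parts.length > 0) return parts[parts.length - 1];
    }
  }
  return remoteAddress;
}
```

The per-IP key is only as good as the address it is derived from, which is why clientIp takes an explicit trustProxy flag rather than reading the header unconditionally.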
Discover tenant policy
Resolve which login options, MFA requirements, and approval rules apply before rendering any form.
/api/auth/policy?tenantDomain=acme
When multi-tenancy is enabled, pass either the tenant domain or slug. The response mirrors buildAuthFlowPolicy so UI and server logic stay aligned.
Register
Creates a new user, enforces password policy, and returns the follow-up steps the UI should surface.
/api/auth/register
- Soft-deleted accounts within the retention window return USER_SOFT_DELETED so you can direct the user to the restore flow.
- Every successful registration includes a steps array. Render each step instead of assuming success.
Credential login + preflight
Use the lightweight preflight endpoint to determine if a TOTP prompt is required before calling NextAuth.
/api/auth/check-2fa
If requires2FA is true, prompt for TOTP or email OTP before continuing.
Actual credential login is handled by NextAuth's credentials provider located at /api/auth/[...nextauth].
Passwordless magic links
Queue email magic links and handle single-use token redemption.
/api/auth/magic-link
The mailer injects tenant branding and signs the callback URL automatically.
/api/auth/verify?token=...
Clicking the link verifies the token, mints the NextAuth session cookie, and redirects to /demo/dashboard by default.
Email verification & approvals
/api/auth/verify-email
Marks emailVerified and deletes the verification token.
/api/auth/resend-verification
Returns 200 even if the user is already verified to avoid enumeration.
Password reset
Two endpoints cover the request/consume lifecycle and never leak whether an account exists.
/api/auth/forgot-password
/api/auth/reset-password
Account restore (soft-deleted users)
Restore requests respect the configured retention window and never reveal if an account was deleted.
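The magic-link, resend-verification, password-reset and restore sections above all rely on the same two properties: single-use, expiring tokens, and a response that is identical whether or not the address is registered. The block below is an added example of that request/consume lifecycle, not AuthCore's implementation. The in-memory store, the example.invalid base URL, the 15-minute lifetime and the function names are assumptions.

```typescript
// Added example (not AuthCore's code): enumeration-safe token request plus
// single-use, expiring redemption, as a password-reset flow would do it.
import { createHash, randomBytes } from "crypto";

interface User {
  id: string;
  email: string;
}

interface StoredToken {
  userId: string;
  expiresAt: number; // epoch ms
  usedAt?: number;   // set on first successful redemption
}

// Constructed in-memory stand-ins for the user table, token table and mail queue.
export class TokenStore {
  readonly users = new Map<string, User>();          // key: lower-cased email
  readonly tokens = new Map<string, StoredToken>();  // key: sha256(token), hex
  readonly outbox: { to: string; link: string }[] = [];
}

const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// One fixed reply for every request, so the body cannot reveal whether the
// address exists. Callers must not branch on anything else either.
export const GENERIC_RESPONSE = Object.freeze({
  status: 200,
  body: { ok: true, message: "If that address is registered, an email is on its way." },
});

export function requestResetLink(
  store: TokenStore,
  emailInput: string,
  nowMs: number,
  ttlMs = 15 * 60 * 1000, // assumed lifetime; the page does not state one
) {
  const email = emailInput.trim().toLowerCase();
  const user = store.users.get(email);

  // Generate and hash a token on every request, so the known/unknown paths do
  // roughly the same work and the timing difference stays small.
  const token = randomBytes(32).toString("hex");
  const tokenHash = sha256(token);

  if (user) {
    // Only the hash is stored: a database read does not yield a usable token.
    store.tokens.set(tokenHash, { userId: user.id, expiresAt: nowMs + ttlMs });
    store.outbox.push({
      to: email,
      link: `https://example.invalid/api/auth/reset-password?token=${token}`,
    });
  }
  return GENERIC_RESPONSE;
}

export function consumeResetToken(
  store: TokenStore,
  token: string,
  nowMs: number,
): { ok: boolean; userId?: string } {
  // Lookup is by hash of a 256-bit random value; a miss reveals nothing useful.
  const rec = store.tokens.get(sha256(token));
  if (!rec) return { ok: false };
  if (rec.usedAt !== undefined) return { ok: false }; // single-use
  if (nowMs > rec.expiresAt) return { ok: false };     // expired
  rec.usedAt = nowMs;
  return { ok: true, userId: rec.userId };
}
```

The consume step deliberately returns the same { ok: false } for unknown, used and expired tokens; which of the three applies belongs in the audit log, not in the HTTP response.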
/api/auth/restore-request
/api/auth/restore
Two-factor lifecycle
All two-factor routes require an authenticated session via protectedRoute.
/api/auth/2fa/setup
/api/auth/2fa/verify
/api/auth/2fa/disable
/api/auth/2fa/backup-codes
Backup codes and disable flows require a current TOTP token to prevent hijacking.