Authentication Process

  1. Sign In: POST /auth/signin with email/password
  2. Receive Cookie: Session cookie automatically set
  3. Make Requests: Cookie included automatically in subsequent requests

Endpoints

Sign In

POST /auth/signin
{
  "email": "[email protected]",
  "password": "password123"
}

Sign Out

POST /auth/signout

Session Validation

POST /auth/session/validate

Implementation

// Sign in: the server answers with Set-Cookie for the HttpOnly session cookie,
// which the browser stores; the script never sees or handles it.
const res = await fetch('/api/v1/auth/signin', {
  method: 'POST',
  credentials: 'include',  // Important! Lets the browser accept and store the session cookie
  headers: { 'Content-Type': 'application/json' },  // the body is JSON
  body: JSON.stringify({ email, password })
});
if (!res.ok) {
  // e.g. INVALID_CREDENTIALS (see Error Codes)
  throw new Error(`Sign-in failed with HTTP ${res.status}`);
}

// Authenticated requests: the browser attaches the session cookie automatically
await fetch('/api/v1/users', {
  credentials: 'include'  // Include cookies
});
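The flow above wrapped in a small client, as an added example that is not part of the original docs: one function sends every request with the session cookie and a JSON Content-Type, and the error codes from the Error Codes list are surfaced as a typed error so callers can tell "logged out" from "forbidden". The /api/v1 base path, the error envelope { "error": { "code": "..." } } and the function names are assumptions.

```javascript
// Added example, not from the original docs: a small browser client for the
// cookie-session flow. The /api/v1 base path and the error envelope
// { "error": { "code": "..." } } are assumptions about this API.

const API_BASE = '/api/v1';

class ApiError extends Error {
  constructor(code, status) {
    super(`${code} (HTTP ${status})`);
    this.code = code;     // INVALID_CREDENTIALS, INVALID_SESSION, FORBIDDEN, ...
    this.status = status;
  }
}

// Single choke point: every request carries the HttpOnly session cookie via
// credentials: 'include' and sends JSON with the right Content-Type. The script
// never touches the cookie itself, so injected JavaScript has nothing to read.
async function apiFetch(path, { method = 'GET', body, fetchImpl = globalThis.fetch } = {}) {
  const init = { method, credentials: 'include', headers: { Accept: 'application/json' } };
  if (body !== undefined) {
    init.headers['Content-Type'] = 'application/json';
    init.body = JSON.stringify(body);
  }
  const res = await fetchImpl(`${API_BASE}${path}`, init);
  const data = await res.json().catch(() => ({}));
  if (!res.ok) {
    // Assumed error envelope; the code names come from the Error Codes list.
    throw new ApiError(data.error?.code ?? 'UNKNOWN', res.status);
  }
  return data;
}

function signIn(email, password, opts) {
  return apiFetch('/auth/signin', { ...opts, method: 'POST', body: { email, password } });
}

function signOut(opts) {
  return apiFetch('/auth/signout', { ...opts, method: 'POST' });
}

// Ask the server whether the cookie still maps to a live session: the session is
// validated against the database, so a cached "logged in" flag in the UI is not enough.
async function hasValidSession(opts) {
  try {
    await apiFetch('/auth/session/validate', { ...opts, method: 'POST' });
    return true;
  } catch (err) {
    if (err instanceof ApiError && err.code === 'INVALID_SESSION') return false;
    throw err; // network failure, FORBIDDEN, etc. do not mean "logged out"
  }
}
```

The `fetchImpl` option exists so the wrapper can be exercised against a fake server in tests; in the browser the default `globalThis.fetch` is used.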

Security Features

  • HttpOnly cookies (the session cookie is not readable by JavaScript, so an XSS bug cannot steal it)
  • Database session validation
  • Role-based permissions
  • Automatic expiration

Error Codes

  • INVALID_CREDENTIALS: Wrong email/password
  • INVALID_SESSION: Session expired or invalid
  • FORBIDDEN: Insufficient permissions