# Email & Password Auth

## Register

```http
POST /auth/register
Content-Type: application/json

{
  "name": "Acme Corp",
  "email": "admin@acme.com",
  "password": "supersecret"
}
```

Response `200`:

```json
{
  "success": true,
  "data": {
    "accessToken": "eyJ...",
    "expiresIn": 3600,
    "user": {
      "id": "ten_01j...",
      "name": "Acme Corp",
      "email": "admin@acme.com"
    }
  }
}
```
## Login

```http
POST /auth/login
Content-Type: application/json

{
  "email": "admin@acme.com",
  "password": "supersecret"
}
```

The response shape is identical to register.
## Refresh Token

Access tokens are short-lived. Refresh without re-authenticating:

```http
POST /auth/refresh
```

The refresh token is stored in an HttpOnly cookie and sent automatically. You may also pass it explicitly in the body:

```json
{
  "refreshToken": "rt_..."
}
```

Response `200`:

```json
{
  "accessToken": "eyJ...",
  "expiresIn": 3600
}
```
## Logout

```http
POST /auth/logout
Authorization: Bearer eyJ...
```

Response: `204 No Content`. The refresh token cookie is cleared.

## Get current user

```http
GET /auth/me
Authorization: Bearer eyJ...
```

Returns the authenticated tenant profile.
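The token lifecycle these endpoints describe, as an added client example that is not part of this API's own code: the client tracks `expiresIn`, refreshes proactively before the access token lapses, falls back to re-authentication when the refresh is rejected, and the `transport` callable and `FakeServer` are constructed stand-ins for the real HTTP layer.

```python
import time

SKEW = 30  # refresh this many seconds before expiresIn actually runs out

class AuthClient:
    """Client for the /auth endpoints above. `transport(method, path, json, headers)` is a
    hypothetical injectable callable returning (status, body); a real one would wrap
    requests.Session so the HttpOnly refresh cookie is sent back automatically."""

    def __init__(self, transport, clock=time.time):
        self._send, self._clock = transport, clock
        self.access_token, self._expires_at = None, 0.0

    def _store(self, data):
        self.access_token, self._expires_at = data["accessToken"], self._clock() + data["expiresIn"]

    def login(self, email, password):
        status, body = self._send("POST", "/auth/login", {"email": email, "password": password}, None)
        if status != 200 or not body.get("success"):
            raise PermissionError(f"login failed: {status}")
        self._store(body["data"])

    def refresh(self, refresh_token=None):
        # Cookie-based by default; the body form is only for clients that cannot hold cookies.
        payload = {"refreshToken": refresh_token} if refresh_token else None
        status, body = self._send("POST", "/auth/refresh", payload, None)
        if status != 200:
            self.access_token = None
            raise PermissionError("refresh rejected; re-authenticate")
        self._store(body)

    def token_is_fresh(self):
        return self.access_token is not None and self._clock() < self._expires_at - SKEW

    def get(self, path):
        if not self.token_is_fresh():  # refresh proactively instead of waiting for a 401
            self.refresh()
        return self._send("GET", path, None, {"Authorization": f"Bearer {self.access_token}"})

class FakeServer:
    """Constructed stand-in with the documented response shapes; tokens are counters, not JWTs."""
    issued, cookie = 0, None

    def __call__(self, method, path, json, headers):
        if path == "/auth/login":
            self.issued, self.cookie = self.issued + 1, "rt_cookie"
            return 200, {"success": True, "data": {"accessToken": f"eyJ.{self.issued}", "expiresIn": 3600}}
        if path == "/auth/refresh":
            if self.cookie is None and not (json or {}).get("refreshToken"):
                return 401, {"success": False}
            self.issued += 1
            return 200, {"accessToken": f"eyJ.{self.issued}", "expiresIn": 3600}
        authorized = bool(headers) and headers.get("Authorization", "").startswith("Bearer eyJ.")
        return (200, {"success": True, "data": {"id": "ten_01j..."}}) if authorized else (401, {"success": False})
```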