Authentication API

Manage accounts and sessions.

Signup

POST /api/v1/auth/signup

Create a new account, organization, default API key, and session.

Rate Limit

3 requests per IP per 15 minutes.

Request Body

Field	Required	Description
email	Yes	Email address (max 256 chars)
password	Yes	Password (8-128 chars)
name	No	Display name (defaults to email username)

{
  "email": "[email protected]",
  "password": "your-secure-password",
  "name": "Your Name"
}

Response

HTTP 200 OK

{
  "user": {
    "id": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "email": "[email protected]",
    "name": "Your Name",
    "org_id": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
    "role": "admin"
  },
  "session_token": "abc123def456...",
  "api_key": "pj_live_451560fa..."
}

The response includes:

• session_token — for dashboard auth (send as X-Session-Token header)
• api_key — for API auth (send as Authorization: Bearer <key>). Shown only once.

Error Responses

Duplicate email returns the same success message (prevents user enumeration):

{
  "message": "if this email is not already registered, an account has been created"
}

{"error": "password must be at least 8 characters"}

Login

POST /api/v1/auth/login

Rate Limit

5 requests per IP per 15 minutes.

Request Body

{
  "email": "[email protected]",
  "password": "your-secure-password"
}

Response

HTTP 200 OK

{
  "user": {
    "id": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "email": "[email protected]",
    "name": "Your Name",
    "org_id": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
    "role": "admin"
  },
  "session_token": "abc123def456..."
}

Error Responses

{"error": "email and password are required"}

{"error": "unauthorized"}

Logout

POST /api/v1/auth/logout

Destroys the current session. Requires X-Session-Token header.

Response

{"ok": true}

Logout All

POST /api/v1/auth/logout-all

Revokes all sessions for the authenticated user. Requires authentication (API key or session token).

Response

{
  "ok": true,
  "sessions_revoked": true
}

Get Current User

GET /api/v1/auth/me

Returns information about the authenticated identity.

Response

With session token (full user info):

{
  "user": {
    "id": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6",
    "email": "[email protected]",
    "name": "Your Name",
    "org_id": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
    "role": "admin"
  }
}

With API key (org info only):

{
  "user": {
    "org_id": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0"
  }
}

Session Properties

Property	Value
Duration	7 days
Max per user	5 (oldest evicted on new login)
Storage	Server-side (D1 sessions table)
Revocable	Yes (immediate)
Password hashing	PBKDF2-SHA256 (100,000 iterations)
API key hashing	HMAC-SHA256 (server-side pepper)