Auth API
Authenticate users (login) and register new users (signup). Returns access tokens for API access.
Authentication API
Overview
The Authentication API provides endpoints to sign users in, register new users, and refresh authentication tokens. Each endpoint returns session/token information that clients should use to authenticate subsequent API requests.
Base path: /api/v1/auth
Response envelope
Most API endpoints in this project return a consistent envelope. Authentication endpoints return the session/token information in the data object when successful.
{
"success": true,
"message": "optional human readable message",
"data": { /* payload shown per endpoint*/ },
"error": "error text"
}
Notes about tokens
access_tokenis a Bearer JWT. Include it on protected API requests using theAuthorization: Bearer <access_token>header.refresh_tokencan be used to obtain a new access token via the refresh endpoint below. A refresh token is returned on successful authentication when applicable.- Administrative user-management endpoints exist for service integrations; they require elevated credentials and should only be used by trusted services.
POST /api/v1/auth/login
Authenticate a user using email and password and return a session with tokens.
Request
- Content-Type:
application/json
Body
{
"email": "user@example.com",
"password": "password123"
}
Success response (200)
{
"success": true,
"message": "Authentication successful",
"data": {
"access_token": "eyJhbGci...",
"refresh_token": "...",
"expires_at": 1735689600,
"expires_in": 3600,
"user": {
"id": "8b4cdb8d-...",
"email": "user@example.com",
"created_at": "2025-11-13T10:00:00Z"
}
}
}
Common errors
- 400 Bad Request — invalid body (missing/invalid email or password)
- 401 Unauthorized — invalid credentials or sign-in failure
- 500 Internal Server Error — unexpected error (check server logs)
Example curl
curl -X POST "https://phy.engineering/api/v1/auth/login" \
-H "Content-Type: application/json" \
-d '{"email":"user@example.com","password":"password123"}'
POST /api/v1/auth/signup
Register a new user account. Returns the created user object. Unlike the Login endpoint, tokens are not returned on signup — call Login after registration to obtain an access token.
Request
- Content-Type:
application/json
Body
{
"email": "newuser@example.com",
"password": "SecretPass123!"
}
Success response (200)
{
"success": true,
"message": "Authentication successful",
"data": {
"user": {
"id": "f47ac10b-...",
"email": "newuser@example.com",
"created_at": "2025-11-13T10:00:00Z"
}
}
}
Notes
- After signup, call
POST /api/v1/auth/loginwith the same credentials to obtain an access token. - If email confirmation is enabled on the platform, the account may require verification before login succeeds.
Common errors
- 400 Bad Request — invalid body (missing email, invalid format, etc.)
- 401 Unauthorized — signup failed (e.g., email already registered)
- 500 Internal Server Error — unexpected error
Example curl
curl -X POST "https://phy.engineering/api/v1/auth/signup" \
-H "Content-Type: application/json" \
-d '{"email":"newuser@example.com","password":"SecretPass123!"}'
POST /api/v1/auth/refresh
Exchange a refresh token for a new session (new access token and refresh token).
Request
- Content-Type:
application/json
Body
{
"refresh_token": "<refresh-token-from-login-or-signup>"
}
Success response (200)
{
"success": true,
"message": "Token refreshed",
"data": {
"access_token": "eyJhbGci...",
"refresh_token": "...",
"expires_at": 1735689600,
"user": {
"id": "8b4cdb8d-...",
"email": "user@example.com",
"created_at": "2025-11-13T10:00:00Z"
}
}
}
Common errors
- 400 Bad Request — invalid body
- 401 Unauthorized — invalid or expired refresh token
- 500 Internal Server Error — unexpected error
Example curl
curl -X POST "https://phy.engineering/api/v1/auth/refresh" \
-H "Content-Type: application/json" \
-d '{"refresh_token":"<refresh-token>"}'
GET /api/v1/auth/organizations
List organizations the authenticated user belongs to along with the user's role in each.
Authentication: Requires a valid access token (Bearer).
Request
- Method:
GET - Path:
/api/v1/auth/organizations
Success response (200)
{
"success": true,
"message": "Retrieved 2 organizations",
"data": [
{
"id": "8b4cdb8d-...",
"name": "Example Utilities",
"is_personal_account": false,
"role": "ADMIN"
},
{
"id": "a17ac10b-...",
"name": "Personal Account",
"is_personal_account": true,
"role": "OWNER"
}
],
"count": 2
}
Common errors
- 401 Unauthorized — missing or invalid access token
- 500 Internal Server Error — unexpected error
Example curl
curl -X GET "https://phy.engineering/api/v1/auth/organizations" \ -H "Authorization: Bearer <access_token>"
GET /api/v1/auth/users/:userId/organizations
List organizations for a specified user Id. This allows administrative or service contexts to retrieve organization memberships for any user that is visible under access policies. Visibility is subject to authorization rules; only organizations the requester is permitted to view will be returned.
Authentication: Requires a valid access token (Bearer).
Path parameter
userId(uuid)
Success response (200)
{
"success": true,
"message": "Retrieved 3 organizations for user",
"data": [
{
"id": "8b4cdb8d-...",
"name": "Example Utilities",
"is_personal_account": false,
"role": "ADMIN",
"user_id": "f47ac10b-...",
"requested_by": "8b4cdb8d-..."
}
],
"count": 3
}
Common errors
- 400 Bad Request — invalid userId format
- 401 Unauthorized — missing or invalid access token
- 500 Internal Server Error — unexpected error
Example curl
curl -X GET "https://phy.engineering/api/v1/auth/users/<user-id>/organizations" \ -H "Authorization: Bearer <access_token>"