Overview The Authentication API handles user registration, login, session management, email verification, and password reset flows. All authentication uses secure HTTP-only cookies for session management with JWT tokens.
Authentication Flow Endpoints Register New User Create a new user account. An email verification link will be sent to the provided email address.
Request Body: { "email" : "user@example.com" , "name" : "John Doe" , "password" : "SecurePassword123!" } Full name (minimum 2 characters)
Strong password (minimum 8 characters)
Response: { "success" : true , "message" : "Registration successful. Please check your email to verify your account." , "user" : { "id" : "550e8400-e29b-41d4-a716-446655440000" , "email" : "user@example.com" , "name" : "John Doe" , "emailVerified" : false , "createdAt" : "2024-01-17T10:30:00Z" } } Users must verify their email before they can fully access the platform.
Login Authenticate a user and establish a session.
Request Body: { "email" : "user@example.com" , "password" : "SecurePassword123!" } Response: { "success" : true , "message" : "Login successful" , "user" : { "id" : "550e8400-e29b-41d4-a716-446655440000" , "email" : "user@example.com" , "name" : "John Doe" , "role" : "USER" , "emailVerified" : true } } Cookies Set:
accessToken - HTTP-only, Secure, SameSite=Strict (15 minutes)refreshToken - HTTP-only, Secure, SameSite=Strict (7 days)
Get Current User Retrieve the currently authenticated user’s information.
Headers: Response: { "user" : { "id" : "550e8400-e29b-41d4-a716-446655440000" , "email" : "user@example.com" , "name" : "John Doe" , "role" : "USER" , "emailVerified" : true , "createdAt" : "2024-01-17T10:30:00Z" } } Refresh Access Token Obtain a new access token using the refresh token.
Headers: Response: { "ok" : true , "user" : { "id" : "550e8400-e29b-41d4-a716-446655440000" , "email" : "user@example.com" , "name" : "John Doe" , "role" : "USER" } } Cookies Updated:
New accessToken issued
refreshToken rotated for security
Logout Terminate the user’s session and invalidate tokens.
Headers: Response: { "success" : true , "message" : "Logged out successfully" } Cookies Cleared:
accessToken removedrefreshToken removed
Verify Email Verify a user’s email address using the verification token sent via email.
Request Body: { "token" : "verification_token_from_email" } Response: { "success" : true , "message" : "Email verified successfully. You can now log in." } Resend Verification Email /auth/send-email-verification
Request a new verification email if the previous one expired or was lost.
Request Body: { "email" : "user@example.com" } Response: { "success" : true , "message" : "Verification email sent. Please check your inbox." } Rate Limit: This endpoint is rate-limited to prevent abuse:
5 requests per hour per email address
Forgot Password Request a password reset link via email.
Request Body: { "email" : "user@example.com" } Response: { "success" : true , "message" : "If an account exists with this email, a password reset link has been sent." } For security, the API always returns a success message regardless of whether the email exists.
Reset Password Reset password using the token received via email.
Request Body: { "token" : "reset_token_from_email" , "password" : "NewSecurePassword123!" } Password reset token from email
New password (minimum 8 characters)
Response: { "success" : true , "message" : "Password reset successful. You can now log in with your new password." } Security Features HTTP-Only Cookies All session tokens are stored in HTTP-only cookies to prevent XSS attacks. JavaScript cannot access these cookies.
Secure Flag Cookies are marked as Secure, ensuring they’re only transmitted over HTTPS in production.
SameSite Policy Cookies use SameSite=Strict to prevent CSRF attacks.
Token Rotation Refresh tokens are rotated on each use to minimize security risks if a token is compromised.
Password Requirements
Minimum 8 characters
Recommended: Mix of uppercase, lowercase, numbers, and special characters
Token Expiration
Access Token: 15 minutesRefresh Token: 7 daysVerification Token: 24 hoursReset Token: 1 hour
Error Codes Code Status Description INVALID_CREDENTIALS401 Incorrect email or password EMAIL_ALREADY_EXISTS409 Email is already registered EMAIL_NOT_VERIFIED403 Email verification required INVALID_TOKEN400 Token is invalid or expired TOKEN_EXPIRED401 Token has expired WEAK_PASSWORD400 Password doesn’t meet requirements RATE_LIMIT_EXCEEDED429 Too many requests
Use Cases Example 1: Complete Registration Flow # Step 1: Register curl -X POST "https://api.steerai.autos/v1/auth/register" \ -H "Content-Type: application/json" \ -d '{ "email": "dealer@example.com", "name": "Auto Dealer", "password": "SecurePass123!" }' # Step 2: User receives email and verifies curl -X POST "https://api.steerai.autos/v1/auth/verify-email" \ -H "Content-Type: application/json" \ -d '{ "token": "verification_token_from_email" }' # Step 3: Login curl -X POST "https://api.steerai.autos/v1/auth/login" \ -H "Content-Type: application/json" \ -c cookies.txt \ -d '{ "email": "dealer@example.com", "password": "SecurePass123!" }' Example 2: Password Reset Flow # Step 1: Request reset curl -X POST "https://api.steerai.autos/v1/auth/forgot-password" \ -H "Content-Type: application/json" \ -d '{ "email": "dealer@example.com" }' # Step 2: Reset with token from email curl -X POST "https://api.steerai.autos/v1/auth/reset-password" \ -H "Content-Type: application/json" \ -d '{ "token": "reset_token_from_email", "password": "NewSecurePass123!" }' Example 3: Token Refresh # Refresh access token before it expires curl -X POST "https://api.steerai.autos/v1/auth/refresh" \ -b cookies.txt \ -c cookies.txt Client Implementation JavaScript/Node.js class AuthClient { constructor ( baseURL ) { this . baseURL = baseURL ; } async register ( email , name , password ) { const response = await fetch ( ` ${ this . baseURL } /auth/register` , { method: 'POST' , headers: { 'Content-Type' : 'application/json' }, body: JSON . stringify ({ email , name , password }) }); return response . json (); } async login ( email , password ) { const response = await fetch ( ` ${ this . baseURL } /auth/login` , { method: 'POST' , headers: { 'Content-Type' : 'application/json' }, credentials: 'include' , // Important for cookies body: JSON . stringify ({ email , password }) }); return response . json (); } async getCurrentUser () { const response = await fetch ( ` ${ this . baseURL } /auth/me` , { credentials: 'include' }); return response . json (); } async logout () { const response = await fetch ( ` ${ this . baseURL } /auth/logout` , { method: 'POST' , credentials: 'include' }); return response . json (); } } Best Practices
Always use HTTPS in production
Never transmit credentials over unsecured HTTP connections.
Implement client-side token refresh
Automatically refresh tokens before they expire to maintain session continuity.
Store refresh tokens securely
Use HTTP-only cookies (handled automatically by our API) rather than localStorage.
Enforce strong password policies
Require passwords with adequate complexity and length.
Protect authentication endpoints from brute-force attacks.
Log authentication events
Track login attempts, password resets, and suspicious activity.
