Auth
AM’s auth endpoints let you build sign-in, sign-up, and password flows without managing tokens, sessions, or security yourself.
These endpoints run on your auth domain and handle the complete authentication lifecycle—from registration to password reset.
Overview
Endpoints
| Endpoint | Purpose |
|---|---|
| POST /auth/sign-up | Register new user with email/password |
| POST /auth/sign-in | Authenticate with credentials |
| POST /auth/sign-in-with-token | Passwordless token authentication |
| GET /auth/me | Get current user profile |
| POST /auth/refresh | Refresh access token |
| GET /auth/csrf-session | Initialize CSRF session cookie |
| GET /auth/csrf-token | Generate CSRF token |
| POST /auth/check-email | Check email and available login methods |
| POST /auth/verify | Verify email address |
| POST /auth/send-magic-link | Send passwordless login link |
| POST /auth/send-password-reset | Send password reset email |
| POST /auth/reset-password | Set new password with reset token |
| POST /auth/accept-invite | Accept account invitation |
Authentication Flow
What You Get Back
Successful authentication returns:
- Access Token: Short-lived JWT (default 1 hour) for API requests
- Refresh Token: Long-lived token (default 14 days) for getting new access tokens
- User Profile: Email, memberships, identity data
CSRF Protection
State-changing requests require CSRF tokens:
- Initialize session: `GET /auth/csrf-session` (sets HttpOnly cookie)
- Get token: `GET /auth/csrf-token` (returns token in `X-CSRF-Token` header)
- Include token in requests via `X-CSRF-Token` header or `csrf_token` body field
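The three steps above as a Python client, added here as an example and not AM's own code. The auth domain `https://auth.example.com`, the JSON request and response bodies, and the `email`/`password` field names in the usage comment are assumptions, not taken from this page.

```python
import json
import urllib.request
from http.cookiejar import CookieJar

AUTH_BASE = "https://auth.example.com"  # placeholder auth domain (assumption)


def make_opener():
    """Opener with a cookie jar, so the HttpOnly CSRF session cookie set by
    /auth/csrf-session is sent back on every later request."""
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))


def fetch_csrf_token(opener, base=AUTH_BASE):
    """Steps 1 and 2: initialize the CSRF session, then read the token."""
    opener.open(urllib.request.Request(base + "/auth/csrf-session")).close()
    with opener.open(urllib.request.Request(base + "/auth/csrf-token")) as resp:
        token = resp.headers.get("X-CSRF-Token")
    if not token:
        # Fail closed: never send a state-changing request without a token.
        raise RuntimeError("no X-CSRF-Token header on /auth/csrf-token response")
    return token


def csrf_post(opener, path, payload, base=AUTH_BASE):
    """Step 3: POST with the token in the X-CSRF-Token request header.
    JSON encoding of the request and response is an assumption."""
    token = fetch_csrf_token(opener, base)
    req = urllib.request.Request(
        base + path,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"Content-Type": "application/json", "X-CSRF-Token": token},
    )
    with opener.open(req) as resp:
        return json.loads(resp.read().decode("utf-8"))


# Usage (field names are assumptions):
# csrf_post(make_opener(), "/auth/sign-in",
#           {"email": "user@example.com", "password": "..."})
```

The same opener must be used for all three requests: the token is only valid together with the session cookie held in its cookie jar.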
Related
- Authentication - Auth methods and security
- OAuth - Third-party authorization
- Users - User management