Accountmaker Docs

Authentication

Password and magic link methods for verifying user identity securely.


AM handles credential verification, password hashing, and magic links so you can focus on your app logic.

Choose the methods that fit your users—traditional passwords for enterprises or magic links for consumer apps.

Authentication Methods

Email + Password

Credentials are hashed with PBKDF2. Users register with an email address and password, then authenticate with the same credentials.

User ──▶ Email + Password ──▶ PBKDF2 Verify ──▶ Issue Tokens
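
The PBKDF2 Verify step in the flow above, as an added example that is not Accountmaker's own code. It assumes PBKDF2-HMAC-SHA256, a 16-byte salt, 600,000 iterations and a `$`-separated record format, none of which this page specifies.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters: the page names PBKDF2 but not the PRF, salt size or work factor.
PRF = "sha256"
ITERATIONS = 600_000
MAX_ITERATIONS = 5_000_000  # refuse absurd stored counts (CPU exhaustion guard)
SALT_BYTES = 16
SCHEME = "pbkdf2_" + PRF


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt_b64$hash_b64."""
    salt = os.urandom(SALT_BYTES)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations)
    b64 = lambda raw: base64.b64encode(raw).decode("ascii")
    return "$".join([SCHEME, str(iterations), b64(salt), b64(dk)])


def verify_password(password, record):
    """Return (ok, needs_rehash). Malformed or unknown records fail closed."""
    try:
        scheme, iter_s, salt_b64, dk_b64 = record.split("$")
        iterations = int(iter_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # wrong field count, non-integer count, bad base64
        return False, False
    if scheme != SCHEME or not expected or not 1 <= iterations <= MAX_ITERATIONS:
        return False, False
    candidate = hashlib.pbkdf2_hmac(
        PRF, password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    ok = hmac.compare_digest(candidate, expected)  # constant-time comparison
    # A correct password stored under an older work factor should be re-hashed.
    return ok, ok and iterations < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")  # constructed sample
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong guess", stored))
```

When `needs_rehash` is true, call `hash_password` again while the plaintext is still available and replace the stored record.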

Magic Links

Passwordless authentication via one-time email links. Users click the link to authenticate.

User ──▶ AM: POST /auth/send-magic-link
AM ──▶ Email: Send link
User ──▶ Email: Click link
User ──▶ AM: POST /auth/sign-in-with-token
AM ──▶ User: Access + Refresh tokens

Password Reset

Secure recovery when users forget credentials:

  1. User requests reset via /auth/send-password-reset
  2. Time-limited token sent to verified email
  3. User sets new password via /auth/reset-password

Token Lifetimes

Token            Default    Purpose
Access Token     1 hour     API authorization
Refresh Token    14 days    Obtain new access tokens
CSRF Token       Session    Prevent cross-site attacks

Lifetimes are configurable per client.

Security

  • PBKDF2 Hashing: Industry-standard password storage
  • Rate Limiting: Prevents brute force attacks
  • CSRF Protection: Required for state-changing requests
  • Secure Cookies: HttpOnly, Secure, SameSite options