Auth
Forgot Password
Request a password reset link via email.
Always returns success to prevent email enumeration. "I could tell you, but then I'd have to kill you." - Top Gun
emailResponse Body
curl -X POST "https://loading/auth/forgot-password" \ -H "Content-Type: application/json" \ -d '{ "email": "user@example.com" }'{}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}curl -X POST "https://loading/auth/login" \ -H "Content-Type: application/json" \ -d '{ "email": "user@example.com", "password": "string" }'{
"access_token": "string",
"email_verified": true,
"expires_in": 1800,
"refresh_token": "string",
"token_type": "bearer"
}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}curl -X POST "https://loading/auth/logout" \ -H "Content-Type: application/json" \ -d '{}'{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}Auth Me
Return user metadata from cookie-authenticated session.
In: header
Response Body
curl -X GET "https://loading/auth/me"{}curl -X POST "https://loading/auth/refresh" \ -H "Content-Type: application/json" \ -d '{}'{
"access_token": "string",
"email_verified": true,
"expires_in": 1800,
"refresh_token": "string",
"token_type": "bearer"
}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}curl -X POST "https://loading/auth/register" \ -H "Content-Type: application/json" \ -d '{ "email": "user@example.com", "password": "stringst" }'{
"access_token": "string",
"email_verified": true,
"expires_in": 1800,
"refresh_token": "string",
"token_type": "bearer"
}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}Resend Verification
Resend verification code. Rate limited to prevent abuse. "I could tell you, but then I'd have to kill you." - Top Gun
emailResponse Body
curl -X POST "https://loading/auth/resend-verification" \ -H "Content-Type: application/json" \ -d '{ "email": "user@example.com" }'{}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}Reset Password
Reset password using a token from the forgot-password email.
Token is single-use and expires after 30 minutes. "Hasta la vista, baby." - T-800 (to your old password)
8 <= length <= 1281 <= length <= 256Response Body
curl -X POST "https://loading/auth/reset-password" \ -H "Content-Type: application/json" \ -d '{ "new_password": "stringst", "token": "string" }'{}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}Programmatic Token
Programmatic token endpoint — Basic auth (email:password), returns body tokens, NEVER sets cookies.
For CLI/SDK usage only.
Response Body
curl -X POST "https://loading/auth/token"{
"access_token": "string",
"email_verified": true,
"expires_in": 1800,
"refresh_token": "string",
"token_type": "bearer"
}Verify Email
Verify email with 6-digit code sent via Resend.
Returns fresh JWT tokens so the frontend immediately has evf:true. Without this, the old JWT still has evf:false and every get_current_user-protected endpoint returns 403.
"The name's Bond. James Bond." - but with a verification code.
6 <= length <= 6emailResponse Body
curl -X POST "https://loading/auth/verify-email" \ -H "Content-Type: application/json" \ -d '{ "code": "string", "email": "user@example.com" }'{}{
"detail": [
{
"loc": [
"string"
],
"msg": "string",
"type": "string"
}
]
}