Auth & Account Endpoints
12 endpoints covering the full account lifecycle: registration, login, email verification, Google sign-in, password recovery, API key management, account status checks, and Google unlink.
Bearer JWT for auth flows
Authorization: Bearer <token>
Lifecycle Overview
Session first, key second
Interactive login returns a JWT session only. API keys are created explicitly via POST /v1/auth/api-keys and are never auto-generated on your behalf.
Account parity
GET /v1/me/account and POST /v1/me/google/unlink give the CLI stable visibility into sign-in methods, plan source, and linked-auth state.
Auth & Account Inventory
| Method | Path | Description |
|---|---|---|
| POST | /v1/auth/register | Create a new account. |
| POST | /v1/auth/login | Sign in with username or email and receive a JWT. |
| POST | /v1/auth/verify-email | Verify email with a six-digit code. |
| POST | /v1/auth/resend-verification | Request a fresh verification code. |
| POST | /v1/auth/google | Sign in or sign up with a Google credential. |
| POST | /v1/auth/forgot-password | Start password recovery without leaking account existence. |
| POST | /v1/auth/reset-password | Reset a password with a verified recovery token. |
| POST | /v1/auth/api-keys | Create an API key. |
| GET | /v1/auth/api-keys | List API keys for the authenticated user. |
| DELETE | /v1/auth/api-keys/{key_id} | Revoke one API key. |
| GET | /v1/me/account | Return account summary, plan source, and sign-in methods. |
| POST | /v1/me/google/unlink | Unlink Google when password sign-in is already available. |
Authenticate and return a JWT bearer token.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| username | string | Yes | Username or email |
| password | string | Yes | Account password |
Response
| Field | Type | Required | Description |
|---|---|---|---|
| access_token | string | Yes | JWT access token |
| token_type | string | Yes | Always bearer |
Request
{
  "username": "hershel",
  "password": "secureP@ss123"
}
Response 200 OK
{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "token_type": "bearer"
}
Create a new API key. The raw key is shown only once.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Human-readable key label |
Response
| Field | Type | Required | Description |
|---|---|---|---|
| id | uuid | Yes | API key ID |
| raw_key | string | Yes | Full rst_ key shown once |
| prefix | string | Yes | Stored key prefix |
| created_at | datetime | Yes | Creation timestamp |
Requires a JWT token.
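The "session first, key second" flow as a client-side sketch: log in for a JWT, create one API key with it, and store the raw key immediately because it is shown only once. This is an added example, not code from this API's documentation or SDK; `BASE_URL` is a placeholder host and the helper names `http_send` and `bootstrap_api_key` are hypothetical.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.example.invalid"  # placeholder host (assumption, not on the page)


def http_send(method, path, body=None, token=None):
    """Send one JSON request; a token, if given, goes in the Authorization header."""
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Authorization"] = f"Bearer {token}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def bootstrap_api_key(username, password, key_name, key_path, send=http_send):
    """Log in for a JWT, create one API key, and persist the raw key exactly once."""
    login = send("POST", "/v1/auth/login", {"username": username, "password": password})
    if login.get("token_type") != "bearer" or not login.get("access_token"):
        raise ValueError("login did not return a bearer token")
    jwt = login["access_token"]  # session credential: held in memory, never written out

    # Reserve the key file BEFORE minting the key, so an existing or unwritable path
    # fails early instead of orphaning a key whose raw value can never be shown again.
    # O_EXCL refuses to overwrite an existing file; 0o600 limits access to the owner.
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as fh:
            key = send("POST", "/v1/auth/api-keys", {"name": key_name}, token=jwt)
            fh.write(key["raw_key"])
    except Exception:
        os.unlink(key_path)  # do not leave an empty placeholder behind
        raise
    # Hand back only the non-secret fields, which are safe to log or display.
    return {k: key[k] for k in ("id", "prefix", "created_at")}
```

Passing a different `send` callable lets the same flow run against a stub in tests; the returned dictionary deliberately omits `raw_key` so it cannot end up in logs.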
Return CLI-safe account and auth state for the current owner.
Response
| Field | Type | Required | Description |
|---|---|---|---|
| username | string | Yes | Username |
| google_linked | boolean | Yes | Whether Google is currently linked |
| has_password | boolean | Yes | Whether password sign-in exists |
| can_unlink_google | boolean | Yes | Safe unlink eligibility |
| available_sign_in_methods | array | Yes | password and/or google |
Requires owner auth: a JWT token or API key.