Auth
Built-in authentication with JWT tokens. Sign up, sign in, refresh, and sign out — all via REST.
POST /auth/signup
Create a new account. Returns the user and a token pair.
request
curl -X POST https://my-app.based.yourdomain.com/auth/signup \
-H "Content-Type: application/json" \
-d '{ "email": "user@example.com", "password": "secret123" }'
response — 201
{
"user": { "id": 1, "email": "user@example.com" },
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG..."
}
POST /auth/signin
Sign in with existing credentials. Returns the user and a token pair.
request
curl -X POST https://my-app.based.yourdomain.com/auth/signin \
-H "Content-Type: application/json" \
-d '{ "email": "user@example.com", "password": "secret123" }'
response — 200
{
"user": { "id": 1, "email": "user@example.com" },
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG..."
}
POST /auth/refresh
Exchange a refresh token for a new token pair.
request
curl -X POST https://my-app.based.yourdomain.com/auth/refresh \
-H "Content-Type: application/json" \
-d '{ "refreshToken": "eyJhbG..." }'
response — 200
{
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG..."
}
GET /auth/me
Return the authenticated user's profile — no client-side JWT decoding required. Requires a Bearer token (anon key is rejected).
request
curl https://my-app.based.yourdomain.com/auth/me \
-H "Authorization: Bearer eyJhbG..."
response — 200
{
"data": {
"id": "abc123",
"email": "user@example.com",
"createdAt": 1714000000000
}
}
POST /auth/signout
Invalidate the current session. Requires a valid Bearer token.
request
curl -X POST https://my-app.based.yourdomain.com/auth/signout \
-H "Authorization: Bearer eyJhbG..."
Auth middleware
Protected endpoints require a Bearer token in the Authorization header.
authenticated request
Authorization: Bearer <accessToken>
For anonymous read-only access, pass your project anon key in the apikey header instead.
anonymous request
apikey: <anonKey>
Token lifetimes
| Token | Expires |
|---|---|
| Access token | 1 hour |
| Refresh token | 7 days |
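
The following added example (not part of the original documentation and not the project's own client code) ties together the refresh endpoint, the two header styles and the token lifetimes above in JavaScript. The class name `AuthSession`, the injectable `fetchImpl` and `now` parameters, the 60-second early-refresh margin, and measuring token age from the moment the client receives the pair are assumptions.

```javascript
// Added example: client-side token handling for the endpoints documented above.
const ACCESS_TTL_MS = 60 * 60 * 1000;            // access token: 1 hour (from the table)
const REFRESH_TTL_MS = 7 * 24 * 60 * 60 * 1000;  // refresh token: 7 days (from the table)
const SKEW_MS = 60 * 1000;                       // assumption: refresh 60 s before expiry

class AuthSession {
  // fetchImpl and now are injectable (assumption) so the class can run against a stub.
  constructor({ baseUrl, anonKey, fetchImpl = (...a) => fetch(...a), now = Date.now }) {
    Object.assign(this, { baseUrl, anonKey, fetchImpl, now, tokens: null });
  }

  async post(path, body) {
    const res = await this.fetchImpl(this.baseUrl + path, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`${path} failed with status ${res.status}`);
    return res.json();
  }

  store({ accessToken, refreshToken }) {
    // Keep tokens in memory only and stamp the time they were received.
    this.tokens = { accessToken, refreshToken, issuedAt: this.now() };
  }

  async signin(email, password) {
    this.store(await this.post("/auth/signin", { email, password }));
  }

  // Returns the headers to attach to the next API request.
  async headers() {
    if (!this.tokens) return { apikey: this.anonKey }; // anonymous, read-only access
    const age = this.now() - this.tokens.issuedAt;
    if (age >= REFRESH_TTL_MS) {
      this.tokens = null; // drop stale tokens instead of sending them
      throw new Error("refresh token expired; sign in again");
    }
    if (age >= ACCESS_TTL_MS - SKEW_MS) {
      // /auth/refresh returns a new pair: replace both stored tokens with it.
      this.store(await this.post("/auth/refresh", { refreshToken: this.tokens.refreshToken }));
    }
    return { Authorization: `Bearer ${this.tokens.accessToken}` };
  }
}
```

Call `headers()` before each request and merge the result into the request headers; once it throws, the session falls back to the anon key until `signin()` is called again.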