Authentication supports two modes: browser sessions and personal access token (PAT) integrations. Browser sessions use the ces_session cookie and require CSRF protection on state-changing requests. Server-to-server integrations normally send Authorization: Bearer <PAT> instead; because the browser never attaches that header automatically, Bearer-authenticated requests do not need a CSRF token.
Endpoints
| Method | Path | Description |
|---|---|---|
| GET | /health | Public service health check |
| GET | /api/v1/health/live | Liveness probe |
| GET | /api/v1/health/ready | Readiness probe |
| POST | /api/v1/auth/login | Authenticate with email and password; sets session cookie |
| POST | /api/v1/auth/logout | Clear current session |
| POST | /api/v1/auth/refresh | Refresh current session |
| GET | /api/v1/auth/csrf | Return CSRF token for cookie-authenticated writes |
| POST | /api/v1/auth/forgot-password | Start password reset flow |
| GET | /api/v1/auth/me | Return current authenticated user and tenant context |
POST /api/v1/auth/login
Request body (LoginDto)
| Field | Type | Required | Description |
|---|---|---|---|
| email | string (email) | yes | User email address |
| password | string | yes | Password, 8 to 128 characters |
```shell
curl -X POST {{BASE_URL}}/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{ "email": "user@example.com", "password": "********" }'
```
200 OK means the credentials were accepted; the response sets the ces_session cookie, which must be sent on subsequent cookie-authenticated requests (with curl, store it with -c and replay it with -b).
Session endpoints
| Method | Path | Success |
|---|---|---|
| POST | /api/v1/auth/logout | 204 No Content |
| POST | /api/v1/auth/refresh | 200 OK |
| GET | /api/v1/auth/csrf | 200 OK |
| GET | /api/v1/auth/me | 200 OK |
Send the CSRF token as the X-CSRF-Token header on every cookie-authenticated POST, PUT, PATCH and DELETE request. Requests authenticated with Authorization: Bearer <PAT> do not carry the cookie and do not need the header.
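The following is an added illustration of the rule above as a server-side check, not the service's own code. It assumes the session cookie is named ces_session, that the token returned by GET /api/v1/auth/csrf is bound to the session and known to the server (passed in here as expected_token), and that headers and cookies arrive as plain dicts. It shows why the rule is scoped the way it is: a cookie is attached by the browser to any cross-site form post, so cookie-authenticated writes must prove the page had the token, while a Bearer header can only be set by a script that already holds the PAT.

```python
"""Illustrative CSRF enforcement for cookie-authenticated writes (added example)."""
import hmac
from typing import Mapping, Optional, Tuple

SESSION_COOKIE = "ces_session"       # cookie name from the page
CSRF_HEADER = "x-csrf-token"         # X-CSRF-Token, compared case-insensitively
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def auth_mode(headers: Mapping[str, str], cookies: Mapping[str, str]) -> Optional[str]:
    """Classify the request as 'bearer', 'cookie' or None (unauthenticated).

    An explicit Bearer header takes precedence over an ambient cookie: a
    script that set it already holds the PAT, so no CSRF check is needed.
    """
    auth = _header(headers, "authorization") or ""
    if auth.startswith("Bearer ") and auth[len("Bearer "):].strip():
        return "bearer"
    if cookies.get(SESSION_COOKIE):
        return "cookie"
    return None


def csrf_check(method: str, headers: Mapping[str, str], cookies: Mapping[str, str],
               expected_token: Optional[str]) -> Tuple[int, str]:
    """Return (status, reason). 200 means the CSRF rule is satisfied.

    expected_token is the token the server issued for this session via
    GET /api/v1/auth/csrf (an assumption about where it lives, not the page's).
    """
    method = method.upper()
    mode = auth_mode(headers, cookies)
    if mode is None:
        return 401, "unauthenticated"
    if mode == "bearer":
        return 200, "bearer auth: csrf not required"
    if method not in STATE_CHANGING:
        return 200, "safe method: csrf not required"
    presented = _header(headers, CSRF_HEADER)
    if not presented or expected_token is None:
        return 403, "missing csrf token"
    # Constant-time comparison so the check itself does not leak the token.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return 403, "csrf token mismatch"
    return 200, "ok"
```

Note that a GET with only the session cookie passes without a token, which is why the page only lists POST, PUT, PATCH and DELETE: a write endpoint reachable via GET would bypass this check entirely.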
POST /api/v1/auth/forgot-password
Request body (ForgotPasswordDto)
| Field | Type | Required | Description |
|---|---|---|---|
| email | string (email) | yes | Account email address |
204 No Content means the request was accepted. The status and body are identical whether or not an account with that email exists, so the endpoint cannot be used to enumerate accounts.
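The handler below is an added example of how an enumeration-safe reset flow is typically structured; it is not the service's implementation. The page only fixes the contract (always 204, no hint about whether the account exists). The in-memory user table, the reset store, the OUTBOX list standing in for the mail sender, the 15-minute TTL and the redeem step are all assumptions introduced here. The point it demonstrates: both branches do the same work and return the same response, only the existing-account branch persists a hashed token, and the raw token never touches storage.

```python
"""Enumeration-safe forgot-password flow (added example, assumptions noted inline)."""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60          # assumed token lifetime

# Constructed sample data: a single existing account.
USERS: Dict[str, Dict[str, int]] = {"user@example.com": {"id": 42}}
# token_hash -> (user_id, expires_at). Only the hash is stored.
RESET_STORE: Dict[str, Tuple[int, float]] = {}
# Stand-in for the outbound mail sender: (recipient, raw_token).
OUTBOX: List[Tuple[str, str]] = []


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def forgot_password(email: str, now: Optional[float] = None) -> Tuple[int, bytes]:
    """POST /api/v1/auth/forgot-password: always 204 with an empty body.

    The token is minted on both paths so the response time does not
    depend on whether the account exists; it is only stored and mailed
    when it does.
    """
    now = time.time() if now is None else now
    normalized = email.strip().lower()
    user = USERS.get(normalized)
    token = secrets.token_urlsafe(32)
    token_hash = _hash_token(token)
    if user is not None:
        RESET_STORE[token_hash] = (user["id"], now + RESET_TTL_SECONDS)
        OUTBOX.append((normalized, token))
    return 204, b""


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[int]:
    """Consume a reset token once. Returns the user id, or None if the
    token is unknown, already used or expired."""
    now = time.time() if now is None else now
    entry = RESET_STORE.pop(_hash_token(token), None)   # single use
    if entry is None:
        return None
    user_id, expires_at = entry
    if now > expires_at:
        return None
    return user_id
```

A leaked copy of RESET_STORE yields only SHA-256 hashes of high-entropy tokens, which cannot be reversed into a usable link; the one-time pop also prevents a captured link from being replayed after use.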
Health endpoints
GET /health and GET /api/v1/health/live return 200 OK whenever the process is running; they do not check dependencies. GET /api/v1/health/ready returns 200 OK when the service's dependencies are ready to serve traffic and 503 Service Unavailable when they are not, so use the readiness endpoint, not the liveness one, to gate traffic.