Skip to content

Auth API Route Reference

This page maps the current route groups exposed by seamless-auth-api.

It is not a replacement for the generated OpenAPI document, but it gives you a reliable top-level map of the auth server surface as it exists in the source repo today.


GroupRoutesPurpose
Authentication/login, /logout, /refreshLogin entry, logout, access refresh
Registration/registration/registerNew-user registration
OTP/otp/*Email and phone OTP generation and verification
WebAuthn/webauthn/*Passkey registration and login
Magic Links/magic-link*Magic link request, polling, verification
OAuth/oauth/*External provider login start and callback
TOTP/totp/*TOTP enrollment, login MFA, and step-up verification
Step-up Auth/step-up/*Fresh WebAuthn verification before sensitive actions
Users/users/*Authenticated user profile and credential operations
Organizations/organizations/*Self-service organization and membership operations
Sessions/sessions*Session listing and revocation
Admin/admin/*Admin-only users, orgs, events, sessions, recovery
Internal/internal/*Metrics, grouped events, login stats, anomalies
System Config/system-config/*Available roles and runtime config
Bootstrap/internal/bootstrap/admin-inviteFirst-admin bootstrap invite creation
JWKS/.well-known/jwks.jsonPublic JWKS endpoint
Health/health/*Status and version probes

MethodPathPurpose
POST/loginStart login using email or phone
GET/logoutDeprecated compatibility route for all-session logout
DELETE/logoutLogout the current session
DELETE/logout/allLogout every session owned by the current user
POST/refreshRefresh access state using a valid refresh token state

POST /refresh is the supported refresh method. The route explicitly rejects other HTTP methods.


MethodPathPurpose
POST/registration/registerRegister a new user

MethodPathPurpose
GET/otp/generate-email-otpGenerate registration email OTP
GET/otp/generate-phone-otpGenerate registration phone OTP
GET/otp/generate-login-email-otpGenerate login email OTP
GET/otp/generate-login-phone-otpGenerate login phone OTP
POST/otp/verify-email-otpVerify registration email OTP
POST/otp/verify-phone-otpVerify registration phone OTP
POST/otp/verify-login-email-otpVerify login email OTP
POST/otp/verify-login-phone-otpVerify login phone OTP

These routes use ephemeral auth state during in-progress auth flows.


MethodPathPurpose
GET/webauthn/register/startStart passkey registration
POST/webauthn/register/finishFinish passkey registration
POST/webauthn/login/startStart passkey login
POST/webauthn/login/finishFinish passkey login

Registration start accepts requestPrf=true or requirePrf=true query flags. Assertion start can accept an optional PRF request body. The auth server verifies the passkey assertion but does not store or return PRF output.


MethodPathPurpose
GET/magic-linkRequest a magic login link
GET/magic-link/checkPoll for confirmation
GET/magic-link/verify/:tokenVerify a magic link token

MethodPathPurpose
GET/oauth/providersList enabled OAuth providers
POST/oauth/:providerId/startStart provider authorization
POST/oauth/:providerId/callbackFinish provider login and link user

OAuth provider secrets live in environment variables referenced by system config. Provider access tokens are used only during callback handling and are not returned to browser clients.


MethodPathPurpose
GET/totp/statusGet TOTP status for the current user
POST/totp/enroll/startStart TOTP enrollment
POST/totp/enroll/verifyVerify and enable TOTP enrollment
POST/totp/disableDisable TOTP for the current user
POST/totp/verify-loginVerify TOTP during login
POST/totp/verify-mfaVerify TOTP for MFA or step-up authentication

TOTP verification requests use a six-digit code field.


MethodPathPurpose
GET/step-up/statusReturn current session step-up freshness
POST/step-up/webauthn/startStart passkey step-up verification
POST/step-up/webauthn/finishFinish passkey step-up and mark session fresh

These routes require an authenticated access session. TOTP step-up completion is exposed through POST /totp/verify-mfa.


MethodPathPurpose
GET/users/meReturn authenticated user and credentials
POST/users/credentialsUpdate credential metadata
DELETE/users/credentialsDelete a credential
DELETE/users/deleteDelete the authenticated user

MethodPathPurpose
GET/organizationsList organizations for current user
POST/organizationsCreate organization
GET/organizations/:organizationIdGet organization
PATCH/organizations/:organizationIdUpdate organization
POST/organizations/:organizationId/switchSwitch active organization
GET/organizations/:organizationId/membersList organization members
POST/organizations/:organizationId/membersAdd organization member
PATCH/organizations/:organizationId/members/:userIdUpdate organization member roles
DELETE/organizations/:organizationId/members/:userIdRemove organization member

Organization member inputs accept either userId or email plus optional roles and scopes.


MethodPathPurpose
GET/sessionsList active sessions for the current user
DELETE/sessions/:idRevoke one session
DELETE/sessionsRevoke all sessions for the current user

All admin routes require authenticated admin access. Read routes accept admin, admin:read, or admin:write; write routes accept admin or admin:write.

MethodPathPurpose
GET/admin/usersList users
POST/admin/usersCreate user
DELETE/admin/usersDelete user
GET/admin/users/:userIdGet user detail
PATCH/admin/users/:userIdUpdate user
GET/admin/users/:userId/anomaliesGet anomalies for a user
POST/admin/users/:userId/recovery/device-replacementPrepare user for device replacement
GET/admin/auth-eventsQuery auth events
GET/admin/credential-countGet credential counts
GET/admin/sessionsList all sessions
GET/admin/sessions/:userIdList sessions for one user
DELETE/admin/sessions/by-id/:idRevoke one session by session ID
DELETE/admin/sessions/:userId/revoke-allRevoke all sessions for one user
GET/admin/organizationsList organizations
POST/admin/organizationsCreate organization
GET/admin/organizations/:organizationIdGet organization
PATCH/admin/organizations/:organizationIdUpdate organization
GET/admin/organizations/:organizationId/membersList organization members
POST/admin/organizations/:organizationId/membersAdd organization member
PATCH/admin/organizations/:organizationId/members/:userIdUpdate organization member
DELETE/admin/organizations/:organizationId/members/:userIdRemove organization member

The device-replacement recovery route requires fresh step-up authentication and returns counts for revoked sessions, removed passkeys, and disabled TOTP credentials.


These endpoints are especially important for the admin dashboard.

MethodPathPurpose
GET/internal/auth-events/summaryEvent summary metrics
GET/internal/auth-events/timeseriesEvent timeseries metrics
GET/internal/auth-events/login-statsLogin success/failure stats
GET/internal/auth-events/groupedGrouped auth event summaries
GET/internal/security/anomaliesSuspicious activity feed
GET/internal/metrics/dashboardDashboard summary metrics

MethodPathPurpose
GET/system-config/rolesGet available roles
GET/system-config/adminRead current system configuration
PATCH/system-config/adminUpdate system configuration

System config includes roles, token TTLs, login methods, OAuth providers, lockout policy, passkey fallback policy, WebAuthn relying party ID, and allowed origins.

For field-level behavior, see System Config Reference.


MethodPathPurpose
POST/internal/bootstrap/admin-inviteCreate a first-admin bootstrap invite

This is an internal bootstrap route used by the CLI and guarded by the bootstrap secret flow.


MethodPathPurpose
GET/.well-known/jwks.jsonPublish public keys for verification

For token and JWKS details, see Cookie, Session, And Token Reference.


MethodPathPurpose
GET/health/statusHealth check endpoint
GET/health/versionAPI version information