Primary Backend Flow

  1. POST /auth/signin with email/password
  2. Receive session cookie
  3. Include cookie in subsequent requests

// Sign in: on success the server sets an HttpOnly session cookie
await fetch('/api/v1/auth/signin', {
  method: 'POST',
  credentials: 'include',                          // store the session cookie
  headers: { 'Content-Type': 'application/json' }, // body is JSON
  body: JSON.stringify({ email, password })
});

// Make authenticated requests: the browser attaches the cookie automatically
await fetch('/api/v1/users', {
  credentials: 'include'
});

Mobile Backend Flow

  1. POST /auth/signin with phone number → get accessToken
  2. POST /auth/otp/create with accessToken → OTP sent via SMS
  3. POST /auth/otp/validate with OTP → get sessionToken
  4. Use sessionToken for API calls

// 1. Sign in with the phone number; returns a short-lived accessToken
const { accessToken } = await fetch('/api/v1/auth/signin', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ phoneNumber })
}).then(r => r.json());

// 2. Request an OTP (sent via SMS); authorized with the accessToken
await fetch('/api/v1/auth/otp/create', {
  method: 'POST',
  headers: { 'Authorization': `Bearer ${accessToken}` }
});

// 3. Validate the OTP the user received; returns the sessionToken
const { sessionToken } = await fetch('/api/v1/auth/otp/validate', {
  method: 'POST',
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({ otp: '123456' }) // placeholder: the code the user typed in
}).then(r => r.json());

// 4. Make authenticated requests with the sessionToken
await fetch('/api/v1/users/current', {
  headers: { 'Authorization': `Bearer ${sessionToken}` }
});
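The four mobile steps above as one client helper with status checks, an added example rather than the project's own code. It assumes the endpoints and response fields shown above, and takes the fetch implementation as a parameter so the flow can be exercised against a fake server.

```javascript
// Added example (not the project's own code): the mobile OTP flow as one
// helper with status checks. Endpoints and response fields are those from the
// page; fetchImpl is injected so the flow can be exercised with a fake fetch.
const JSON_HEADERS = { 'Content-Type': 'application/json' };

async function postJson(fetchImpl, path, body, bearerToken) {
  const headers = { ...JSON_HEADERS };
  if (bearerToken) headers['Authorization'] = `Bearer ${bearerToken}`;
  const init = { method: 'POST', headers };
  if (body !== undefined) init.body = JSON.stringify(body);
  const res = await fetchImpl(path, init);
  if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
  return res.json();
}

// Steps 1-3: sign in, request the OTP, validate the code the user typed in.
// Only the sessionToken is returned; the short-lived accessToken stays local.
async function mobileSignIn(phoneNumber, promptForOtp, fetchImpl = fetch) {
  const { accessToken } = await postJson(fetchImpl, '/api/v1/auth/signin', { phoneNumber });
  if (!accessToken) throw new Error('signin response did not include accessToken');
  await postJson(fetchImpl, '/api/v1/auth/otp/create', undefined, accessToken);
  const otp = await promptForOtp();
  const { sessionToken } = await postJson(fetchImpl, '/api/v1/auth/otp/validate', { otp }, accessToken);
  if (!sessionToken) throw new Error('otp/validate response did not include sessionToken');
  return sessionToken;
}

// Step 4: an authenticated GET. A 401 is reported as an expired session so the
// caller can drop the stored token and run mobileSignIn again.
async function apiGet(path, sessionToken, fetchImpl = fetch) {
  const res = await fetchImpl(path, { headers: { 'Authorization': `Bearer ${sessionToken}` } });
  if (res.status === 401) return { expired: true, data: null };
  if (!res.ok) throw new Error(`${path} failed with HTTP ${res.status}`);
  return { expired: false, data: await res.json() };
}
```

The `expired` flag is what a mobile client keys on to clear the token from Keychain/Keystore and restart the OTP flow instead of retrying with a dead token.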

Security Best Practices

Primary Backend
  • Use HttpOnly session cookies so page scripts cannot read the cookie, which limits the damage of an XSS bug
  • Always send credentials: 'include', otherwise the session cookie is not attached
  • Allow CORS only for your own origin; credentialed requests cannot use a wildcard origin
Mobile Backend
  • Store tokens in secure storage (Keychain/Keystore)
  • Handle token expiration
  • Implement OTP rate limiting