Skip to main content

Authentication

The Ever Works API uses JWT (JSON Web Token) Bearer authentication. All endpoints are protected by default — only endpoints explicitly marked as public can be accessed without a token.

Registration

Create a new account:

curl -X POST http://localhost:3100/api/auth/register \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "your-password",
"username": "myuser"
}'

Returns access and refresh tokens on success.

Login

Authenticate with email and password:

curl -X POST http://localhost:3100/api/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "[email protected]",
"password": "your-password"
}'

Response:

{
"accessToken": "eyJhbG...",
"refreshToken": "eyJhbG..."
}

Use the accessToken in subsequent requests:

Authorization: Bearer eyJhbG...

Token Refresh

Access tokens expire based on the JWT_ACCESS_TOKEN_EXPIRATION setting (default: 7 days). Use the refresh token to get a new access token:

curl -X POST http://localhost:3100/api/auth/refresh \
-H "Content-Type: application/json" \
-d '{"refreshToken": "eyJhbG..."}'

Refresh tokens expire based on JWT_REFRESH_TOKEN_EXPIRATION_DAYS (default: 14 days).

Logout

Invalidate a specific refresh token:

curl -X POST http://localhost:3100/api/auth/logout \
-H "Authorization: Bearer <access-token>" \
-H "Content-Type: application/json" \
-d '{"refreshToken": "eyJhbG..."}'

Invalidate all refresh tokens (logout from all devices):

curl -X POST http://localhost:3100/api/auth/logout-all \
-H "Authorization: Bearer <access-token>"

Profile

MethodEndpointDescription
GET/api/auth/profileGet profile from JWT payload
GET/api/auth/profile/freshGet fresh profile from database
PUT/api/auth/profileUpdate profile information

Password Management

MethodEndpointAuthDescription
POST/api/auth/update-passwordRequiredChange password (requires current password)
POST/api/auth/forgot-passwordPublicRequest password reset email
POST/api/auth/reset-passwordPublicReset password with token from email
GET/api/auth/validate-reset-tokenPublicCheck if a reset token is valid

Email Verification

MethodEndpointAuthDescription
POST/api/auth/send-verificationRequiredSend verification email
POST/api/auth/verify-emailPublicVerify email with token
GET/api/auth/validate-email-tokenPublicCheck if a verification token is valid

OAuth

The API supports OAuth authentication with GitHub and Google. OAuth endpoints are mounted at /api/oauth/.

Get OAuth URL

Generate an authorization URL to redirect the user:

# GitHub
curl "http://localhost:3100/api/oauth/github/url?callbackUrl=http://localhost:3000/auth/callback"

# Google
curl "http://localhost:3100/api/oauth/google/url?callbackUrl=http://localhost:3000/auth/callback"

Response:

{
"url": "https://github.com/login/oauth/authorize?client_id=..."
}

OAuth Callbacks

MethodEndpointDescription
GET/api/oauth/githubInitiate GitHub OAuth flow
GET/api/oauth/github/callbackGitHub OAuth callback — returns tokens
GET/api/oauth/googleInitiate Google OAuth flow
GET/api/oauth/google/callbackGoogle OAuth callback — returns tokens

Plugin OAuth Connections

Plugins that require OAuth (e.g., GitHub for repository access) use a separate provider-agnostic OAuth flow. See Other Modules — Plugin OAuth for details.

Configuration

JWT settings are configured via environment variables:

VariableDefaultDescription
JWT_SECRETRequired. Secret key for signing tokens
JWT_ACCESS_TOKEN_EXPIRATION7dAccess token TTL (e.g., 15m, 1h, 7d, never)
JWT_REFRESH_TOKEN_EXPIRATION_DAYS14Refresh token TTL in days (or never)
GH_CLIENT_IDGitHub OAuth client ID
GH_CLIENT_SECRETGitHub OAuth client secret
GOOGLE_CLIENT_IDGoogle OAuth client ID
GOOGLE_CLIENT_SECRETGoogle OAuth client secret