# Authentication

Endpoints for logging in, refreshing tokens, managing the current user's profile, and changing credentials.

## Endpoints overview

| Method | Endpoint | Permission | Description |
|---|---|---|---|
| POST | /auth/login | none | Log in, receive tokens |
| POST | /auth/refresh | none | Refresh access token |
| POST | /auth/logout | authenticated | Clear refresh token |
| GET | /auth/me | authenticated | Get current user |
| PATCH | /auth/me | authenticated | Update current user profile |
| PATCH | /auth/change-password | authenticated | Change password |
| PATCH | /auth/avatar | authenticated | Upload avatar |
| DELETE | /auth/avatar | authenticated | Delete avatar |
## Endpoints

### Login

`POST /auth/login`

Rate limited.

Request body

```json
{ "login": "user@example.com", "password": "secret" }
```

Response 200

```json
{ "accessToken": "<jwt>" }
```

The refresh token is returned as an HttpOnly cookie.

### Refresh token

`POST /auth/refresh`

Rate limited. Reads the refresh token from the HttpOnly cookie and issues a new access token.

Response 200

```json
{ "accessToken": "<new_jwt>" }
```

### Logout

`POST /auth/logout` (Auth required)

Clears the refresh token cookie server-side.

Response 204
### Get current user

`GET /auth/me` (Auth required)

Response 200

```json
{
  "id": "a1b2c3d4-0000-0000-0000-000000000001",
  "email": "jane@example.com",
  "enName": "Jane",
  "enSurname": "Smith",
  "uaName": "Джейн",
  "uaSurname": "Сміт",
  "roleId": "role-uuid",
  "role": "Editor",
  "avatarUrl": "/api/characters/file/avatars/jane.jpg",
  "createdAt": "2025-01-10T09:00:00.000Z",
  "permissions": [
    { "name": "episode:create", "scope": "global" },
    { "name": "scene:edit", "scope": "assigned" }
  ]
}
```
### Update current user profile

`PATCH /auth/me` (Auth required)

Request body (all fields optional)

```json
{
  "enName": "Jane",
  "enSurname": "Smith",
  "uaName": "Джейн",
  "uaSurname": "Сміт",
  "roleId": "role-uuid"
}
```

Response 200: updated user object (same shape as `GET /auth/me`)
### Change password

`PATCH /auth/change-password` (Auth required, Rate limited)

All active sessions are revoked after a successful password change.

Request body

```json
{
  "currentPassword": "old_secret",
  "newPassword": "new_secret"
}
```

Response 204
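The login, refresh, logout and change-password sections above describe a token exchange that a client has to get right: the access token goes in the `Authorization` header, the refresh token never leaves the HttpOnly cookie, a 401 should trigger one refresh and one retry, and after a password change every session (this one included) is gone. The following is an added example in JavaScript, not the project's own client or server code. The `AuthClient` class is the browser-side logic; `makeFakeServer` is a constructed in-memory stand-in for the documented endpoints so the flow can run offline, and the base URL, test user and passwords are made up for the example.

```javascript
// Added example, not the project's own client code: a browser-style client for the documented /auth
// flow. The access token is held only in memory; the refresh token lives in the HttpOnly cookie the
// server sets, so JavaScript never reads or stores it. `fetchImpl` is injected so the class runs against
// a real server (pass window.fetch) or the constructed stand-in below. URL and credentials are made up.
class AuthClient {
  constructor(baseUrl, fetchImpl) {
    this.baseUrl = baseUrl;
    this.fetchImpl = fetchImpl;
    this.accessToken = null; // deliberately not written to localStorage
  }
  async login(login, password) {
    const res = await this.fetchImpl(`${this.baseUrl}/auth/login`, {
      method: "POST", credentials: "include", // "include" lets the browser keep the HttpOnly cookie
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ login, password }),
    });
    if (res.status !== 200) throw new Error(`login failed with status ${res.status}`);
    this.accessToken = (await res.json()).accessToken;
    return this.accessToken;
  }
  // POST /auth/refresh carries no body: the cookie is the credential.
  async refresh() {
    const res = await this.fetchImpl(`${this.baseUrl}/auth/refresh`, { method: "POST", credentials: "include" });
    this.accessToken = res.status === 200 ? (await res.json()).accessToken : null;
    return this.accessToken;
  }
  // Authenticated call: on 401 refresh once and retry once, never loop.
  async request(path, init = {}) {
    const attempt = () => this.fetchImpl(`${this.baseUrl}${path}`, {
      ...init, credentials: "include",
      headers: { ...(init.headers || {}), Authorization: `Bearer ${this.accessToken}` },
    });
    let res = await attempt();
    if (res.status === 401 && (await this.refresh()) !== null) res = await attempt();
    return res;
  }
  async logout() { // the server clears the cookie; the client must also forget its access token
    const status = (await this.request("/auth/logout", { method: "POST" })).status;
    this.accessToken = null;
    return status;
  }
}
// Constructed stand-in for the documented server (not the real implementation) with just enough state
// to run offline. Access tokens expire after `ttl` authenticated calls so the 401 -> refresh path runs.
function makeFakeServer(ttl = 2) {
  let password = "secret";
  const sessions = new Set(); // valid refresh tokens: the server's "active sessions"
  const access = new Map(); // access token -> remaining uses
  let cookie = null; // stands in for the browser's HttpOnly cookie jar
  let n = 0;
  const reply = (status, body = null) => ({ status, json: async () => body });
  const issueAccess = () => { const t = `jwt-${++n}`; access.set(t, ttl); return t; };
  const fetchImpl = async (url, init = {}) => {
    const path = new URL(url).pathname;
    if (path === "/auth/login") {
      const body = JSON.parse(init.body);
      if (body.login !== "user@example.com" || body.password !== password) return reply(401);
      cookie = `refresh-${++n}`; // Set-Cookie: refreshToken=...; HttpOnly; Secure; SameSite=Strict
      sessions.add(cookie);
      return reply(200, { accessToken: issueAccess() });
    }
    if (path === "/auth/refresh") {
      return cookie && sessions.has(cookie) ? reply(200, { accessToken: issueAccess() }) : reply(401);
    }
    // Everything else is "Auth required": check the bearer token before routing.
    const auth = (init.headers || {}).Authorization || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    const uses = access.get(token) || 0;
    if (uses <= 0) return reply(401);
    access.set(token, uses - 1);
    if (path === "/auth/me") return reply(200, { email: "user@example.com" });
    if (path === "/auth/logout") { sessions.delete(cookie); cookie = null; return reply(204); }
    if (path === "/auth/change-password") {
      const body = JSON.parse(init.body);
      if (body.currentPassword !== password) return reply(400);
      password = body.newPassword;
      sessions.clear(); access.clear(); // revoke every active session, this one included
      return reply(204);
    }
    return reply(404);
  };
  return { fetchImpl, activeSessions: () => sessions.size };
}
// Drive the whole flow once and return what happened, so it can be checked rather than only printed.
async function runFlow() {
  const server = makeFakeServer(2);
  const client = new AuthClient("https://api.example.test", server.fetchImpl);
  const firstToken = await client.login("user@example.com", "secret");
  const statuses = [];
  for (let i = 0; i < 3; i++) statuses.push((await client.request("/auth/me")).status);
  const rotated = client.accessToken !== firstToken; // third call got 401, refreshed, retried
  const changed = (await client.request("/auth/change-password", { method: "PATCH",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ currentPassword: "secret", newPassword: "new_secret" }) })).status;
  const afterChange = (await client.request("/auth/me")).status; // 401: refresh cookie revoked too
  await client.login("user@example.com", "new_secret");
  const loggedOut = await client.logout();
  const afterLogout = (await client.request("/auth/me")).status;
  return { statuses, rotated, changed, afterChange, loggedOut, afterLogout, sessions: server.activeSessions() };
}
runFlow().then((r) => console.log(JSON.stringify(r)));
```

Two design choices matter here. `request` refreshes at most once per call, so a revoked session produces a single failed refresh and a 401 back to the caller instead of a retry loop against a rate-limited endpoint. And after `change-password` the client keeps nothing usable: the old access token is rejected, the refresh cookie no longer matches any server-side session, and the only way forward is a fresh login, which is exactly what "all active sessions are revoked" promises.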
### Upload avatar

`PATCH /auth/avatar` (Auth required, Rate limited, multipart/form-data)

Form field: `file` (image file, JPEG / PNG)

Response 200: updated user object (same shape as `GET /auth/me`)

### Delete avatar

`DELETE /auth/avatar` (Auth required)

Response 200: updated user object with `avatarUrl: null`