Auth API

Send OTP

POST /api/auth/send-otp

Starts the passwordless login flow. Sends a 6-digit code to the user's email address.

Request:

{ "email": "[email protected]" }

Response (200):

{ "ok": true }

Response (429): Rate limit exceeded for this email or IP address.


Verify OTP

POST /api/auth/verify-otp

Verifies the OTP code and issues a session cookie on success.

Request:

{ "email": "[email protected]", "code": "123456" }

Response (200): Sets an HttpOnly session cookie. Body:

{ "ok": true }

Response (400): Invalid or expired code.


Current user

GET /api/auth/me

Returns the currently authenticated user from the session cookie.

Response (200):

{ "email": "[email protected]" }

Response (401): No valid session.


Logout

GET /api/auth/logout

Deletes the session record from KV and clears the session cookie. Because the cookie is SameSite=Strict, a cross-site navigation to this URL arrives without it, so a third-party page cannot force a logout even though the endpoint is a GET. Cloudflare KV is eventually consistent, so a deleted session may still resolve at other edge locations for a short time (up to about 60 seconds) after logout.

Response (200):

{ "ok": true }

Session model

Sessions are stored server-side in Cloudflare KV. The session cookie carries only an opaque random token that keys the KV record; no user data is stored in the cookie itself. A session expires after 15 days of inactivity, so the expiry is extended on each authenticated request rather than counted from login.

The cookie is:

  • HttpOnly: not readable from page scripts, so an XSS cannot exfiltrate the token (it can still issue requests that carry it)
  • Secure: sent only over HTTPS
  • SameSite=Strict: never sent on cross-site requests, including top-level navigations from other sites, which blocks CSRF; a link into the app from elsewhere therefore lands unauthenticated until the user navigates within the site

See also