
API - Auth Routes

Source of truth: d3chat/backend/app/routers/auth.py

Prefix: /api/v1/auth

POST /register

Creates a local user, registers a device, creates a refresh session, and returns an access token plus a refresh token.

Request body:

{
"username": "alice",
"password": "StrongPass123",
"email": "alice@example.com",
"display_name": "Alice",
"device_name": "MacBook"
}

Constraints:

  • username: 3-64 chars, [a-zA-Z0-9_-]+
  • password: 8-128 chars

Registration gates:

  • blocked when registration_mode is closed or invite_only
  • optional email domain allowlist check via registration_domain_allowlist

Response:

{
"access_token": "...",
"refresh_token": "...",
"token_type": "bearer",
"user_id": "<uuid>",
"device_id": "<uuid>"
}

POST /login

Authenticates the user, registers a new device, and issues an access token plus a refresh token for it.

Request:

{
"username": "alice",
"password": "StrongPass123",
"device_name": "iPhone"
}

Notes:

  • Rejects banned users.
  • Rejects suspended users until suspended_until.
  • Auto-clears expired suspension.

POST /refresh

Rotates refresh token and issues new access token.

Request:

{ "refresh_token": "<refresh-token>" }

POST /logout

Deletes the single session whose stored hash matches the supplied refresh token.

Request:

{ "refresh_token": "<refresh-token>" }

Returns 204 No Content.

POST /logout-all

Deletes all sessions for current authenticated user.

Returns 204 No Content.

POST /ws-ticket

Creates a one-time WebSocket ticket, stored in Redis with setex and a 30-second TTL.

Requires Bearer token.

Response:

{ "ticket": "<opaque-ticket>" }
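As an added illustration that is not the project's auth.py, the following in-memory model covers the session lifecycle behind /refresh, /logout and /logout-all (only token hashes are stored, the presented refresh token is consumed on rotation) and the one-time ticket behind /ws-ticket (consumed on first redemption, expired after the TTL). The class and method names are assumptions for the example, and the caller passes the clock (`now`) explicitly so expiry can be exercised deterministically.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

def hash_refresh_token(token: str) -> str:
    # Only the SHA-256 digest is persisted, so a leaked table yields no usable tokens
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class SessionStore:
    # refresh_token_hash -> (user_id, device_id); stands in for the sessions table
    sessions: dict = field(default_factory=dict)

    def issue(self, user_id: str, device_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[hash_refresh_token(token)] = (user_id, device_id)
        return token

    def rotate(self, refresh_token: str) -> Optional[str]:
        # POST /refresh: the presented token is consumed, so a replay returns None
        session = self.sessions.pop(hash_refresh_token(refresh_token), None)
        return None if session is None else self.issue(*session)

    def logout(self, refresh_token: str) -> bool:
        # POST /logout: delete exactly one session by its token hash
        return self.sessions.pop(hash_refresh_token(refresh_token), None) is not None

    def logout_all(self, user_id: str) -> int:
        # POST /logout-all: drop every session of the user and report how many
        doomed = [h for h, (uid, _) in self.sessions.items() if uid == user_id]
        for h in doomed:
            del self.sessions[h]
        return len(doomed)

@dataclass
class WsTicketStore:
    # ticket -> (user_id, expires_at); stands in for Redis SETEX with a 30 s TTL
    ttl_seconds: float = 30.0
    tickets: dict = field(default_factory=dict)

    def create(self, user_id: str, now: float) -> str:
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = (user_id, now + self.ttl_seconds)
        return ticket

    def redeem(self, ticket: str, now: float) -> Optional[str]:
        entry = self.tickets.pop(ticket, None)  # one-time: gone after first lookup
        return None if entry is None or now > entry[1] else entry[0]
```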