Mnueron's auth surface is HTTP-only — sessions are stored in an httpOnly cookie, raw tokens never reach client-side JS. Most external integrations skip the cookie path and use a bearer token straight away.
POST /api/auth/login
curl -X POST https://www.mnueron.com/api/auth/login \
-H "Content-Type: application/json" \
-d '{ "email": "you@example.com", "password": "…" }'
Returns { user, org } on success and sets the mnueron_session cookie. 401 on bad credentials.
POST /api/auth/signup
curl -X POST https://www.mnueron.com/api/auth/signup \
-H "Content-Type: application/json" \
-d '{
"email": "you@example.com",
"password": "longer-than-eight-chars",
"name": "You",
"org_name": "Your workspace"
}'
201 returns { user, org, email_verification_sent: true }. Creates the user + org + a default API token in one transaction. Cloudflare Turnstile captcha may be required (captchaToken field) in production.
POST /api/auth/logout
Clears the session cookie. Returns { ok: true }.
GET /api/auth/me
Returns the current { user, org } for either a session cookie or a bearer token. 401 when not signed in.
PATCH /api/auth/me
Update the current user's name.
{ "name": "Alice C." }
DELETE /api/auth/me
Self-serve account deletion. Body { "password": "…" } for re-auth. Returns { ok: true, counts } and clears the cookie.
Email verification & password reset
POST /api/auth/verify-email: body { token }
POST /api/auth/resend-verification (requires auth, rate-limited)
POST /api/auth/reset-request: body { email }. Always returns 200 (no user enumeration)
POST /api/auth/reset-consume: body { token, password }
Google OAuth
GET /api/auth/oauth/google/start: 302 to Google
GET /api/auth/oauth/google/callback: Google returns here; sets the session cookie and redirects to /dashboard on success
API tokens
GET /api/auth/tokens: list (no hashes leaked)
POST /api/auth/tokens: body { name? }. Returns { id, prefix, raw, name, created_at }. raw is shown once.
DELETE /api/auth/tokens/:id: revoke; 204