Authentication

Firecase authenticates API requests in two distinct ways:

• API keys (Authorization: Bearer sk_…) — for server-to-server use. Mint and manage them from the dashboard.
• Session cookies — for the browser dashboard. Set by the endpoints below after the user logs in.

The endpoints on this page exist to support the browser session flow — sign-up, log-in, MFA, password reset, OAuth, and account management. Most API integrations only need an API key and never touch them.

Sign-up & log-in

• POST /v1/auth/signup — create an account
• POST /v1/auth/login — exchange credentials for a session
• POST /v1/auth/logout — revoke the current session
• POST /v1/auth/refresh — rotate the access token
• POST /v1/auth/login/magic-link/request · GET /consume — passwordless

Multi-factor authentication

• GET /v1/auth/mfa/factors — list enrolled factors
• TOTP enroll: begin → finish
• WebAuthn enroll: begin → finish
• SMS / email enroll: SMS · email
• During login: POST /v1/auth/login/mfa · state

Password management

• POST /v1/auth/forgot-password
• POST /v1/auth/reset-password
• POST /v1/auth/set-password
• POST /v1/auth/me/password — change while signed in

OAuth

• GET /v1/auth/oauth/providers — list enabled providers
• GET /v1/auth/oauth/:provider — start the flow
• GET /v1/auth/oauth/:provider/callback

Current user (me)

• GET /v1/auth/me · PATCH · DELETE
• GET /v1/auth/me/sessions — active sessions
• POST /v1/auth/me/sessions/revoke-others
• POST /v1/auth/me/email · confirm
• POST /v1/auth/me/export — GDPR data export

Invitations & recovery

• GET /v1/auth/invitations/:token · accept
• POST /v1/auth/recovery/request → complete
• POST /v1/auth/sudo — re-auth for sensitive actions