POST /v1/auth/sudo

POST /v1/auth/sudo re-verifies the user's password and mints a 5-minute sudo-grant cookie. Subsequent calls to destructive routes (account deletion, MFA factor removal, billing-email change, API-key rotation) succeed only when the request also carries the sudo cookie. The cookie is HttpOnly, Secure and SameSite=Strict (not Lax: the sudo grant is never sent on cross-origin navigation) and is path-scoped to /v1.

Tags: auth

Request body

Required.

JSON
{
  "$ref": "#/components/schemas/SudoGrantRequest"
}

Responses

JSON
{
  "$ref": "#/components/schemas/SudoGrantResponse"
}

401 — UNAUTHENTICATED — missing session OR password mismatch.

423 — ACCOUNT_LOCKED — repeated failures triggered lockout.

Code samples

TypeScript

TypeScript
import { firecase } from "@firecase/sdk";

const result = await firecase.post("/auth/sudo", { /* body */ });
console.log(result);

Python

Python
import firecase

result = firecase.post("/auth/sudo", json={})
print(result)

curl

Bash
curl -X POST https://api.firecase.ai/v1/auth/sudo \
  -H "Authorization: Bearer $FIRECASE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{}'
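
Checking the sudo cookie

The cookie attributes given in the endpoint description (HttpOnly, Secure, SameSite=Strict, path /v1, 5-minute lifetime) can be asserted in an integration test against the Set-Cookie header the endpoint returns. The following is an added example, not part of the Firecase SDK or documentation. It assumes the lifetime is expressed as Max-Age; the cookie name fc_sudo and both sample headers are constructed.

```python
MAX_SUDO_TTL = 300  # 5 minutes, per the endpoint description

# Constructed sample headers; the cookie name "fc_sudo" is hypothetical.
GOOD = "fc_sudo=opaque-token; Path=/v1; Max-Age=300; HttpOnly; Secure; SameSite=Strict"
WEAK = "fc_sudo=opaque-token; Path=/; Max-Age=3600; HttpOnly; SameSite=Lax"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attribute keys are lowercased."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_sudo_cookie(header):
    """Return deviations from the documented sudo-cookie policy (empty list = compliant)."""
    _, _, attrs = parse_set_cookie(header)
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if "secure" not in attrs:
        problems.append("missing Secure")
    samesite = attrs.get("samesite", "")
    if samesite.lower() != "strict":
        problems.append(f"SameSite is {samesite or 'unset'}, expected Strict")
    if attrs.get("path") != "/v1":
        problems.append(f"Path is {attrs.get('path') or 'unset'}, expected /v1")
    # Assumption: the 5-minute lifetime is carried in Max-Age (the page does not say how).
    max_age = attrs.get("max-age")
    if max_age is None:
        problems.append("no Max-Age, lifetime is not bounded by the cookie itself")
    elif not max_age.isdigit() or int(max_age) > MAX_SUDO_TTL:
        problems.append(f"Max-Age {max_age} is not within 0..{MAX_SUDO_TTL}s")
    return problems


if __name__ == "__main__":
    for label, header in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, audit_sudo_cookie(header) or "compliant")
```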