# REST & Auth API
While the platform's primary interface is GraphQL, several services expose REST endpoints for authentication flows, content feeds, admin metrics, and SCIM provisioning.
## Dev Token (Quick Auth)

The fastest way to get an authenticated session for API testing: no OAuth, no browser required.

```bash
# Issue a session token for any seeded user
curl -s -X POST http://localhost:3008/auth/dev/token \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}' | jq .
```

```json
{
  "session_token": "sess_a1b2c3d4...",
  "expires_in": 86400,
  "user": { "id": "...", "email": "user@example.com", "username": "user" }
}
```

Requires `DEV_MODE=true` in the auth service. Enabled by default in local development.

Use the token in subsequent requests:

```bash
export TOKEN="sess_a1b2c3d4..."

# GraphQL
curl http://localhost:30000/graphql \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ me { id email } }"}'

# REST (auth service)
curl http://localhost:3008/me \
  -H "Cookie: session_token=$TOKEN"
```
## Auth Service (`localhost:3008`)

### OAuth Flows

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/auth/oauth/:provider` | Initiate OAuth login (redirects to provider). Providers: `google`, `apple`, `twitter`, `facebook` |
| GET | `/auth/oauth/:provider/callback` | OAuth callback (provider redirects back here) |
| POST | `/auth/logout` | Destroy session (requires cookie) |
| POST | `/auth/refresh` | Refresh session token (cookie-based) |

```bash
# Initiate Google OAuth (open in browser)
open "http://localhost:3008/auth/oauth/google"
```
### Email OTP (Passwordless)

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/auth/email/login/start` | Send 6-digit OTP to email |
| POST | `/auth/email/login/finish` | Verify OTP and create session |
| GET | `/auth/email/check?email=...` | Check if email exists |

```bash
# Start email login
curl -X POST http://localhost:3008/auth/email/login/start \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

# Verify OTP
curl -X POST http://localhost:3008/auth/email/login/finish \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com", "code": "123456"}'
```
### Magic Links

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/auth/magic-link/start` | Send magic link email |
| POST | `/auth/magic-link/verify` | Verify magic link token |
### Passkeys (WebAuthn)

| Method | Endpoint | Description | Auth |
|--------|----------|-------------|------|
| POST | `/auth/passkey/login/start` | Get WebAuthn challenge | Public |
| POST | `/auth/passkey/login/finish` | Verify WebAuthn response | Public |
| POST | `/auth/passkey/register/start` | Start passkey registration | Session |
| POST | `/auth/passkey/register/finish` | Complete registration | Session |
### MFA (Two-Factor)

| Method | Endpoint | Description | Auth |
|--------|----------|-------------|------|
| POST | `/auth/mfa/verify` | Verify MFA challenge (TOTP or SMS) | Public |
| POST | `/auth/mfa/backup` | Use backup code | Public |
| GET | `/auth/mfa/status` | Check MFA enrollment status | Session |
| POST | `/auth/mfa/totp/enroll` | Start TOTP enrollment | Session |
| POST | `/auth/mfa/totp/confirm` | Confirm TOTP enrollment | Session |
| POST | `/auth/mfa/sms/enroll` | Start SMS enrollment | Session |
| POST | `/auth/mfa/sms/confirm` | Confirm SMS enrollment | Session |
| POST | `/auth/mfa/disable` | Disable MFA | Session |
| POST | `/auth/mfa/backup/regenerate` | Regenerate backup codes | Session |
### Mobile Token Exchange

For native mobile apps (React Native / KMP) that handle OAuth client-side:

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/auth/mobile/token` | Exchange provider `access_token` for session tokens |
| POST | `/auth/mobile/refresh` | Refresh session via JSON body |
| POST | `/auth/mobile/logout` | Logout via Bearer header |

```bash
# Exchange a Google access token for session tokens
curl -X POST http://localhost:3008/auth/mobile/token \
  -H "Content-Type: application/json" \
  -d '{
    "provider": "google",
    "access_token": "ya29.a0AfH6..."
  }'
```

Response:

```json
{
  "session_token": "sess_...",
  "refresh_token": "ref_...",
  "expires_in": 900,
  "refresh_expires_in": 2592000,
  "user": { "id": "...", "email": "..." }
}
```
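A client-side token lifecycle for the exchange above, as an added example (not the project's own mobile client code): it stores the documented `session_token`/`refresh_token` pair, refreshes through `/auth/mobile/refresh` shortly before the 900-second session expiry, and forces a full re-login once the 30-day refresh token has also expired. The HTTP transport is injected so the class runs offline; the `refresh_token` request-body field name and the 60-second skew are assumptions, not taken from the docs.

```python
import time
from typing import Any, Callable, Dict, Optional

# Transport callback (path, json_body) -> parsed JSON response. Injected so the class
# can be exercised offline with a fake auth service; a real one would POST the body
# to http://localhost:3008 + path with Content-Type: application/json.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]

class MobileSession:
    """Holds the session/refresh token pair from /auth/mobile/token and refreshes
    it through /auth/mobile/refresh before the session token expires."""

    # Refresh this many seconds early to absorb clock skew and request latency
    # (assumed value; the docs do not specify one)
    SKEW_SECONDS = 60

    def __init__(self, transport: Transport, now: Callable[[], float] = time.time):
        self._transport, self._now = transport, now
        self.session_token: Optional[str] = None
        self.refresh_token: Optional[str] = None
        self.session_expires_at = 0.0
        self.refresh_expires_at = 0.0

    def _store(self, resp: Dict[str, Any]) -> None:
        # Field names are those of the documented /auth/mobile/token response
        self.session_token = resp["session_token"]
        self.refresh_token = resp["refresh_token"]
        self.session_expires_at = self._now() + resp["expires_in"]          # 900 s
        self.refresh_expires_at = self._now() + resp["refresh_expires_in"]  # 30 days

    def login(self, provider: str, access_token: str) -> Dict[str, Any]:
        """Exchange a provider access token obtained client-side for session tokens."""
        resp = self._transport("/auth/mobile/token",
                               {"provider": provider, "access_token": access_token})
        self._store(resp)
        return resp["user"]

    def needs_refresh(self) -> bool:
        return self._now() >= self.session_expires_at - self.SKEW_SECONDS

    def bearer_header(self) -> Dict[str, str]:
        """Return the Authorization header, refreshing first if the session is stale."""
        if self.needs_refresh():
            if self._now() >= self.refresh_expires_at:
                raise PermissionError("refresh token expired; a full re-login is required")
            # Body field name is an assumption: the docs only say "refresh via JSON body"
            resp = self._transport("/auth/mobile/refresh", {"refresh_token": self.refresh_token})
            self._store(resp)  # adopt rotated tokens if the server issued new ones
        return {"Authorization": f"Bearer {self.session_token}"}
```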
### SAML SSO

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/auth/saml/:org_id/acs` | SAML Assertion Consumer Service (IdP posts here) |
| GET | `/auth/saml/:org_id/metadata` | SAML Service Provider metadata XML |
### Session Validation

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/auth/validate` | Validate session cookie (used by gateway) |
| GET | `/me` | Get current user profile |
| GET | `/auth/phone/check?phone=...` | Check if phone exists |
## Gateway (`localhost:30000`)

### Content Feeds

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/sitemap.xml` | Sitemap index |
| GET | `/sitemap-malets.xml` | Malets sitemap |
| GET | `/sitemap-blogs.xml` | All blogs sitemap |
| GET | `/sitemap/m/:handle/blogs.xml` | Per-Malet blog sitemap |
| GET | `/rss/m/:handle/blogs.xml` | Per-Malet RSS 2.0 + Atom feed |

```bash
# Get RSS feed for a Malet
curl http://localhost:30000/rss/m/my-coffee-shop/blogs.xml
```
### Admin Metrics

| Method | Endpoint | Description | Auth |
|--------|----------|-------------|------|
| GET | `/admin/metrics` | JSON metrics (operations, cache, errors) | None (admin port) |
| GET | `/admin/metrics/prometheus` | Prometheus text format | None (admin port) |

```bash
# JSON metrics
curl http://localhost:30000/admin/metrics | jq .

# Prometheus format
curl http://localhost:30000/admin/metrics/prometheus
```
### GraphQL

| Method | Endpoint | Description |
|--------|----------|-------------|
| POST | `/graphql` | Federated GraphQL endpoint |

See the GraphQL API guide for full details.
## SCIM Service (`localhost:3019`)

SCIM 2.0 (RFC 7644) for enterprise user provisioning. Requires a SCIM bearer token generated via the Organizations GraphQL API.

### Discovery

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/scim/v2/ServiceProviderConfig` | SCIM capabilities |
| GET | `/scim/v2/Schemas` | Supported schemas |
| GET | `/scim/v2/ResourceTypes` | Resource type definitions |
### Users

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/scim/v2/Users` | List provisioned users (supports `filter`) |
| GET | `/scim/v2/Users/:id` | Get user by ID |
| POST | `/scim/v2/Users` | Create (provision) user |
| PUT | `/scim/v2/Users/:id` | Replace user |
| PATCH | `/scim/v2/Users/:id` | Partial update (status, name) |
| DELETE | `/scim/v2/Users/:id` | Deprovision user |

```bash
# List SCIM users (requires SCIM token)
curl http://localhost:3019/scim/v2/Users \
  -H "Authorization: Bearer scim_token_here"

# Filter by username
curl "http://localhost:3019/scim/v2/Users?filter=userName%20eq%20%22john%22" \
  -H "Authorization: Bearer scim_token_here"
```
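An evaluator for the `filter` parameter used above, as an added example that is not the SCIM service's own implementation: it parses flat RFC 7644 filter expressions (`eq`, `ne`, `co`, `sw`, `pr`, joined by `and`/`or`, no parentheses or value paths) and applies them to constructed sample User resources, so you can check what `userName eq "john"` or `active eq true` will match before sending it to `/scim/v2/Users`. Attribute names and (non-caseExact) string values are compared case-insensitively, as SCIM specifies.

```python
import re
from urllib.parse import unquote

OPS = {"eq", "ne", "co", "sw", "pr"}  # "pr" (present) takes no value
_TOKEN = re.compile(r'\s*(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def tokenize(expr):
    # Yields attribute, operator, unquoted value and and/or tokens in order
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(expr)]

def _lookup(resource, path):
    # Case-insensitive dotted lookup ("name.familyName"); SCIM names are not case-sensitive
    cur = resource
    for part in path.lower().split("."):
        cur = (next((v for k, v in cur.items() if k.lower() == part), None)
               if isinstance(cur, dict) else None)
    return cur

def _compare(op, actual, expected):
    if op == "pr":
        return actual not in (None, "", [])
    if actual is None:
        return False
    # caseExact defaults to false; booleans (active eq true) compare as "true"/"false"
    a, e = str(actual).lower(), expected.lower()
    return {"eq": a == e, "ne": a != e, "co": e in a, "sw": a.startswith(e)}[op]

def matches(resource, raw_filter):
    # Evaluate a ?filter= value (URL-encoded or plain) against one User resource.
    # Flat grammar only (no parentheses); and/or are applied left to right.
    toks, result, conj, i = tokenize(unquote(raw_filter)), None, None, 0
    while i < len(toks):
        op = toks[i + 1].lower() if i + 1 < len(toks) else None
        if op not in OPS or (op != "pr" and i + 2 >= len(toks)):
            raise ValueError(f"malformed filter: {raw_filter!r}")
        val, nxt = (None, i + 2) if op == "pr" else (toks[i + 2], i + 3)
        term = _compare(op, _lookup(resource, toks[i]), val)
        result = term if result is None else (result and term if conj == "and" else result or term)
        i = nxt
        if i < len(toks):
            conj, i = toks[i].lower(), i + 1
            if conj not in ("and", "or"):
                raise ValueError(f"expected and/or, got {conj!r}")
    return bool(result)

SAMPLE_USERS = [  # constructed sample resources shaped like SCIM 2.0 Users (not real data)
    {"id": "1", "userName": "john", "active": True, "name": {"familyName": "Doe"}},
    {"id": "2", "userName": "jane.doe", "active": False, "name": {"familyName": "Doe"}},
    {"id": "3", "userName": "bob", "active": True},
]
```

Run `[u["id"] for u in SAMPLE_USERS if matches(u, "userName%20eq%20%22john%22")]` to see the exact URL-encoded filter from the curl example resolve to user `1`.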
### Groups (Stub)

| Method | Endpoint | Description |
|--------|----------|-------------|
| GET | `/scim/v2/Groups` | List groups (delegated to organizations service) |
## Auth Flow Summary

```text
┌──────────────┐        ┌──────────────┐        ┌──────────────┐
│   Browser    │        │ Auth Service │        │   Gateway    │
│  (Frontend)  │        │   (:3008)    │        │   (:30000)   │
└──────┬───────┘        └──────┬───────┘        └──────┬───────┘
       │                       │                       │
       │ GET /auth/oauth/      │                       │
       │ google ──────────────>│                       │
       │                       │                       │
       │ <── redirect to ──────│                       │
       │     Google            │                       │
       │                       │                       │
       │ callback + cookie ───>│                       │
       │ <── session_token ────│                       │
       │     (Set-Cookie)      │                       │
       │                       │                       │
       │ POST /graphql ────────┼──────────────────────>│
       │ (Cookie: session_t)   │  GET /auth/validate   │
       │                       │<──────────────────────│
       │                       │  {user_id, email}     │
       │                       │──────────────────────>│
       │                       │                       │
       │ <── GraphQL response ─┼───────────────────────│
       │                       │                       │

── API / CLI Flow ──────────────────────────────────────────────

┌──────────┐            ┌──────────────┐        ┌──────────────┐
│  curl /  │            │ Auth Service │        │   Gateway    │
│  Postman │            │   (:3008)    │        │   (:30000)   │
└────┬─────┘            └──────┬───────┘        └──────┬───────┘
     │                         │                       │
     │ POST /auth/dev/token ──>│                       │
     │ {"email": "..."}        │                       │
     │ <── session_token ──────│                       │
     │                         │                       │
     │ POST /graphql ──────────┼──────────────────────>│
     │ (Bearer: session_t)     │  POST /validate-token │
     │                         │<──────────────────────│
     │                         │  {user_id, email}     │
     │                         │──────────────────────>│
     │                         │                       │
     │ <── GraphQL response ───┼───────────────────────│
```