Auth
Thogits uses session-based authentication. After registering or logging in, the server sets an HTTP-only session cookie that authenticates subsequent requests. All auth endpoints are under /api/auth/.
POST /auth/register
Create a new account with email and password.
Auth required: No
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address |
| password | string | Yes | Password (minimum 8 characters) |

```bash
curl -X POST https://app.thogits.com/api/auth/register \
  -H "Content-Type: application/json" \
  -c cookies.txt \
  -d '{"email": "user@example.com", "password": "securepass123"}'
```

Response (200):

```json
{
  "user_id": "01HQ8A1B2CDEFGHIJK3LMNOP4Q",
  "email": "user@example.com",
  "display_name": null,
  "created_at": "2025-01-15T10:00:00Z",
  "oauth_providers": [],
  "has_password": true,
  "has_totp": false
}
```

A session cookie is set automatically. You can immediately make authenticated requests.
Errors:
| Status | Cause |
|---|---|
| 400 | Invalid email, password too short, or email already registered |
POST /auth/login
Authenticate with email and password.
Auth required: No
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
| email | string | Yes | Email address |
| password | string | Yes | Password |

```bash
curl -X POST https://app.thogits.com/api/auth/login \
  -H "Content-Type: application/json" \
  -b cookies.txt -c cookies.txt \
  -d '{"email": "user@example.com", "password": "securepass123"}'
```

Response (200) — success:

```json
{
  "user_id": "01HQ8A1B2CDEFGHIJK3LMNOP4Q",
  "email": "user@example.com",
  "display_name": "Alice",
  "created_at": "2025-01-15T10:00:00Z",
  "oauth_providers": ["google"],
  "has_password": true,
  "has_totp": true
}
```

Response (200) — TOTP required:
If the account has two-factor authentication enabled, the password check succeeds, but the server returns only a partial session:

```json
{
  "needs_2fa": true
}
```

You must then call POST /auth/2fa/totp/verify with the 6-digit code to complete login.
Errors:
| Status | Cause |
|---|---|
| 401 | Invalid email or password |
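
A client must not treat every 200 from POST /auth/login as a completed login, because the `needs_2fa` response is also a 200. The sketch below is an added example, not Thogits code: it classifies login responses and confirms the session with GET /auth/me. The `code` field name in the verify request, the `send` transport, and the `fake_server` stand-in with its responses are assumptions constructed for illustration.

```python
import json

LOGIN, VERIFY, ME = "/api/auth/login", "/api/auth/2fa/totp/verify", "/api/auth/me"

def classify_login(status, body):
    """Map a login response to 'authenticated', 'needs_2fa', 'rejected' or 'unexpected'."""
    if status == 401:
        return "rejected"
    try:
        data = json.loads(body) if status == 200 else None
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "unexpected"
    if data.get("needs_2fa") is True:          # 200, but only a partial session
        return "needs_2fa"
    if isinstance(data.get("user_id"), str):   # UserInfo object: full session
        return "authenticated"
    return "unexpected"

def sign_in(send, email, password, totp_code=None):
    """Drive the flow through send(method, path, payload) -> (status, body)."""
    state = classify_login(*send("POST", LOGIN, {"email": email, "password": password}))
    if state == "needs_2fa" and totp_code is not None:
        # Assumption: the verify endpoint takes the 6-digit code in a "code" field.
        send("POST", VERIFY, {"code": totp_code})
        # Confirm with GET /auth/me rather than trusting the verify response shape.
        status, _ = send("GET", ME, None)
        state = "authenticated" if status == 200 else "rejected"
    return state

def fake_server(has_totp):
    """Constructed stand-in for the API with one account; its behaviour is assumed."""
    session = {"level": "none"}
    user = {"user_id": "01HQ8A1B2CDEFGHIJK3LMNOP4Q", "email": "user@example.com"}
    def send(method, path, payload):
        if path == LOGIN:
            if payload != {"email": "user@example.com", "password": "securepass123"}:
                return 401, "{}"
            session["level"] = "partial" if has_totp else "full"
            return 200, json.dumps({"needs_2fa": True} if has_totp else user)
        if path == VERIFY and session["level"] == "partial" and payload == {"code": "123456"}:
            session["level"] = "full"
            return 200, "{}"
        if path == ME and session["level"] == "full":
            return 200, json.dumps(user)
        return 401, "{}"
    return send
```

Calling `sign_in` without a TOTP code on a 2FA account returns `needs_2fa`, which is the point at which a real client should prompt the user instead of proceeding.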
POST /auth/logout
End the current session.
Auth required: Yes
```bash
curl -X POST https://app.thogits.com/api/auth/logout \
  -b cookies.txt -c cookies.txt
```

Response (200):

```json
{"message": "Logged out"}
```

GET /auth/me
Get the current authenticated user’s information.
Auth required: Yes
```bash
curl https://app.thogits.com/api/auth/me \
  -b cookies.txt -c cookies.txt
```

Response (200): The UserInfo object (same shape as the register/login response).
Errors:
| Status | Cause |
|---|---|
| 401 | Not authenticated |
PUT /auth/profile
Update the current user’s profile.
Auth required: Yes
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
| display_name | string | No | Display name |

```bash
curl -X PUT https://app.thogits.com/api/auth/profile \
  -H "Content-Type: application/json" \
  -b cookies.txt -c cookies.txt \
  -d '{"display_name": "Alice"}'
```

Response (200): The updated UserInfo object.
POST /auth/password
Change the current user’s password.
Auth required: Yes
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
| current_password | string | Yes | Current password for verification |
| new_password | string | Yes | New password (minimum 8 characters) |

```bash
curl -X POST https://app.thogits.com/api/auth/password \
  -H "Content-Type: application/json" \
  -b cookies.txt -c cookies.txt \
  -d '{"current_password": "securepass123", "new_password": "evenmoresecure456"}'
```

Response (200):

```json
{"message": "Password updated"}
```

Errors:
| Status | Cause |
|---|---|
| 400 | New password too short |
| 401 | Current password incorrect |