Skip to content

Authentication

Ablebase uses session-based authentication provided by Better Auth. Auth endpoints are served at /api/auth/* and are not part of the versioned /v1 API.

POST /api/auth/sign-up/email
Content-Type: application/json
{
"name": "Jane Smith",
"email": "jane@example.com",
"password": "your-password"
}

Self-service sign-up must be enabled by the administrator (ALLOW_SIGNUP=true). On success, a personal organization is created automatically and a session cookie is set.

Clients can discover whether sign-up is currently available via the unauthenticated GET /v1/public-config endpoint. When sign-up is disabled, the web app hides its sign-up affordances and the /signup route redirects to /login.

POST /api/auth/sign-in/email
Content-Type: application/json
{
"email": "jane@example.com",
"password": "your-password"
}

Returns a Set-Cookie header with a Secure, HttpOnly, SameSite session cookie. Include this cookie in all subsequent requests.

Redirect the user to:

GET /api/auth/sign-in/github

The callback URL is /api/auth/callback/github. When self-service sign-up is enabled (ALLOW_SIGNUP=true), GitHub OAuth creates a new account (and personal organization) on first sign-in. When sign-up is disabled, GitHub OAuth can only sign in to existing accounts — first-time sign-ins are rejected.

GET /api/auth/get-session

Returns the current session and user object, or null if not authenticated.

GET /v1/public-config

Returns non-sensitive configuration the web client needs before a user is signed in. Unlike other /v1 endpoints, this one requires no session.

{
"signupEnabled": true
}
Field Type Meaning
signupEnabled boolean Whether self-service sign-up is available (mirrors ALLOW_SIGNUP).
POST /api/auth/sign-out

Invalidates the session cookie.

Request a reset email:

POST /api/auth/forget-password
Content-Type: application/json
{
"email": "jane@example.com",
"redirectTo": "https://your-domain/reset-password"
}

Submit the new password (using the token from the email):

POST /api/auth/reset-password
Content-Type: application/json
{
"token": "<token-from-email>",
"newPassword": "new-password"
}

Most /v1 endpoints require the request to be scoped to an organization via the :orgId path parameter. The session’s activeOrganizationId is used by the web app, but API callers should pass the organization ID explicitly in the URL.

To set the active organization on a session:

POST /api/auth/organization/set-active
Content-Type: application/json
{
"organizationId": "<org-id>"
}