Authentication
Ablebase uses session-based authentication provided by Better Auth. Auth endpoints are served at /api/auth/* and are not part of the versioned /v1 API.
Sign up
Section titled “Sign up”POST /api/auth/sign-up/emailContent-Type: application/json
{ "name": "Jane Smith", "email": "jane@example.com", "password": "your-password"}Self-service sign-up must be enabled by the administrator (ALLOW_SIGNUP=true). On success, a personal organization is created automatically and a session cookie is set.
Clients can discover whether sign-up is currently available via the unauthenticated GET /v1/public-config endpoint. When sign-up is disabled, the web app hides its sign-up affordances and the /signup route redirects to /login.
Sign in
Section titled “Sign in”POST /api/auth/sign-in/emailContent-Type: application/json
{ "email": "jane@example.com", "password": "your-password"}Returns a Set-Cookie header with a Secure, HttpOnly, SameSite session cookie. Include this cookie in all subsequent requests.
GitHub OAuth
Section titled “GitHub OAuth”Redirect the user to:
GET /api/auth/sign-in/githubThe callback URL is /api/auth/callback/github. When self-service sign-up is enabled (ALLOW_SIGNUP=true), GitHub OAuth creates a new account (and personal organization) on first sign-in. When sign-up is disabled, GitHub OAuth can only sign in to existing accounts — first-time sign-ins are rejected.
Get current session
Section titled “Get current session”GET /api/auth/get-sessionReturns the current session and user object, or null if not authenticated.
Public configuration
Section titled “Public configuration”GET /v1/public-configReturns non-sensitive configuration the web client needs before a user is signed in. Unlike other /v1 endpoints, this one requires no session.
{ "signupEnabled": true}| Field | Type | Meaning |
|---|---|---|
signupEnabled |
boolean | Whether self-service sign-up is available (mirrors ALLOW_SIGNUP). |
Sign out
Section titled “Sign out”POST /api/auth/sign-outInvalidates the session cookie.
Password reset
Section titled “Password reset”Request a reset email:
POST /api/auth/forget-passwordContent-Type: application/json
{ "email": "jane@example.com", "redirectTo": "https://your-domain/reset-password"}Submit the new password (using the token from the email):
POST /api/auth/reset-passwordContent-Type: application/json
{ "token": "<token-from-email>", "newPassword": "new-password"}Organization context
Section titled “Organization context”Most /v1 endpoints require the request to be scoped to an organization via the :orgId path parameter. The session’s activeOrganizationId is used by the web app, but API callers should pass the organization ID explicitly in the URL.
To set the active organization on a session:
POST /api/auth/organization/set-activeContent-Type: application/json
{ "organizationId": "<org-id>"}