
Authentication

Ablebase uses session-based authentication provided by Better Auth. Auth endpoints are served at /api/auth/* and are not part of the versioned /v1 API.

POST /api/auth/sign-up/email
Content-Type: application/json

{
  "name": "Jane Smith",
  "email": "jane@example.com",
  "password": "your-password"
}

Self-service sign-up must be enabled by the administrator (ALLOW_SIGNUP=true). On success, a personal organization is created automatically and a session cookie is set.

POST /api/auth/sign-in/email
Content-Type: application/json

{
  "email": "jane@example.com",
  "password": "your-password"
}

Returns a Set-Cookie header with a Secure, HttpOnly, SameSite session cookie. Include this cookie in all subsequent requests.
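A client-side check for the sign-in response described above, as an added example that is not Ablebase's or Better Auth's own code: it parses one Set-Cookie value, confirms the Secure, HttpOnly and SameSite attributes are present, and builds the Cookie header for later requests. The cookie name and value in the sample are constructed placeholders, and the function names are hypothetical.

```javascript
// Constructed sample; the cookie name and value are placeholders, not Ablebase's real ones.
const SAMPLE_SET_COOKIE =
  "session_token=abc123.sig=; Path=/; Max-Age=604800; HttpOnly; Secure; SameSite=Lax";

// Split one Set-Cookie header value into the name/value pair and its attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed Set-Cookie: missing name=value");
  const attrs = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  // The cookie value itself may contain "=", so split on the first one only.
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Return the documented protections that are missing from the cookie.
function missingProtections(cookie) {
  const missing = [];
  if (cookie.attrs.secure !== true) missing.push("Secure");
  if (cookie.attrs.httponly !== true) missing.push("HttpOnly");
  const sameSite = String(cookie.attrs.samesite || "").toLowerCase();
  if (!["strict", "lax", "none"].includes(sameSite)) missing.push("SameSite");
  return missing;
}

// Validate the sign-in cookie and build the Cookie request header.
// Only name=value is sent back; the attributes are never echoed.
function sessionCookieFromSignIn(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader);
  const missing = missingProtections(cookie);
  if (missing.length > 0) {
    throw new Error(`session cookie lacks: ${missing.join(", ")}`);
  }
  return `${cookie.name}=${cookie.value}`;
}
```

A script client that refuses to continue when an attribute is missing catches a misconfigured deployment (for example, one served over plain HTTP behind a proxy) before the session token is reused.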

To sign in with GitHub OAuth, redirect the user to:

GET /api/auth/sign-in/github

The callback URL is /api/auth/callback/github. GitHub OAuth can only sign in to existing accounts — it cannot create new ones.

GET /api/auth/get-session

Returns the current session and user object, or null if not authenticated.

POST /api/auth/sign-out

Invalidates the session cookie.

To reset a password, request a reset email:

POST /api/auth/forget-password
Content-Type: application/json

{
  "email": "jane@example.com",
  "redirectTo": "https://your-domain/reset-password"
}

Submit the new password (using the token from the email):

POST /api/auth/reset-password
Content-Type: application/json

{
  "token": "<token-from-email>",
  "newPassword": "new-password"
}

Most /v1 endpoints require the request to be scoped to an organization via the :orgId path parameter. The session’s activeOrganizationId is used by the web app, but API callers should pass the organization ID explicitly in the URL.

To set the active organization on a session:

POST /api/auth/organization/set-active
Content-Type: application/json

{
  "organizationId": "<org-id>"
}