Overview
APILens uses a passwordless-first authentication model.

- New users: enter email, receive magic link, verify, account is available
- Existing users: may continue with magic link or use password login if a password exists
Main Endpoints
- POST /auth/magic-link
- POST /auth/verify
- POST /auth/login
- POST /auth/refresh
- POST /auth/validate
- POST /auth/logout
Sequence
- Client calls POST /auth/magic-link with email
- User receives verification email
- Client calls POST /auth/verify with token
- Backend returns access_token + refresh_token
- Frontend persists encrypted session cookie
- Protected routes use JWT for API calls
Session Behavior
- Access token is short-lived
- Refresh token is used to rotate session
- POST /auth/refresh issues a fresh token pair
- POST /auth/logout revokes the refresh session
Error Handling
- Unknown email on magic link should not leak account existence (same response for known and unknown addresses)
- Expired or invalid tokens (magic link, access, refresh) return an authentication error
- Password login requires an account that already has a password set
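The Sequence, Session Behavior and Error Handling sections above describe a protocol; the following is an added in-memory model of it, not APILens's own backend code. Token formats (an HS256 JWT for access, a random opaque refresh token), the TTL values, the use of scrypt for password hashing and all class and method names are assumptions chosen for illustration. It shows the properties a reviewer would check: identical magic-link responses for known and unknown addresses, single-use magic links, refresh-token rotation, access-token expiry, revocation on logout, and password login refused until a password exists.

```python
# Added example (not APILens code): an in-memory backend that models the
# documented flow: magic link -> verify -> access/refresh pair -> rotate -> logout.
# Token formats, TTLs and the names below are assumptions for illustration.
import base64, hashlib, hmac, json, secrets, time

MAGIC_TTL, ACCESS_TTL, REFRESH_TTL = 15 * 60, 15 * 60, 30 * 24 * 3600
SCRYPT = dict(n=2 ** 14, r=8, p=1)


class AuthError(Exception):
    """Raised for expired, unknown, reused or malformed tokens."""


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _fingerprint(token: str) -> str:
    # Only a hash of each bearer secret is stored, so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthBackend:
    def __init__(self, signing_key: bytes, clock=time.time):
        self.key, self.clock = signing_key, clock
        self.users = {}    # email -> {"pw": (salt, scrypt digest) or None}
        self.magic = {}    # hashed magic token -> (email, expires_at)
        self.refresh = {}  # hashed refresh token -> (email, expires_at)
        self.outbox = []   # constructed stand-in for the mail service

    # POST /auth/magic-link: same reply whether or not the address is known.
    def request_magic_link(self, email: str) -> dict:
        token = secrets.token_urlsafe(32)
        self.magic[_fingerprint(token)] = (email, self.clock() + MAGIC_TTL)
        self.outbox.append((email, token))
        return {"message": "If the address is valid, a sign-in link has been sent."}

    # POST /auth/verify: single-use token; the account is created on first verify.
    def verify(self, token: str) -> dict:
        rec = self.magic.pop(_fingerprint(token), None)
        if rec is None or rec[1] < self.clock():
            raise AuthError("invalid or expired magic link")
        self.users.setdefault(rec[0], {"pw": None})
        return self._issue_pair(rec[0])

    def set_password(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email]["pw"] = (salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT))

    # POST /auth/login: only for accounts that already have a password.
    def login(self, email: str, password: str) -> dict:
        user = self.users.get(email)
        if user is None or user["pw"] is None:
            raise AuthError("password login not available for this account")
        salt, digest = user["pw"]
        if not hmac.compare_digest(digest, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)):
            raise AuthError("invalid credentials")
        return self._issue_pair(email)

    # POST /auth/refresh: the presented refresh token is consumed (rotation).
    def refresh_tokens(self, refresh_token: str) -> dict:
        rec = self.refresh.pop(_fingerprint(refresh_token), None)
        if rec is None or rec[1] < self.clock():
            raise AuthError("invalid or expired refresh token")
        return self._issue_pair(rec[0])

    # POST /auth/logout: revoke the refresh session; the short-lived access token just expires.
    def logout(self, refresh_token: str) -> None:
        self.refresh.pop(_fingerprint(refresh_token), None)

    # POST /auth/validate: check the HS256 JWT signature, algorithm and expiry; return the subject.
    def validate(self, access_token: str) -> str:
        try:
            head, body, sig = access_token.split(".")
        except ValueError:
            raise AuthError("malformed token")
        expected = hmac.new(self.key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64(expected), sig):
            raise AuthError("bad signature")
        if json.loads(_unb64(head)).get("alg") != "HS256":
            raise AuthError("unexpected algorithm")
        claims = json.loads(_unb64(body))
        if claims["exp"] < self.clock():
            raise AuthError("access token expired")
        return claims["sub"]

    def _issue_pair(self, email: str) -> dict:
        now = int(self.clock())
        compact = dict(separators=(",", ":"))
        header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
        payload = _b64(json.dumps({"sub": email, "iat": now, "exp": now + ACCESS_TTL}, **compact).encode())
        sig = hmac.new(self.key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        refresh = secrets.token_urlsafe(32)
        self.refresh[_fingerprint(refresh)] = (email, now + REFRESH_TTL)
        return {"access_token": f"{header}.{payload}.{_b64(sig)}", "refresh_token": refresh}


def _fails(fn) -> bool:
    try:
        fn()
    except AuthError:
        return True
    return False


def demo() -> dict:
    """Walk the documented sequence with a controllable clock and report each property."""
    t = [1_700_000_000.0]  # constructed clock so expiry can be simulated
    be = AuthBackend(b"constructed-demo-key", clock=lambda: t[0])
    email = "alice@example.com"
    reply_unknown = be.request_magic_link(email)
    _, link = be.outbox[-1]
    pair = be.verify(link)  # account is created here
    reply_known = be.request_magic_link(email)
    out = {"no_enumeration": reply_unknown == reply_known,
           "subject": be.validate(pair["access_token"]),
           "link_single_use": _fails(lambda: be.verify(link)),
           "login_needs_password": _fails(lambda: be.login(email, "anything"))}
    be.set_password(email, "correct horse")
    out["login_after_set"] = be.validate(be.login(email, "correct horse")["access_token"])
    rotated = be.refresh_tokens(pair["refresh_token"])
    out["old_refresh_dead"] = _fails(lambda: be.refresh_tokens(pair["refresh_token"]))
    t[0] += ACCESS_TTL + 1
    out["access_expires"] = _fails(lambda: be.validate(rotated["access_token"]))
    be.logout(rotated["refresh_token"])
    out["logout_revokes"] = _fails(lambda: be.refresh_tokens(rotated["refresh_token"]))
    return out


if __name__ == "__main__":
    print(demo())
```

The two design points worth copying into a real implementation are that every bearer secret is stored only as a hash and looked up with a single `pop`, which makes magic links and refresh tokens single-use by construction, and that `validate` checks the signature before it parses any claim, so an unsigned or `alg`-swapped token never reaches the expiry logic.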