Auth API
Base path: /api/auth
File: ayts-api/src/routes/auth.ts
Rate limited: Yes (auth endpoints)
POST /api/auth/register
Create a new customer account (pre-confirmed, no email verification required).
Request:
{
"email": "user@example.com",
"password": "securepassword",
"firstName": "Juan",
"lastName": "dela Cruz",
"phone": "+639171234567"
}
Response 200:
{
"success": true,
"user": { "id": "uuid", "email": "...", "firstName": "...", "role": "customer" },
"token": "eyJ...",
"refreshToken": "eyJ..."
}
Validation:
email — valid email format
password — min 8 characters
firstName, lastName — required, max 100 chars
phone — optional
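The validation rules above, as an added TypeScript example that is not the project's own code from auth.ts; validateRegisterBody, RegisterBody and the email regex are assumptions, and the sample body is constructed from the documented request.

```typescript
// Added example: enforces the documented rules for POST /api/auth/register.
// Not the project's own code; validateRegisterBody / RegisterBody are assumed names.

interface RegisterBody {
  email: string;
  password: string;
  firstName: string;
  lastName: string;
  phone?: string;
}

// Simple shape check only (assumed pattern); whether the address is
// deliverable or already registered is decided later, not by input validation.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Returns [] when the body is acceptable, otherwise one message per failed
// rule so a client can surface all problems in a single 400 response.
function validateRegisterBody(body: unknown): string[] {
  const errors: string[] = [];
  if (typeof body !== "object" || body === null) {
    return ["body must be a JSON object"];
  }
  const b = body as Record<string, unknown>;

  const email = typeof b.email === "string" ? b.email.trim() : "";
  if (!EMAIL_RE.test(email)) errors.push("email: valid email format required");

  // Length is checked on the raw string: never trim, normalise or log a password.
  if (typeof b.password !== "string" || b.password.length < 8) {
    errors.push("password: min 8 characters");
  }

  for (const field of ["firstName", "lastName"] as const) {
    const v = typeof b[field] === "string" ? (b[field] as string).trim() : "";
    if (v.length === 0) errors.push(`${field}: required`);
    else if (v.length > 100) errors.push(`${field}: max 100 chars`);
  }

  // phone is optional, but when present it must be a string.
  if (b.phone !== undefined && typeof b.phone !== "string") {
    errors.push("phone: must be a string when provided");
  }
  return errors;
}

// Constructed sample matching the documented request body.
const sampleRegisterBody: RegisterBody = {
  email: "user@example.com",
  password: "securepassword",
  firstName: "Juan",
  lastName: "dela Cruz",
  phone: "+639171234567",
};
```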
POST /api/auth/login
{
"email": "user@example.com",
"password": "securepassword"
}
Response 200:
{
"success": true,
"token": "eyJ...",
"refreshToken": "eyJ...",
"user": { "id": "uuid", "email": "...", "role": "customer" }
}
Response 401: Invalid credentials
Response 403: Account deactivated/banned
POST /api/auth/forgot-password
{ "email": "user@example.com" }
Sends a password reset email via Supabase (Resend backend). Always returns 200 to prevent email enumeration.
Response 200:
{ "success": true, "message": "If the email exists, a reset link has been sent." }
POST /api/auth/reset-password
{
"password": "newpassword",
"access_token": "supabase_token_from_email_link"
}
Response 200:
{ "success": true, "message": "Password updated successfully." }
POST /api/auth/refresh
{ "refreshToken": "eyJ..." }
Response 200:
{
"success": true,
"token": "eyJ...",
"refreshToken": "eyJ..."
}
GET /api/auth/me
Requires: Authorization: Bearer {token}
Response 200:
{
"success": true,
"user": {
"id": "uuid",
"email": "...",
"firstName": "...",
"lastName": "...",
"role": "customer",
"isActive": true
}
}
PATCH /api/auth/profile
Requires: Authorization: Bearer {token}
{
"firstName": "Juan",
"lastName": "dela Cruz",
"phone": "+639171234567",
"avatarUrl": "https://r2.../avatar.jpg",
"defaultLocationId": "uuid"
}