Authentication¶
Authentication endpoints for login, user info, initial setup, and multi-factor authentication (MFA).
All endpoints are under /api/v1/auth/.
POST /api/v1/auth/token/¶
Authenticate with username and password. Returns an API key for subsequent Bearer token auth.
If MFA is enabled on the account, the response returns requires_mfa: true with an empty key. The client must then call POST /api/v1/auth/mfa/login-verify/ to complete authentication.
Authentication: None required.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
username | string | yes | Username |
password | string | yes | Password |
Example request:
curl -X POST http://localhost:8000/api/v1/auth/token/ \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "secret"}'
Response (200) -- no MFA:
Response (200) -- MFA enabled:
Error (401):
GET /api/v1/auth/me/¶
Return the currently authenticated user's profile information.
Authentication: Bearer token required.
Example request:
Response (200):
GET /api/v1/auth/setup-status/¶
Check whether the platform needs initial setup (i.e., no users exist yet).
Authentication: None required.
Example request:
Response (200):
POST /api/v1/auth/setup/¶
Create the first admin user. This endpoint only works when no users exist in the database.
Authentication: None required.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
username | string | yes | Admin username |
password | string | yes | Admin password |
Example request:
curl -X POST http://localhost:8000/api/v1/auth/setup/ \
-H "Content-Type: application/json" \
-d '{"username": "admin", "password": "mypassword"}'
Response (200):
Error (409):
MFA Endpoints¶
Multi-factor authentication (MFA) uses TOTP (Time-based One-Time Passwords). Users can set up MFA with any TOTP-compatible authenticator app.
POST /api/v1/auth/mfa/setup/¶
Generate a TOTP secret for the current user. Does not enable MFA until verified.
Authentication: Bearer token required.
Response (200):
{
"secret": "JBSWY3DPEHPK3PXP",
"provisioning_uri": "otpauth://totp/Pipelit:admin?secret=JBSWY3DPEHPK3PXP&issuer=Pipelit"
}
Error (400): "MFA is already enabled."
POST /api/v1/auth/mfa/verify/¶
Verify a TOTP code and enable MFA on the account.
Authentication: Bearer token required.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
code | string | yes | 6-digit TOTP code |
Example request:
curl -X POST http://localhost:8000/api/v1/auth/mfa/verify/ \
-H "Authorization: Bearer <api_key>" \
-H "Content-Type: application/json" \
-d '{"code": "123456"}'
Response (200):
POST /api/v1/auth/mfa/disable/¶
Disable MFA after verifying a TOTP code.
Authentication: Bearer token required.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
code | string | yes | 6-digit TOTP code |
Response (200):
GET /api/v1/auth/mfa/status/¶
Return current MFA status for the authenticated user.
Authentication: Bearer token required.
Response (200):
POST /api/v1/auth/mfa/login-verify/¶
Complete MFA login. Called after POST /token/ returns requires_mfa: true.
Authentication: None required.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
username | string | yes | Username |
code | string | yes | 6-digit TOTP code |
Example request:
curl -X POST http://localhost:8000/api/v1/auth/mfa/login-verify/ \
-H "Content-Type: application/json" \
-d '{"username": "admin", "code": "123456"}'
Response (200):
Error (401): "Invalid credentials." or "Invalid TOTP code."
POST /api/v1/auth/mfa/reset/¶
Emergency MFA reset. Only allowed from loopback addresses (127.0.0.1, ::1, localhost).
Authentication: Bearer token required.
Response (200):
Error (403): "MFA reset only allowed from localhost."