Auth Flows
Email + Password
POST /auth/sign_up → User + Profile created
→ JWT access_token (15 min) + refresh_token (30 days)
POST /auth/sign_in → bcrypt password check
→ JWT access_token + refresh_token
POST /auth/refresh → refresh_token → new token pair
Google OAuth (implemented)
Mobile app
│
├─ 1. Google Sign-In SDK → id_token
│
└─ 2. POST /api/v1/auth/oauth/google { id_token }
│
├─ Request to Google tokeninfo for verification
├─ Extract: sub, email, given_name, family_name
│
├─ Look up OAuthIdentity (provider=google, uid=sub)
│ ├─ Found → sign in
│ └─ Not found:
│ ├─ User with that email exists → link
│ └─ No → create User + Profile
│
└─ Issue JWT access_token + refresh_token
201 Created — new user
200 OK — existing user
JWT Structure
Access token payload:
{
"user_id": "uuid",
"type": "access",
"exp": 1234567890
}
Refresh token payload:
{
"user_id": "uuid",
"type": "refresh",
"exp": 1234567890
}
Algorithm: HS256, key from SECRET_KEY_BASE.
Planned
| Method | Status |
|---|---|
| Phone + OTP | Planned |
| Apple Sign-In | Planned |
| Facebook Login | Planned |
| Password Reset | Planned |
| Email Verification | Planned |
Token Errors
| Situation | HTTP | Message |
|---|---|---|
| Token expired | 401 | Token expired |
| Token invalid | 401 | Invalid token |
| Header missing | 401 | Invalid token |