Authentication
API Reference
No authentication required.

Check whether the CMS has been set up. Returns `{ "needsSetup": true }` when no users exist.

// Response
{ "needsSetup": false }

No authentication required. Only succeeds when zero users exist.

Create the initial admin account. Blocked once any user exists (returns 403).

| Field | Type | Description |
|---|---|---|
| name | string | Display name |
| email | string | Email address |
| password | string | Minimum 8 characters |

// Response 201
{ "token": "eyJ...", "refreshToken": "eyJ...", "user": { "id": "...", "name": "...", "email": "...", "role": "admin" } }

No authentication required.

Authenticate with email and password. Returns access and refresh tokens.

| Field | Type | Description |
|---|---|---|
| email | string | User email |
| password | string | User password |

// Response 200
{ "token": "eyJ...", "refreshToken": "eyJ...", "user": { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin" } }

// Error 401
{ "error": "Invalid credentials" }

Requires Bearer token.

Return the authenticated user's profile.

// Response 200
{ "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }

No authentication required. Safe to call without a token.

Blacklists the provided refresh token. The in-memory blacklist is cleared on server restart.

| Field | Type | Description |
|---|---|---|
| refreshToken | string | The refresh token to revoke (optional) |

// Response 200
{ "ok": true }

No authentication required. Provide a valid refresh token.

Exchange a refresh token for a new access token.

| Field | Type | Description |
|---|---|---|
| refreshToken | string | A valid, non-revoked refresh token |

// Response 200
{ "token": "eyJ..." }

// Error 401
{ "error": "Invalid or expired refresh token" }