Auth API
Most apps integrate NamoID over OIDC and never call these endpoints directly — the hosted login owns sign-in. These endpoints are for first-party session bridging, account security, and profile management around that hosted flow.
All paths are under https://api.namoid.in/v1/auth. Mutating endpoints are rate
limited (Redis-backed, fail-closed for OTP sends).
Email verification
| Method | Path | Purpose |
|---|---|---|
| POST | /verify-email | Send a verification code to the authenticated caller |
| POST | /resend-verification | Resend the authenticated caller's verification code |
Sessions
| Method | Path | Purpose |
|---|---|---|
| POST | /oidc-session | Mint a first-party console session from a trusted root OIDC login |
| POST | /refresh | Exchange a refresh token (rotates it) |
| POST | /logout | Revoke the current session |
| GET | /me | The currently logged-in user |
| GET | /sessions | List the user's active sessions |
| DELETE | /sessions/{session_id} | Revoke one session |
| DELETE | /sessions/all | Revoke all sessions |
Passwords
| Method | Path | Purpose |
|---|---|---|
| POST | /password-change | Change password (authenticated) |
| POST | /password-set | Set an initial password |
| POST | /password-reset | Send a password reset link |
| POST | /password-reset/confirm | Confirm a password reset token |
Phone verification
| Method | Path | Purpose |
|---|---|---|
| POST | /phone/send-otp | Send a verification code for the caller's own phone |
| POST | /phone/verify | Verify the caller's phone code |
Multi-factor authentication
| Method | Path | Purpose |
|---|---|---|
| POST | /mfa/setup/totp | Begin TOTP enrollment (returns a secret/QR) |
| POST | /mfa/verify | Verify a TOTP/MFA challenge |
| GET | /mfa/status | Current MFA enrollment state |
| POST | /mfa/disable | Disable MFA |
| POST | /mfa/backup-codes/generate | (Re)generate single-use backup codes |
| POST | /mfa/security-questions | Set security questions |
See Multi-factor authentication for the model.
Publishable config & token validation
Two endpoints are commonly used with API keys rather than a user session:
GET /v1/auth/config— browser-safe environment auth configuration, authenticated with an auth publishable key (X-API-Key) from an allowed origin. This is what@namoidhq/jscalls under the hood.POST /v1/auth/tokens/validate— validate a NamoID access token from your backend, authenticated with an auth secret key.
Tip: Use hosted login/OIDC for sign-in. Do not build against removed direct login endpoints such as
/register,/login,/email-otp/*, or anonymous/otp/*; those flows now live behind hosted login and the console RTA flow. Password reset remains available as account recovery.