NamoID Docs

Auth API

Most apps integrate NamoID over OIDC and never call these endpoints directly — the hosted login owns sign-in. These endpoints are for first-party session bridging, account security, and profile management around that hosted flow.

All paths are under https://api.namoid.in/v1/auth. Mutating endpoints are rate limited (Redis-backed, fail-closed for OTP sends).

Email verification

MethodPathPurpose
POST/verify-emailSend a verification code to the authenticated caller
POST/resend-verificationResend the authenticated caller's verification code

Sessions

MethodPathPurpose
POST/oidc-sessionMint a first-party console session from a trusted root OIDC login
POST/refreshExchange a refresh token (rotates it)
POST/logoutRevoke the current session
GET/meThe currently logged-in user
GET/sessionsList the user's active sessions
DELETE/sessions/{session_id}Revoke one session
DELETE/sessions/allRevoke all sessions

Passwords

MethodPathPurpose
POST/password-changeChange password (authenticated)
POST/password-setSet an initial password
POST/password-resetSend a password reset link
POST/password-reset/confirmConfirm a password reset token

Phone verification

MethodPathPurpose
POST/phone/send-otpSend a verification code for the caller's own phone
POST/phone/verifyVerify the caller's phone code

Multi-factor authentication

MethodPathPurpose
POST/mfa/setup/totpBegin TOTP enrollment (returns a secret/QR)
POST/mfa/verifyVerify a TOTP/MFA challenge
GET/mfa/statusCurrent MFA enrollment state
POST/mfa/disableDisable MFA
POST/mfa/backup-codes/generate(Re)generate single-use backup codes
POST/mfa/security-questionsSet security questions

See Multi-factor authentication for the model.

Publishable config & token validation

Two endpoints are commonly used with API keys rather than a user session:

  • GET /v1/auth/config — browser-safe environment auth configuration, authenticated with an auth publishable key (X-API-Key) from an allowed origin. This is what @namoidhq/js calls under the hood.
  • POST /v1/auth/tokens/validate — validate a NamoID access token from your backend, authenticated with an auth secret key.

Tip: Use hosted login/OIDC for sign-in. Do not build against removed direct login endpoints such as /register, /login, /email-otp/*, or anonymous /otp/*; those flows now live behind hosted login and the console RTA flow. Password reset remains available as account recovery.