Authentication

Whatsapp Login

post

Authenticate users with WhatsApp.

Authorizations
- X-Tenant-ID: string, required

Body

WhatsApp authentication request.

- whatsapp_id: string, required
- profile_name: string or null, optional

Responses
- 200: Successful Response, application/json

Login Response model.

POST /auth/whatsapp/login

Whatsapp Register

post

Register new users with WhatsApp.

Authorizations
- X-Tenant-ID: string, required

Body

WhatsApp register request.

- whatsapp_id: string, required
- email: string, required
- profile_name: string or null, optional

Responses
- 200: Successful Response, application/json

Phone and email verification response model.

Attributes:
- challenge_id: Unique identifier for the verification challenge
- expires_at: Timestamp when the verification code expires
- user_detail: User details including username and display name
- cooldown: Cooldown period in seconds before next resend is allowed

Fields:
- challenge_id: string, required. Unique challenge ID for verification
- expires_at: string (date-time), required. When the verification code expires
- cooldown: integer, required. Cooldown period in seconds

POST /auth/whatsapp/register

Whatsapp Login V2

post

Authenticate users with WhatsApp.

Authorizations
- X-Tenant-ID: string, required

Body

WhatsApp authentication request.

- whatsapp_id: string, required
- profile_name: string or null, optional

Responses
- 200: Successful Response, application/json

Admin User model.

- id: string, required
- username: string, required
- auth_id: string or null, optional
- display_name: string or null, optional
- bosa_secret: string or null, optional
- picture: string or null, optional
- email: string or null, optional
- phone_number: string or null, optional
- is_verified: boolean, optional, default: false
- use_memory: boolean, optional, default: false
- use_personalization: boolean, optional, default: false
- is_active: boolean, optional, default: true
- user_domain: any of (type not shown) or null, optional
- account_type: string (enum) or null, optional. Account type. Possible values:

POST /auth/whatsapp/v2/login

Initiate Mobile OAuth Login

get

Initiates the mobile OAuth authentication flow by redirecting to StackAuth.

**Security Requirements:**
- Requires valid mobile API key in X-API-Key header
- Rate limited to prevent abuse

**Flow:**
1. Validates API key and parameters
2. Generates secure state parameter with CSRF protection
3. Constructs StackAuth OAuth URL
4. Redirects user to StackAuth for authentication

**After OAuth:**
User will be redirected to `/auth/mobile/callback` which handles token exchange
and redirects back to the mobile app with an exchange code.

Authorizations
- X-Tenant-ID: string, required

Query parameters
- provider: string, required. OAuth provider (google, apple, discord, etc.). Example: google
- redirect_uri: string, required. Mobile app deep link URI for final redirect. Example: myapp://auth-callback

Responses
- 200: Successful Response, application/json. Other properties: string, optional

GET /auth/mobile/login

Handle OAuth Callback

get

Handles the OAuth callback from StackAuth and redirects to mobile app.

**Flow:**
1. Receives authorization code and state from StackAuth
2. Validates state parameter for CSRF protection
3. Exchanges authorization code for access token
4. Stores tokens temporarily in Redis with exchange code
5. Returns HTML page that redirects to mobile app with exchange code

**Security:**
- State parameter validation prevents CSRF attacks
- Exchange codes expire in 60 seconds
- One-time use codes prevent replay attacks

**Note:** This endpoint does not require API key as it's called by StackAuth.

Query parameters
- code: string or null, optional. OAuth authorization code from StackAuth
- state: string or null, optional. CSRF state parameter
- error: string or null, optional. OAuth error if authentication failed

Responses
- 200: HTML page with mobile app redirect, text/html (string, optional)

GET /auth/mobile/callback

Exchange Code for Tokens

post

Exchanges the exchange code for final authentication tokens and user data.

**Security Requirements:**
- Requires valid mobile API key in X-API-Key header
- Rate limited to prevent abuse
- Exchange codes are one-time use and expire in 60 seconds

**Flow:**
1. Validates API key and exchange code
2. Retrieves stored authentication data from Redis
3. Processes post-login flow (user creation, role assignment)
4. Returns complete authentication response

**Response includes:**
- StackAuth access and refresh tokens
- Complete user profile with roles and permissions
- Tenant information

Authorizations
- X-Tenant-ID: string, required

Body

Mobile token exchange request model.

- exchange_code: string (min: 1, max: 64), required. Exchange code received from OAuth callback

Responses
- 200: Complete authentication response, application/json

Mobile authentication response model.

- access_token: string, required. StackAuth access token for API calls
- refresh_token: string, required. StackAuth refresh token for token renewal
- expires_in: integer, required. Token expiration time in seconds
- token_type: string, optional, default: Bearer. Token type (always Bereaer for StackAuth)

POST /auth/mobile/exchange
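The three mobile endpoints above (login, callback, exchange) form one flow. The sketch below is an added example, not the project's own code, of the server-side pieces their docstrings describe: a state parameter bound to the login attempt and checked once on callback, StackAuth tokens parked behind an exchange code, and the one-time-use plus 60-second expiry rules of the exchange step. It assumes in-memory dicts in place of the Redis store, a placeholder for the StackAuth token exchange, and a 10-minute state lifetime that the page does not specify.

```python
import secrets
import time
from typing import Optional

EXCHANGE_TTL = 60   # exchange codes expire in 60 seconds (stated on the page)
STATE_TTL = 600     # assumption: the page gives no lifetime for the state

# Assumption: dicts stand in for the Redis store the endpoints use.
# Each entry is (payload, expires_at) with expires_at in epoch seconds.
_states: dict = {}
_exchange_codes: dict = {}


def _stackauth_token_exchange(code: str) -> dict:
    """Placeholder for the real authorization-code exchange with StackAuth."""
    return {"access_token": f"at-{code}", "refresh_token": f"rt-{code}",
            "expires_in": 3600, "token_type": "Bearer"}


def issue_state(provider: str, redirect_uri: str, now: Optional[float] = None) -> str:
    """/auth/mobile/login step 2: an unguessable state tied to this login attempt."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    _states[state] = ({"provider": provider, "redirect_uri": redirect_uri}, now + STATE_TTL)
    return state


def handle_callback(code: str, state: str, now: Optional[float] = None):
    """/auth/mobile/callback: reject unknown, replayed or stale state, then swap
    the authorization code for tokens and park them behind an exchange code."""
    now = time.time() if now is None else now
    entry = _states.pop(state, None)           # pop: a replayed state fails
    if entry is None or entry[1] < now:
        return None
    ctx = entry[0]
    tokens = _stackauth_token_exchange(code)
    exchange_code = secrets.token_urlsafe(32)  # 43 chars, inside the 1..64 limit
    _exchange_codes[exchange_code] = (tokens, now + EXCHANGE_TTL)
    return exchange_code, ctx["redirect_uri"]  # deep link the HTML page redirects to


def exchange_code_for_tokens(exchange_code: str, now: Optional[float] = None):
    """/auth/mobile/exchange: one-time use and 60 s expiry, enforced by pop + TTL."""
    now = time.time() if now is None else now
    entry = _exchange_codes.pop(exchange_code, None)
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```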

Get Me

get

Get current authenticated user

Authorizations
- OAuth2 (password flow), required
Token URL:
- cookie __Secure-next-auth.session-token: string or null, optional

Responses
- 200: Successful Response, application/json

Current authenticated user model.

- id: string or null, optional
- username: string or null, optional
- email: string or null, optional
- display_name: string or null, optional
- roles: string[], optional
- permissions: string[], optional
- provider: string or null, optional. Authentication provider type
- picture: string or null, optional
- phone_number: string or null, optional
- is_verified: boolean, optional, default: false
- selected_tenant: any of (type not shown) or null, optional
- is_guest: boolean, optional, default: false
- is_sdk: boolean, optional, default: false
- is_whatsapp: boolean, optional, default: false

GET /auth/me

Direct API login

post

Direct API login.

Body

Direct API authentication request.

- username: string, required
- password: string, required

Responses
- 200: Successful Response, application/json

Token model.

- access_token: string, required
- token_type: string, optional, default: bearer. Token type

POST /auth/direct-api-login

Post auth login

post

Mandatory post-auth login endpoint to complete user registration in backend database.

This endpoint MUST be called after completing the OAuth/credential login flow with StackAuth to properly
store basic user data in the backend database and establish the link between StackAuth and
the backend user systems. This creates the necessary mapping for the application to function.

OAuth Flow Sequence:
    1. Frontend initiates OAuth flow: {stackauth_url}/api/v1/auth/oauth/authorize/{provider}
    2. User completes OAuth authentication with the provider (Google, GitHub, etc.)
    3. StackAuth processes the OAuth callback and creates/updates user in StackAuth DB
    4. **THIS ENDPOINT** must be called to:
       - Store basic user data in the backend database
       - Create the mapping between StackAuth user ID and backend user ID
       - Return the user profile for the frontend session

Credential Flow Sequence:
    1. Frontend initiates credential login flow: {stackauth_url}/api/v1/auth/password/sign-in
    2. StackAuth processes the credential login
    3. **THIS ENDPOINT** must be called to:
       - Fetch the user data from database based on the StackAuth user ID
       - Return the user profile for the frontend session

Why This Is Mandatory:
    - StackAuth DB and Backend DB are separate systems
    - Backend needs to store the StackAuth ID link for user identification
    - RBAC (roles/permissions) remain in StackAuth and are checked there
    - Required for proper user session management in the application

Authorizations
- OAuth2 (password flow), required
Token URL:

Path parameters
- type: string (enum), required. Post auth login type. Possible values:

Responses
- 200: Successful Response, application/json

Current authenticated user model.

- id: string or null, optional
- username: string or null, optional
- email: string or null, optional
- display_name: string or null, optional
- roles: string[], optional
- permissions: string[], optional
- provider: string or null, optional. Authentication provider type
- picture: string or null, optional
- phone_number: string or null, optional
- is_verified: boolean, optional, default: false
- selected_tenant: any of (type not shown) or null, optional
- is_guest: boolean, optional, default: false
- is_sdk: boolean, optional, default: false
- is_whatsapp: boolean, optional, default: false

POST /auth/{type}/post-login

Initialize Stack Auth

get

Initialize Stack Auth

Authorizations
- OAuth2 (password flow), required
Token URL:
- cookie __Secure-next-auth.session-token: string or null, optional

Responses
- 200: Successful Response, application/json. Other properties: boolean or integer, optional

GET /auth/initialize

Logout user

post

Logout user

Authorizations
- OAuth2 (password flow), required
Token URL:

Responses
- 200: Successfully logged out, application/json. Other properties: string, optional

POST /auth/logout

Resolve username

post

Resolve username

Authorizations
- OAuth2 (password flow), required
Token URL:
- cookie __Secure-next-auth.session-token: string or null, optional

Body

Resolve username request.

- identifier: string, required

Responses
- 200: Successful Response, application/json. Other properties: string, optional

POST /auth/resolve-username
