
Session Management

POST /api/auth/logout

Invalidates the current session token.
curl -X POST https://auth.panguard.ai/api/auth/logout \
  -H "Authorization: Bearer YOUR_TOKEN"
{
  "ok": true,
  "data": {
    "message": "Logged out successfully"
  }
}

GET /api/auth/me

Returns the authenticated user’s profile, subscription tier, and account details.
curl -X GET https://auth.panguard.ai/api/auth/me \
  -H "Authorization: Bearer YOUR_TOKEN"
{
  "ok": true,
  "data": {
    "id": "usr_a1b2c3d4e5f6",
    "email": "user@example.com",
    "name": "Alice Chen",
    "tier": "pro",
    "totpEnabled": true,
    "machineLimit": 10,
    "trialEndsAt": null,
    "createdAt": "2026-01-15T08:30:00.000Z",
    "updatedAt": "2026-03-01T14:22:00.000Z"
  }
}

Password Reset

POST /api/auth/forgot-password

Sends a password reset email to the specified address. Always returns 200 with the same response body whether or not an account exists for that address, so the endpoint cannot be used to enumerate accounts.
email (string, required): The email address associated with the account.
curl -X POST https://auth.panguard.ai/api/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{ "email": "user@example.com" }'
{
  "ok": true,
  "data": {
    "message": "If an account with that email exists, a reset link has been sent."
  }
}

POST /api/auth/reset-password

Resets the password using a token from the reset email.
token (string, required): The password reset token from the email link.
newPassword (string, required): The new password. Must be 8 to 128 characters.
curl -X POST https://auth.panguard.ai/api/auth/reset-password \
  -H "Content-Type: application/json" \
  -d '{
    "token": "rst_x9y8z7w6v5u4",
    "newPassword": "newSecureP@ss"
  }'
{
  "ok": true,
  "data": {
    "message": "Password reset successfully"
  }
}
Password reset tokens expire after 1 hour. All existing sessions are invalidated when a password is reset.
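The following is an added example, not Panguard's code, that models the guarantees documented for these two endpoints: the forgot-password step returns one fixed body whether or not the account exists, reset tokens are stored only as a hash, expire after one hour and are consumed on first use, the new password is length-checked (8 to 128 characters), and every session for the account is dropped when the password changes. The in-memory store, the scrypt parameters, the rst_ token prefix and the error-body shape are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Values taken from the documented behaviour: reset tokens live for 1 hour and
# the new password must be 8 to 128 characters long.
RESET_TOKEN_TTL_SECONDS = 3600
PASSWORD_MIN, PASSWORD_MAX = 8, 128
GENERIC_RESET_MESSAGE = "If an account with that email exists, a reset link has been sent."


def hash_password(password: str, salt: bytes) -> bytes:
    """scrypt with parameters that fit the default memory limit (assumed KDF, not Panguard's)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, maxmem=2 ** 26)


class AuthStore:
    """In-memory stand-in for the user, session and reset-token tables (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be tested without waiting an hour
        self.users = {}           # email -> {"salt": bytes, "password_hash": bytes}
        self.sessions = {}        # bearer token -> email
        self.reset_tokens = {}    # sha256(raw token) -> {"email": str, "expires": float}
        self.outbox = []          # (email, raw token) pairs a mailer would deliver

    def create_user(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "password_hash": hash_password(password, salt)}

    def login(self, email: str, password: str):
        """Returns a bearer token on success, None otherwise."""
        user = self.users.get(email)
        if user is None:
            return None
        if not hmac.compare_digest(user["password_hash"], hash_password(password, user["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email
        return token

    def forgot_password(self, email: str) -> dict:
        """POST /api/auth/forgot-password: identical 200 body whether or not the account exists."""
        if email in self.users:
            raw = "rst_" + secrets.token_urlsafe(24)
            # Only a hash is stored, so a database read does not yield usable reset links.
            digest = hashlib.sha256(raw.encode()).hexdigest()
            self.reset_tokens[digest] = {"email": email, "expires": self.clock() + RESET_TOKEN_TTL_SECONDS}
            self.outbox.append((email, raw))
        return {"ok": True, "data": {"message": GENERIC_RESET_MESSAGE}}

    def reset_password(self, token: str, new_password: str) -> dict:
        """POST /api/auth/reset-password: validate, consume the token, rotate the password, drop sessions."""
        if not PASSWORD_MIN <= len(new_password) <= PASSWORD_MAX:
            return {"ok": False, "error": f"newPassword must be {PASSWORD_MIN} to {PASSWORD_MAX} characters"}
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self.reset_tokens.pop(digest, None)   # pop: a token is consumed on first use, valid or not
        if record is None or record["expires"] < self.clock():
            return {"ok": False, "error": "invalid or expired token"}
        email = record["email"]
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "password_hash": hash_password(new_password, salt)}
        # Every session that belonged to this account is invalidated, as the docs state.
        self.sessions = {t: e for t, e in self.sessions.items() if e != email}
        return {"ok": True, "data": {"message": "Password reset successfully"}}
```

One caveat the fixed response body does not cover: when the account exists, the server does extra work (token generation, mail dispatch), so a real implementation should hand the email off to a queue rather than send it inline, or the response time itself becomes the enumeration oracle.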

TOTP Two-Factor Authentication

POST /api/auth/totp/setup

Generates a TOTP secret and QR code URI for setting up an authenticator app.
curl -X POST https://auth.panguard.ai/api/auth/totp/setup \
  -H "Authorization: Bearer YOUR_TOKEN"
{
  "ok": true,
  "data": {
    "secret": "JBSWY3DPEHPK3PXP",
    "otpauthUrl": "otpauth://totp/Panguard:user@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Panguard",
    "backupCodes": [
      "a1b2c3d4e5",
      "f6g7h8i9j0",
      "k1l2m3n4o5",
      "p6q7r8s9t0",
      "u1v2w3x4y5"
    ]
  }
}
Store the backupCodes in a secure location: they are returned only in this response and cannot be retrieved later. Each backup code is single-use and can be entered in place of a TOTP code during login.

POST /api/auth/totp/verify

Verifies a TOTP code to complete 2FA setup. Must be called after /totp/setup to activate 2FA.
totpCode (string, required): Six-digit code from the authenticator app to confirm setup.
curl -X POST https://auth.panguard.ai/api/auth/totp/verify \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "totpCode": "482917" }'
{
  "ok": true,
  "data": {
    "message": "Two-factor authentication enabled successfully"
  }
}

POST /api/auth/totp/disable

Disables TOTP two-factor authentication. Requires the current account password, so a bearer token alone is not enough to turn 2FA off.
password (string, required): Current account password for confirmation.
curl -X POST https://auth.panguard.ai/api/auth/totp/disable \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "password": "secureP@ssw0rd" }'
{
  "ok": true,
  "data": {
    "message": "Two-factor authentication disabled"
  }
}
Disabling 2FA invalidates all existing backup codes. If you re-enable 2FA later, a new set of backup codes will be generated.
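The block below is an added example covering the whole setup, verify and disable sequence above; it is not Panguard's code. The code generation is standard RFC 4226/6238 HOTP/TOTP (HMAC-SHA1, 30-second steps, six digits) and the otpauth URL matches the shape the setup response shows. The server-side state (secret, last accepted time step, hashed backup codes) and the one-step verification window are assumptions for the illustration; the replay guard, the single-use backup codes and the wipe on disable implement what the text describes.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # six-digit codes, as the docs require


def b32_decode(secret: str) -> bytes:
    """Decode a base32 secret, restoring any padding that was stripped for display."""
    return base64.b32decode(secret + "=" * (-len(secret) % 8), casefold=True)


def hotp(secret: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation, zero-padded."""
    mac = hmac.new(b32_decode(secret), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: str, at: float, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at // STEP_SECONDS), digits)


def otpauth_url(secret: str, account: str, issuer: str = "Panguard") -> str:
    """Key URI in the form the setup response shows ('@' in the label left unencoded to match it)."""
    return (f"otpauth://totp/{quote(issuer)}:{quote(account, safe='@')}"
            f"?secret={secret}&issuer={quote(issuer)}")


class TotpEnrollment:
    """Assumed server-side state behind /totp/setup, /totp/verify and /totp/disable (not Panguard's code)."""

    def __init__(self, account: str, clock=time.time):
        self.clock = clock
        self.secret = base64.b32encode(secrets.token_bytes(20)).decode()   # 160-bit secret per RFC 4226
        self.enabled = False
        self.last_counter = -1        # highest time step already accepted; blocks replay inside the window
        raw_backup_codes = [secrets.token_hex(5) for _ in range(5)]        # 10 hex chars each, like the docs
        self.backup_code_hashes = {hashlib.sha256(c.encode()).hexdigest() for c in raw_backup_codes}
        # The plaintext codes exist only in this response; afterwards only their hashes are kept.
        self.setup_response = {"secret": self.secret,
                               "otpauthUrl": otpauth_url(self.secret, account),
                               "backupCodes": raw_backup_codes}

    def verify(self, code: str, window: int = 1) -> bool:
        """Accept a code from the current step or its neighbours, each step at most once."""
        if not (code.isascii() and code.isdigit() and len(code) == DIGITS):
            return False
        current = int(self.clock() // STEP_SECONDS)
        for counter in range(current - window, current + window + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def confirm_setup(self, code: str) -> bool:
        """/totp/verify: 2FA becomes active only once the user proves the app holds the secret."""
        ok = self.verify(code)
        if ok:
            self.enabled = True
        return ok

    def use_backup_code(self, code: str) -> bool:
        """Consume a backup code in place of a TOTP code; each one works exactly once."""
        digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
        if self.enabled and digest in self.backup_code_hashes:
            self.backup_code_hashes.remove(digest)
            return True
        return False

    def disable(self) -> None:
        """/totp/disable: turn 2FA off and discard every remaining backup code."""
        self.enabled = False
        self.backup_code_hashes.clear()
```

The last_counter check is the detail most often missed: with a one-step window a six-digit code stays valid for up to 90 seconds, so a code that was phished or shoulder-surfed can be replayed unless the server remembers the time step it already accepted. The hotp and totp functions can be checked against the RFC 6238 test vectors (secret "12345678901234567890", base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ, which yields 94287082 at T=59).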