# Insomnia v5 collection export covering the AuthFlow consumer /auth and /auth/2fa routes.
# Each request's meta.description carries the response-shape contract the server is expected
# to honour; afterResponse scripts chain returned tokens/ids into the environment so later
# requests can reference them through {{ _.* }} template tags.
type: collection.insomnia.rest/5.0
schema_version: "5.1"
name: AuthFlow Consumer Auth Routes Collection (2026-04-02)
meta:
  id: wrk_authflow_auth_consumers_20260402
  created: 1775097601000
  modified: 1775097601000
  description: Consumer-facing collection for all /auth and /auth/2fa routes, including response-shape contracts.
# Folders and requests are ordered in the Insomnia UI by sortKey (most negative first).
collection:
  - name: Session Endpoints (/auth)
    meta:
      id: fld_consumer_auth_session
      created: 1775097601000
      modified: 1775097601000
      sortKey: -1000
      description: Session and account lifecycle endpoints under /auth.
    children:
      # Step 1: exchanges identity + api_key for the "foobar" token consumed by requests 2, 3 and 5.
      # Credential note: api_key is sent as a GET query parameter here (and on the other GET routes
      # in this collection); query strings are commonly retained in server, proxy and client logs,
      # so this is a server-side contract to raise with the API owner — do not switch the method
      # in this collection without a matching server change.
      # afterResponse: the comparison is against the reason phrase ("OK"); insomnia.response.code
      # (numeric, used by request 6) is an alternative if the reason phrase is ever absent —
      # NOTE(review): confirm Insomnia's behaviour before changing. JSON.parse is unguarded, so a
      # 200 with a non-JSON body aborts the script.
      - url: "{{ _.base_url }}/auth/fooBar"
        name: 1) Get FooBar Token
        meta:
          id: req_consumer_auth_foobar
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { token: string }
            - 400: missing identity/api_key
            - 401: invalid api_key or token-signing failure
          sortKey: -1000
        method: GET
        parameters:
          - name: identity
            value: "{{ _.email }}"
          - name: api_key
            value: "{{ _.api_key }}"
          - name: role
            value: "{{ _.role }}"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.token) {
                insomnia.environment.set('foobar_token', data.token);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 2: creates the account. Per the contract the foobar token must match the
      # identity/org/role sent here (401 on mismatch), so the client-supplied role is
      # cross-checked server-side rather than trusted. An existing account comes back as
      # HTTP 200 with statusCode 409 in the body; the script only stores data.token, so that
      # case leaves session_token untouched. password travels in the query string (see the
      # logging caveat on request 1).
      - url: "{{ _.base_url }}/auth/signUp"
        name: 2) Sign Up User
        meta:
          id: req_consumer_auth_signup
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON (success): { token: string }
            - 200 JSON (existing account): { statusCode: 409, message: string }
            - 400: missing fields or password complexity failure
            - 401: foobar identity/org/role mismatch, invalid api_key, or token verification failure
          sortKey: -999
        method: GET
        # disclaimed is deliberately a quoted string, not a YAML boolean; it is sent as the text "true".
        parameters:
          - name: foobar
            value: "{{ _.foobar_token }}"
          - name: email
            value: "{{ _.email }}"
          - name: password
            value: "{{ _.password }}"
          - name: fullname
            value: "{{ _.fullname }}"
          - name: role
            value: "{{ _.role }}"
          - name: api_key
            value: "{{ _.api_key }}"
          - name: disclaimed
            value: "true"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.token) {
                insomnia.environment.set('session_token', data.token);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 5: first factor. Two 200 shapes: a normal session token, or a 2FA challenge whose
      # tempToken the script stores as temp_token for the challenge requests (13, 14). Whichever
      # of tempToken/token is present is stored; both are sensitive and persist in the
      # non-private environment at the bottom of this file. password is a query parameter
      # (logging caveat as on request 1).
      - url: "{{ _.base_url }}/auth/login"
        name: 5) Login User
        meta:
          id: req_consumer_auth_login
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON (normal): { token: string, email_verify: boolean }
            - 200 JSON (2FA challenge):
              { requires2FA: true, tempToken: string, email: string, org_id: string, role: string }
            - 400: missing fields
            - 401: invalid credentials/api_key/foobar mismatch
            - 404: user not found
          sortKey: -996
        method: GET
        parameters:
          - name: foobar
            value: "{{ _.foobar_token }}"
          - name: email
            value: "{{ _.email }}"
          - name: password
            value: "{{ _.password }}"
          - name: api_key
            value: "{{ _.api_key }}"
          - name: role
            value: "{{ _.role }}"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.tempToken) {
                insomnia.environment.set('temp_token', data.tempToken);
              }
              if (data.token) {
                insomnia.environment.set('session_token', data.token);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 6: server-side liveness check of session_token; sessionToken is a query parameter
      # (logging caveat as on request 1). The script only logs the numeric status code.
      - url: "{{ _.base_url }}/auth/validate"
        name: 6) Validate Session
        meta:
          id: req_consumer_auth_validate
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200: empty success response
            - 400: missing email/sessionToken
            - 401: invalid token, email mismatch, or user missing
          sortKey: -995
        method: GET
        parameters:
          - name: sessionToken
            value: "{{ _.session_token }}"
          - name: email
            value: "{{ _.email }}"
        scripts:
          afterResponse: |-
            console.log('Validate session status: ' + insomnia.response.code);
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 7: resolves the session to the account and copies org_id/role into the environment;
      # the /auth/2fa/* request bodies below read those two values.
      - url: "{{ _.base_url }}/auth/me"
        name: 7) Get Current User
        meta:
          id: req_consumer_auth_me
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { email, fullname, role, org_id, email_verify }
            - 400: missing sessionToken
            - 401: invalid/expired session
            - 404: user not found
          sortKey: -994
        method: GET
        parameters:
          - name: sessionToken
            value: "{{ _.session_token }}"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.org_id) {
                insomnia.environment.set('org_id', data.org_id);
              }
              if (data.role) {
                insomnia.environment.set('role', data.role);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 9: invalidates the session. The script blanks session_token only — temp_token,
      # totp_secret, otpauth_url and recovery_code stay in the environment until overwritten.
      - url: "{{ _.base_url }}/auth/logout"
        name: 9) Logout User
        meta:
          id: req_consumer_auth_logout
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { success: true }
            - 400: missing fields
            - 401: token mismatch/invalid token
          sortKey: -992
        method: GET
        parameters:
          - name: sessionToken
            value: "{{ _.session_token }}"
          - name: email
            value: "{{ _.email }}"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              insomnia.environment.set('session_token', '');
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

  # Reset (unauthenticated, token from e-mail) and change (authenticated, old password required).
  - name: Password Management Endpoints (/auth)
    meta:
      id: fld_consumer_auth_password
      created: 1775097601000
      modified: 1775097601000
      sortKey: -990
      description: Password reset and password change endpoints under /auth.
    children:
      # Step 5a: POST JSON. The generic 200 regardless of whether the account exists (see the
      # description's Notes) is the anti-enumeration behaviour to preserve server-side.
      - url: "{{ _.base_url }}/auth/forgot-password"
        name: 5a) Request Password Reset
        meta:
          id: req_consumer_auth_forgot_password
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { success: true, message: string }
            - 400: missing email/api_key
            - 500: server error
            Notes:
            - For privacy, successful response is generic even when account is not found.
          sortKey: -995.9
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "email": "{{ _.email }}",
              "api_key": "{{ _.api_key }}",
              "role": "{{ _.role }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              console.log('Auth forgot-password message: ' + data.message);
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 5b: completes the reset with the e-mailed token (auth_reset_password_token must be
      # pasted into the environment). On success the script promotes new_password to password
      # so subsequent login requests use the rotated credential.
      - url: "{{ _.base_url }}/auth/reset-password"
        name: 5b) Reset Password With Token
        meta:
          id: req_consumer_auth_reset_password
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { success: true }
            - 400: missing token/newPassword or password policy failure
            - 401 JSON: { message: string } invalid/expired token
            - 404: user not found
          sortKey: -995.8
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "token": "{{ _.auth_reset_password_token }}",
              "newPassword": "{{ _.new_password }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              insomnia.environment.set('password', insomnia.environment.get('new_password'));
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 8: authenticated rotation. Unlike 5a/5b this is a GET carrying oldPassword and
      # newPassword as query parameters (logging caveat as on request 1). The script promotes
      # new_password to password on success, as request 5b does.
      - url: "{{ _.base_url }}/auth/changePassword"
        name: 8) Change Password
        meta:
          id: req_consumer_auth_change_password
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200: empty success response
            - 400: missing fields or invalid new password format
            - 401: token/email mismatch or wrong old password
            - 404: user not found
            - 500: update/hash failure
          sortKey: -993
        method: GET
        parameters:
          - name: sessionToken
            value: "{{ _.session_token }}"
          - name: email
            value: "{{ _.email }}"
          - name: oldPassword
            value: "{{ _.password }}"
          - name: newPassword
            value: "{{ _.new_password }}"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              insomnia.environment.set('password', insomnia.environment.get('new_password'));
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

  - name: Email Verification Endpoints (/auth)
    meta:
      id: fld_consumer_auth_email_verification
      created: 1775097601000
      modified: 1775097601000
      sortKey: -980
      description: Email verification lifecycle endpoints under /auth.
    children:
      # Step 3: re-sends the verification mail; requires the foobar token plus api_key/role,
      # with 401 on mismatch per the contract. The script logs the message only when the
      # body's statusCode is 200.
      - url: "{{ _.base_url }}/auth/resend-verify-email"
        name: 3) Resend Verification Email
        meta:
          id: req_consumer_auth_resend_verify
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { statusCode: 200, message: string }
            - 400: missing required fields
            - 401: token/api_key mismatch
            - 404: user not found
            - 500: server error
          sortKey: -998
        method: GET
        parameters:
          - name: foobar
            value: "{{ _.foobar_token }}"
          - name: email
            value: "{{ _.email }}"
          - name: api_key
            value: "{{ _.api_key }}"
          - name: role
            value: "{{ _.role }}"
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.statusCode === 200) {
                console.log('Verification email flow acknowledged: ' + data.message);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 4: the link target from the verification e-mail; responds with HTML pages rather
      # than JSON, so the script only logs the status code. auth_verify_email_token must be
      # pasted into the environment manually.
      - url: "{{ _.base_url }}/auth/verify-email"
        name: 4) Verify Email (from link)
        meta:
          id: req_consumer_auth_verify_email
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 text/html: verification success page
            - 400 text/html: missing token page
            - 401 text/html: invalid/expired token page
            - 404 text/html: org/user not found page
          sortKey: -997
        method: GET
        parameters:
          - name: token
            value: "{{ _.auth_verify_email_token }}"
        scripts:
          afterResponse: |-
            console.log('Verify email status: ' + insomnia.response.code);
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

  # Enrolment/management (10-12, 16) is session_token-bound; challenge completion (13-15, 17)
  # follows a login (request 5) that returned requires2FA and a tempToken.
  - name: Two-Factor Endpoints (/auth/2fa)
    meta:
      id: fld_consumer_auth_2fa
      created: 1775097601000
      modified: 1775097601000
      sortKey: -900
      description: Challenge and enrollment routes under /auth/2fa.
    children:
      # Step 10: returns the TOTP seed (secret, otpauth_url), which the script persists to the
      # environment. That environment is isPrivate: false and is part of this export, so an
      # export taken from a real account contains a working second-factor seed — treat the
      # exported file like a credential.
      - url: "{{ _.base_url }}/auth/2fa/enable"
        name: 10) Enable 2FA (Generate Secret + QR)
        meta:
          id: req_consumer_2fa_enable
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { secret, qrCode, otpauth_url }
            - 400: missing fields
            - 401: invalid/expired session
            - 500: server error
          sortKey: -900
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "sessionToken": "{{ _.session_token }}",
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.secret) insomnia.environment.set('totp_secret', data.secret);
              if (data.otpauth_url) insomnia.environment.set('otpauth_url', data.otpauth_url);
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 11: confirms enrolment with a live totpCode and returns recoveryCodes; the script
      # keeps only the first code as recovery_code. NOTE(review): the body echoes the seed back
      # as "secret" — confirm the server validates it against the secret it issued for this
      # session rather than treating the client-supplied value as authoritative.
      - url: "{{ _.base_url }}/auth/2fa/verify-setup"
        name: 11) Verify 2FA Setup
        meta:
          id: req_consumer_2fa_verify_setup
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { success: true, recoveryCodes: string[] }
            - 400 JSON: { error: string } for missing fields or invalid TOTP code
            - 401 JSON: { error: string } invalid session
            - 500: server error
          sortKey: -899
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "sessionToken": "{{ _.session_token }}",
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}",
              "totpCode": "{{ _.totp_code }}",
              "secret": "{{ _.totp_secret }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.recoveryCodes && data.recoveryCodes.length) {
                insomnia.environment.set('recovery_code', data.recoveryCodes[0]);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 12: step-up — the current password is required alongside the session to turn 2FA
      # off. The script clears totp_secret/otpauth_url but leaves recovery_code in the environment.
      - url: "{{ _.base_url }}/auth/2fa/disable"
        name: 12) Disable 2FA
        meta:
          id: req_consumer_2fa_disable
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { success: true }
            - 400/401 JSON: { error: string }
            - 404: user not found
            - 500: server error
          sortKey: -898
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "sessionToken": "{{ _.session_token }}",
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}",
              "password": "{{ _.password }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              insomnia.environment.set('totp_secret', '');
              insomnia.environment.set('otpauth_url', '');
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 13: completes the login challenge; bound to the tempToken issued by request 5 and
      # exchanges a valid totpCode for a full session token, which the script stores.
      - url: "{{ _.base_url }}/auth/2fa/verify-2fa"
        name: 13) Verify TOTP Challenge
        meta:
          id: req_consumer_2fa_verify_2fa
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { token: string }
            - 400/401 JSON: { error: string }
            - 404: user not found
            - 500: server error
          sortKey: -897
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "tempToken": "{{ _.temp_token }}",
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}",
              "totpCode": "{{ _.totp_code }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.token) insomnia.environment.set('session_token', data.token);
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 14: requests an e-mailed OTP as the second-factor fallback; bound to the tempToken.
      # The code arrives out of band and must be pasted into email_otp for request 15.
      - url: "{{ _.base_url }}/auth/2fa/backup/email"
        name: 14) Send Email OTP Backup
        meta:
          id: req_consumer_2fa_backup_email
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { success: true, message: string }
            - 400/401 JSON: { error: string }
            - 404: user not found
            - 500: server error
          sortKey: -896
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "tempToken": "{{ _.temp_token }}",
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}"
            }
        scripts:
          afterResponse: |-
            console.log('Backup email OTP status: ' + insomnia.response.code);
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 15: exchanges the e-mailed OTP for a session token. Unlike 13/14 the body carries
      # no tempToken, only email/org_id/role plus the code. NOTE(review): confirm server-side
      # that the code is honoured only for a challenge opened by request 14 (i.e. after the
      # first factor) and that failed attempts are limited — the contract lists no 429/lockout
      # response.
      - url: "{{ _.base_url }}/auth/2fa/verify-email-otp"
        name: 15) Verify Email OTP Backup
        meta:
          id: req_consumer_2fa_verify_email_otp
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { token: string }
            - 400 JSON: { error: "Missing required fields" | "Invalid code" | "Code expired" }
            - 404: user not found
            - 500: server error
          sortKey: -895
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}",
              "emailOTP": "{{ _.email_otp }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.token) insomnia.environment.set('session_token', data.token);
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 16: regenerates recovery codes; step-up via password, as on request 12. The script
      # overwrites recovery_code with the first new code (whether earlier codes are invalidated
      # is not visible from this contract — confirm with the server).
      - url: "{{ _.base_url }}/auth/2fa/recovery-codes"
        name: 16) Regenerate Recovery Codes
        meta:
          id: req_consumer_2fa_recovery_codes
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { recoveryCodes: string[] }
            - 400/401 JSON: { error: string }
            - 404: user not found
            - 500: server error
          sortKey: -894
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "sessionToken": "{{ _.session_token }}",
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}",
              "password": "{{ _.password }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.recoveryCodes && data.recoveryCodes.length) {
                insomnia.environment.set('recovery_code', data.recoveryCodes[0]);
              }
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

      # Step 17: consumes one recovery code for a session token; remainingCodes reports what is
      # left. As with request 15 the body has no tempToken — the same server-side confirmation
      # (challenge binding and attempt limiting) applies.
      - url: "{{ _.base_url }}/auth/2fa/verify-recovery"
        name: 17) Verify Recovery Code
        meta:
          id: req_consumer_2fa_verify_recovery
          created: 1775097601000
          modified: 1775097601000
          isPrivate: false
          description: |
            Response Contract:
            - 200 JSON: { token: string, remainingCodes: number }
            - 400 JSON: { error: "Missing required fields" | "Invalid recovery code" }
            - 404: user not found
            - 500: server error
          sortKey: -893
        method: POST
        headers:
          - name: Content-Type
            value: application/json
        body:
          mimeType: application/json
          text: |-
            {
              "email": "{{ _.email }}",
              "org_id": "{{ _.org_id }}",
              "role": "{{ _.role }}",
              "recoveryCode": "{{ _.recovery_code }}"
            }
        scripts:
          afterResponse: |-
            if (insomnia.response.status === "OK") {
              var data = JSON.parse(insomnia.response.body);
              if (data.token) insomnia.environment.set('session_token', data.token);
            }
        settings:
          renderRequestBody: true
          encodeUrl: true
          followRedirects: global
          cookies:
            send: true
            store: true
          rebuildPath: true

# Every request has cookies.send/store enabled, so any Set-Cookie the server returns is kept in
# this jar and travels with the export.
cookieJar:
  name: Default Jar
  meta:
    id: jar_authflow_auth_consumers_20260402
    created: 1775097601000
    modified: 1775097601000
# Placeholder values only. isPrivate: false means this environment is exported together with the
# collection, and the afterResponse scripts write live session/temp tokens, the TOTP seed and a
# recovery code into it. Keep real api_key/password/token values in a private environment rather
# than committing them here. totp_code/email_otp are quoted so the all-digit values stay strings.
environments:
  name: AuthFlow Consumer /auth Environment
  meta:
    id: env_authflow_auth_consumers_20260402
    created: 1775097601000
    modified: 1775097601000
    isPrivate: false
  data:
    base_url: https://api.authflow.net
    api_key: af_your_api_key
    org_id: your-org-id
    role: detective
    email: user@app.yourcompany.com
    fullname: User Example
    password: TestPass123!
    new_password: NewPass123!
    foobar_token: paste token from /auth/fooBar
    session_token: paste token from /auth/login or 2FA verify
    temp_token: paste tempToken from /auth/login when requires2FA=true
    totp_secret: paste base32 secret from /auth/2fa/enable
    otpauth_url: paste otpauth URL from /auth/2fa/enable
    totp_code: "123456"
    email_otp: "123456"
    recovery_code: ABCD1234
    auth_verify_email_token: paste token copied from verification email link
    auth_reset_password_token: paste token copied from password-reset email link
