AuthFlow

Quick Setup Guide

Get started withemail/password authentication

Add secure email/password login to your app in minutes, using JWT token authentication provided by our platform. Follow our simple setup guide and you'll be up and authenticating users in no time.

Three simple steps to secure email/password authentication

Follow these steps to integrate AuthFlow's email/password authentication endpoints into your backend applications.

Create Your Account

Sign up for AuthFlow and create your first project. You'll get your server-side API key instantly for secure email/password authentication.

Organization NameAcme, Inc.

API Keyaf_1234567890abcdef

Integrate Auth Endpoints

Use our /auth endpoints from your backend to handle user authentication. All endpoints require your organization's API key for secure email/password login.

API Key Required

All /auth endpoints require your organization's API key in JWT tokens for secure email/password authentication

Backend Integration

Call from your server-side code, never expose API keys to frontend

Session Management

Handle user sessions with JWT tokens containing org API key for reliable email/password authentication

API Integration Overview

// 1. Get temporary token

GET /auth/fooBar?identity=user@email.com

// 2. User signup with API key

GET /auth/signUp?foobar=...&api_key=af_...&email=...

// 3. User login (returns session token)

GET /auth/login?foobar=...&email=...&password=...&org_id=...

// 4. Validate session

GET /auth/validate?sessionToken=...&email=...

Add Authentication

Wrap your app with your provider and start using authentication components. It's that simple with reliable email/password authentication!

App.jsx

import axios from 'axios'

function

App

() {

return

(

)

}

/auth API Endpoints Technical Guide for Email/Password Authentication

Complete technical documentation for integrating AuthFlow's email/password authentication endpoints into your backend applications.

API Key Configuration

Your organization's API key is embedded in all JWT tokens for /auth endpoints. Store this securely in your backend environment variables for reliable email/password authentication.

# Environment Variables

AUTHFLOW_API_KEY=af_your_api_key_here

AUTHFLOW_BASE_URL=https://api.authflow.net

Security Note: Security Note: Never expose your API key in frontend code or client-side JavaScript. All /auth endpoint calls must be made from your backend server for secure email/password authentication.

GET /auth/fooBar

Generate temporary anti-abuse tokens for authentication flows

Parameters:

identity (string): User's email address

Response:

{
"token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9..."
}

Node.js Example:

const response = await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/fooBar?identity=user@example.com');
const foobarToken = response.data.token;

GET /auth/signUp

Create new user accounts within your organization

Parameters:

foobar (string): Token from /auth/fooBar
api_key (string): Your organization's API key
email (string): User's email address
password (string): User's password (8-32 chars, uppercase, lowercase, number, special char)
fullname (string): User's full name
disclaimed (string): Must be "true"

Response:

{
"statusCode": 200,
"message": "User profile created successfully."
}

Node.js Example:

const signupData = {
  foobar: foobarToken,
  api_key: process.env.AUTHFLOW_API_KEY,
  email: 'user@example.com',
  password: 'SecurePass123!',
  fullname: 'John Doe',
  disclaimed: 'true'
};
const response = await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/signUp', { params: signupData });

GET /auth/login

Authenticate users and receive session tokens

Parameters:

foobar (string): Token from /auth/fooBar
email (string): User's email address
password (string): User's password
org_id (string): Your organization's UUID

Response:

{
"token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9..."
}

The returned JWT contains: email, org_id, and your api_key

Node.js Example:

const loginData = {
  foobar: foobarToken,
  email: 'user@example.com',
  password: 'SecurePass123!',
  org_id: 'your-org-uuid'
};
const response = await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/login', { params: loginData });
const sessionToken = response.data.token; // Store securely for user session

GET /auth/validate

Validate user session tokens and check authentication status

Parameters:

sessionToken (string): JWT from /auth/login
email (string): User's email address

Response:

HTTP 200 (valid session) or HTTP 401 (invalid session)

Node.js Example:

try {
  await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/validate', {
    params: { sessionToken, email: 'user@example.com' }
  });
  // Session is valid
} catch (error) {
  if (error.response?.status === 401) {
    // Session invalid, redirect to login
  }
}

GET /auth/changePassword

Allow authenticated users to change their passwords

Parameters:

sessionToken (string): JWT from /auth/login
email (string): User's email address
newPassword (string): New password (same complexity requirements)

Response:

HTTP 200 (password changed successfully)

Node.js Example:

const changeData = {
  sessionToken,
  email: 'user@example.com',
  newPassword: 'NewSecurePass456!'
};
await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/changePassword', { params: changeData });

GET /auth/logout

End user sessions securely

Parameters:

sessionToken (string): JWT from /auth/login
email (string): User's email address

Response:

HTTP 200 (logout successful)

Node.js Example:

await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/logout', {
params: { sessionToken, email: 'user@example.com' }
});
// Clear session from your app's storage

Complete Backend Integration Example

// authService.js - Backend Authentication Service

const axios = require('axios');

class AuthFlowService {

constructor() {

this.baseURL = process.env.AUTHFLOW_BASE_URL;

this.apiKey = process.env.AUTHFLOW_API_KEY;

this.orgId = process.env.AUTHFLOW_ORG_ID;

}

async getFoobarToken(email) {

const response = await axios.get(this.baseURL + '/auth/fooBar', {

params: { identity: email }

});

return response.data.token;

}

async signUp(userData) {

const foobarToken = await this.getFoobarToken(userData.email);

const params = {

...userData,

foobar: foobarToken,

api_key: this.apiKey

};

return axios.get(this.baseURL + '/auth/signUp', { params });

}

async login(email, password) {

const foobarToken = await this.getFoobarToken(email);

const params = {

foobar: foobarToken,

email,

password,

org_id: this.orgId

};

const response = await axios.get(this.baseURL + '/auth/login', { params });

return response.data.token; // JWT with embedded API key

}

async validateSession(sessionToken, email) {

try {

await axios.get(this.baseURL + '/auth/validate', {

params: { sessionToken, email }

});

return true;

} catch (error) {

return false;

}

async logout(sessionToken, email) {

return axios.get(this.baseURL + '/auth/logout', {

params: { sessionToken, email }

});

}

module.exports = AuthFlowService;

Implementation Notes:

• Store session tokens securely (HTTP-only cookies recommended)
• Validate sessions on protected routes before processing requests
• Handle token expiration and refresh as needed
• Log authentication events for security monitoring

Error Handling & Security

Common HTTP Status Codes:

200: Success
400: Bad Request (missing/invalid parameters)
401: Unauthorized (invalid tokens, wrong API key, etc.)
404: User not found
409: Organization already exists (signup)
500: Server error

Security Best Practices:

• Always validate JWT tokens before processing requests
• Use HTTPS for all API calls
• Implement rate limiting on authentication endpoints
• Store session tokens in HTTP-only, secure cookies
• Log all authentication attempts for security monitoring
• Never log sensitive data like passwords or API keys

Critical: All /auth endpoints must be called from your backend server only. Never expose your API key or make these calls from client-side JavaScript, as this would compromise your organization's security.

What you get outta-the-box with email/password authentication

Wire the endpoints, we provide you the Sessions with reliable JWT tokens. It's that simple! 🤝

Ready to add reliable email/password authentication?

Start your free trial today, have JWT authentication running by end of day.