# Authentication API

API endpoints for authentication and session management.

## Get Session

Get current session information.

```http
GET /api/auth/session
```

Response:

```json
{
  "user": {
    "userId": "user_123",
    "email": "user@example.com",
    "organizations": [...]
  }
}
```
## Magic Link Authentication

### Send Magic Link

Send a passwordless magic link email.

```http
POST /api/auth/magic-link/send
Content-Type: application/json
```

```json
{
  "email": "user@example.com"
}
```

Response:

```json
{
  "success": true,
  "message": "Magic link sent to email"
}
```
### Verify Magic Link

Verify a magic link token and establish a session.

```http
POST /api/auth/magic-link/verify
Content-Type: application/json
```

```json
{
  "token": "magic_link_token"
}
```

Response:

```json
{
  "success": true,
  "user": {
    "userId": "user_123",
    "email": "user@example.com"
  }
}
```
## OAuth Authentication

### Initiate OAuth Flow

Start OAuth authentication with a provider (Google, GitHub).

```http
GET /api/auth/oauth/[provider]
```

Supported providers:

- `google` - Google OAuth
- `github` - GitHub OAuth

Response: redirects to the provider's authorization page.

### OAuth Callback

OAuth callback handler (called by the provider).

```http
GET /api/auth/oauth/callback/[provider]?code=...&state=...
```

Response: redirects to the application with a session established.
## Passkey Authentication

### Get Registration Options

Get passkey registration options for the user.

```http
POST /api/auth/passkey/register-options
Content-Type: application/json
```

```json
{
  "userId": "user_123"
}
```

Response:

```json
{
  "challenge": "...",
  "rp": {
    "name": "NetPad",
    "id": "netpad.io"
  },
  "user": {
    "id": "...",
    "name": "user@example.com",
    "displayName": "User Name"
  },
  "pubKeyCredParams": [...]
}
```
### Complete Registration

Complete passkey registration.

```http
POST /api/auth/passkey/register
Content-Type: application/json
```

```json
{
  "credential": {...}
}
```

### Get Login Options

Get passkey login options.

```http
POST /api/auth/passkey/login-options
Content-Type: application/json
```

```json
{
  "email": "user@example.com"
}
```

### Complete Login

Complete passkey login.

```http
POST /api/auth/passkey/login
Content-Type: application/json
```

```json
{
  "credential": {...}
}
```
## API Keys (Future Feature)

API key authentication for server-to-server integrations is planned for a future release.

## Authentication Methods

NetPad supports multiple authentication methods:

- Magic Links: Passwordless email authentication
- Passkeys: WebAuthn/FIDO2 biometric authentication
- OAuth: Google, GitHub, and other providers

See Platform Authentication for user-facing authentication documentation.
## Security Best Practices

- Use HTTPS: Always use secure connections
- Secure Cookies: Sessions use HTTP-only, secure cookies
- Token Expiration: Magic link tokens expire after use
- CSRF Protection: OAuth flows include state validation
## Rate Limiting

Authentication endpoints have specific rate limits:

| Endpoint | Limit |
|---|---|
| /api/auth/magic-link/send | 5 requests/hour per email |
| /api/auth/magic-link/verify | 10 requests/hour per IP |
| /api/auth/passkey/login-options | 20 requests/hour per IP |

Rate limit information is included in response headers:

```http
X-RateLimit-Limit: 5
X-RateLimit-Remaining: 3
X-RateLimit-Reset: 1640995200
```