Authentication Endpoints

Health Check

get

Check the health status of the authentication service. This endpoint is used by load balancers, monitoring systems, and orchestration tools to determine if the service is healthy and ready to handle requests.

Response Status:

  • 200 OK: Service is healthy and all components are operational

  • 503 Service Unavailable: Service is unhealthy (database connection failed)

Use Cases:

  • Load balancer health checks

  • Kubernetes liveness/readiness probes

  • Monitoring system status checks

  • CI/CD pipeline health verification

Responses

200 · Success · application/json

Example Request:

GET /v1/auth/health/ HTTP/1.1
Host: api.dev.fabricbloc.com
Accept: */*

Example Response (200 Success):
{
  "status": "text",
  "timestamp": "text",
  "service": "text",
  "environment": "text",
  "app_version": "text",
  "components": {
    "ANY_ADDITIONAL_PROPERTY": "text"
  }
}

Basic Authentication Login

post

Authenticate user with email/phone and password to obtain access tokens

Authentication Flow:

  1. User provides identifier (email/phone) and password

  2. System validates credentials

  3. Returns JWT access and refresh tokens

  4. User can use access token for authenticated requests

Security Features:

  • Password hashing and validation

  • Account lockout after failed attempts

  • JWT token expiration

  • Refresh token for token renewal

Token Usage:

  • Access Token: Include in Authorization header for API calls

  • Refresh Token: Use to get new access token when expired

Prerequisites:

  • User account must be verified

  • Valid email/phone and password combination

Use Cases:

  • Web application user login

  • Mobile app authentication

  • API access for authenticated users

  • E-commerce platform customer login

Body
identifier · string · min: 1 · max: 100 · Required

Email or Phone number

password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

Responses

200 · Login successful · application/json

Example Request:
POST /v1/auth/login/basic/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 66

{
  "identifier": "[email protected]",
  "password": "MySecretPassword123"
}

Example Response (200):
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 123,
    "email": "[email protected]",
    "is_verified": true
  }
}

Passwordless Login

post

Initiate passwordless login by sending OTP or verification link

Process:

  1. User provides email/phone number

  2. System sends OTP or verification link

  3. User enters OTP or clicks link

  4. System authenticates user and returns tokens

Benefits:

  • No password required

  • Enhanced security through time-based codes

  • Reduced password management overhead

Security:

  • Rate limiting prevents abuse

  • OTP expiration for security

  • One-time use codes

Use Cases:

  • Password-free authentication for mobile apps

  • Quick login for returning users

  • Enhanced security for sensitive applications

  • Corporate SSO integration

Body
method · string · enum · Optional

Method to send message

Possible values:
  • email - email
  • sms - sms
Default: email

verification_type · string · enum · Optional

OTP or Link

Possible values:
  • otp - otp
  • link - link
Default: otp

identifier · string · min: 1 · max: 100 · Required

Email or Phone number

Responses

200 · Login OTP/link sent successfully · application/json

Example Request:
POST /v1/auth/login/passwordless/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 76

{
  "identifier": "[email protected]",
  "method": "email",
  "verification_type": "otp"
}

Example Response (200):
{
  "message": "otp sent via email."
}

Confirm Passwordless Login

post

Complete passwordless login by verifying OTP or link

Process:

  1. User provides identifier and verification code

  2. System validates OTP/link

  3. Authenticates user and returns JWT tokens

  4. User can now access protected resources

Security:

  • OTP validation with expiration check

  • One-time use verification codes

  • Rate limiting on verification attempts

Use Cases:

  • Completing passwordless login flow

  • Two-factor authentication verification

  • Temporary access code validation

  • Guest user authentication

Body
identifier · string · min: 1 · max: 100 · Required

Email or Phone number

code · string · min: 1 · Required

Verification code received

Responses

200 · Login successful · application/json

Example Request:
POST /v1/auth/login/passwordless/confirm/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 49

{
  "identifier": "[email protected]",
  "code": "123456"
}

Example Response (200):
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "user": {
    "id": 123,
    "email": "[email protected]",
    "is_verified": true
  }
}

Ethereum Wallet Authentication

post

Authenticate user using Ethereum wallet signature verification

Process:

  1. User provides wallet address, message, and signature

  2. System verifies signature using Ethereum cryptography

  3. Creates or retrieves user account

  4. Returns JWT access and refresh tokens

Security Features:

  • Cryptographic signature verification

  • Nonce-based replay protection

  • Wallet address validation

  • Automatic user creation for new wallets

Message Format: The message to sign follows this format:

    Welcome to BlockAuth!

    Please sign this message to authenticate with your wallet.

    Wallet Address: {wallet_address}
    Nonce: {nonce}
    Timestamp: {timestamp}

    This signature will be used to authenticate your account.

Prerequisites:

  • Valid Ethereum wallet address

  • Properly signed message with correct format

  • Valid signature that matches the wallet address

Use Cases:

  • DeFi application user authentication

  • NFT marketplace user access

  • Web3 gaming platform login

  • Decentralized application (dApp) login

Body
wallet_address · string · min: 1 · max: 42 · Required

Ethereum wallet address (0x...)

message · string · min: 1 · Required

Message that was signed by the wallet user.

signature · string · min: 1 · max: 132 · Required

Ethereum signature (0x-prefixed, 130 hex chars, e.g. 0x1234...)

Responses

200 · Wallet authentication successful · application/json

Example Request:
POST /v1/auth/login/wallet/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 471

{
  "wallet_address": "0x742d35Cc6634C0532925a3b8D4C9db96C4b4d8b6",
  "message": "Welcome to BlockAuth!\n\nPlease sign this message to authenticate with your wallet.\n\nWallet Address: 0x742d35Cc6634C0532925a3b8D4C9db96C4b4d8b6\nNonce: 1234567890\nTimestamp: 1640995200\n\nThis signature will be used to authenticate your account.",
  "signature": "0x1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1b"
}

Example Response (200):
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
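
The checks a server can run on this request before recovering the signer, as an added example (not BlockAuth's own code): it parses the message format above, ties it to wallet_address, and rejects stale timestamps and reused nonces. The function name, the 300-second window, the 30-second skew and the nonce character set are assumptions; signature recovery itself is left to an Ethereum library.

```python
import re

# Template taken from the "Message Format" description and the sample request.
MESSAGE_RE = re.compile(
    r"Welcome to BlockAuth!\n\n"
    r"Please sign this message to authenticate with your wallet\.\n\n"
    r"Wallet Address: (?P<address>0x[0-9a-fA-F]{40})\n"
    r"Nonce: (?P<nonce>[0-9A-Za-z]{1,64})\n"
    r"Timestamp: (?P<timestamp>[0-9]{1,12})\n\n"
    r"This signature will be used to authenticate your account\."
)
SIGNATURE_RE = re.compile(r"0x[0-9a-fA-F]{130}")
MAX_AGE = 300   # assumption: seconds a signed message stays acceptable
MAX_SKEW = 30   # assumption: tolerated client clock drift into the future


class WalletLoginError(ValueError):
    """Raised when a wallet login request fails a pre-signature check."""


def precheck_wallet_login(body, used_nonces, now):
    """Validate a wallet login body before signature recovery.

    used_nonces is a set of (address, nonce) pairs already accepted.
    Returns (address, nonce, timestamp); the caller must still recover the
    signer from the signature with an Ethereum library, compare it to the
    address, and only then add (address, nonce) to used_nonces.
    """
    if not SIGNATURE_RE.fullmatch(body.get("signature", "")):
        raise WalletLoginError("signature must be 0x followed by 130 hex chars")
    match = MESSAGE_RE.fullmatch(body.get("message", ""))
    if match is None:
        raise WalletLoginError("message does not follow the expected format")
    address = match["address"].lower()
    if address != body.get("wallet_address", "").lower():
        raise WalletLoginError("address in message differs from wallet_address")
    timestamp = int(match["timestamp"])
    if timestamp > now + MAX_SKEW or now - timestamp > MAX_AGE:
        raise WalletLoginError("timestamp outside the accepted window")
    nonce = match["nonce"]
    if (address, nonce) in used_nonces:
        raise WalletLoginError("nonce already used for this wallet")
    return address, nonce, timestamp


# Constructed sample mirroring the request shown above (signature is filler).
SAMPLE_ADDRESS = "0x742d35Cc6634C0532925a3b8D4C9db96C4b4d8b6"
SAMPLE_BODY = {
    "wallet_address": SAMPLE_ADDRESS,
    "message": (
        "Welcome to BlockAuth!\n\nPlease sign this message to authenticate "
        f"with your wallet.\n\nWallet Address: {SAMPLE_ADDRESS}\n"
        "Nonce: 1234567890\nTimestamp: 1640995200\n\n"
        "This signature will be used to authenticate your account."
    ),
    "signature": "0x" + "1234567890abcdef" * 8 + "1b",
}
```

Recording the nonce only after the signature verifies keeps an unauthenticated caller from burning nonces for someone else's wallet.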

Get Current User Profile

get

Retrieve the complete profile information for the currently authenticated user. This endpoint requires a valid JWT access token in the Authorization header.

Authentication: Required (Bearer token)

Profile Information:

  • Basic user details (ID, email, name)

  • Account status (verification, online status)

  • Profile data (birth date, bio)

  • Authentication methods used

  • Account creation and last login timestamps

Use Cases:

  • Display user profile in frontend applications

  • Verify user authentication status

  • Retrieve user preferences and settings

  • Check account verification status

Responses

200 · Success · application/json

Example Request:

GET /v1/auth/me/ HTTP/1.1
Host: api.dev.fabricbloc.com
Authorization: Bearer JWT
Accept: */*

Example Response (200 Success):
{
  "id": "123e4567-e89b-12d3-a456-426614174000",
  "email": "[email protected]",
  "first_name": "text",
  "last_name": "text",
  "date_joined": "2025-09-14T05:33:00.877Z",
  "is_online": true,
  "date_of_birth": "2025-09-14",
  "bio": "text",
  "authentication_type": "text",
  "is_verified": true,
  "wallet_address": "text"
}

Change Password

post

Change password for authenticated user.

Process:

  1. User provides old password, new password, and confirmation

  2. System validates old password and password confirmation

  3. Updates to new password

  4. Invalidates all existing sessions

Security:

  • Requires old password verification

  • Password strength validation

  • Password confirmation matching

  • Session invalidation for security

  • Rate limiting on attempts

Authentication Required:

  • Valid JWT access token in Authorization header

Use Cases:

  • Proactive password security updates

  • Regular password rotation compliance

  • Account security enhancement

  • Password policy enforcement

Body
old_password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

new_password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

confirm_password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

Responses

200 · Password changed successfully · application/json

Example Request:
POST /v1/auth/password/change/ HTTP/1.1
Host: api.dev.fabricbloc.com
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 113

{
  "old_password": "OldPassword123",
  "new_password": "NewSecurePassword123",
  "confirm_password": "NewSecurePassword123"
}

Example Response (200):
{
  "message": "Password changed successfully."
}

Request Password Reset

post

Initiate password reset process by sending OTP or reset link

Process:

  1. User provides email/phone number

  2. System validates user exists

  3. Sends OTP or reset link

  4. User completes reset via separate endpoint

Security:

  • Rate limiting prevents abuse

  • No indication if user exists (prevents account enumeration)

  • Time-limited reset tokens

Use Cases:

  • User forgot password

  • Account compromise recovery

  • Password expiration notification

  • Security policy enforcement

Body
method · string · enum · Optional

Method to send message

Possible values:
  • email - email
  • sms - sms
Default: email

verification_type · string · enum · Optional

OTP or Link

Possible values:
  • otp - otp
  • link - link
Default: otp

identifier · string · min: 1 · max: 100 · Required

Email or Phone number

Responses

200 · Password reset initiated successfully · application/json

Example Request:
POST /v1/auth/password/reset/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 76

{
  "identifier": "[email protected]",
  "method": "email",
  "verification_type": "otp"
}

Example Response (200):
{
  "message": "Password reset OTP sent via email."
}

Confirm Password Reset

post

Complete password reset by providing verification code, new password, and confirmation.

Process:

  1. User provides identifier, verification code, new password, and confirmation

  2. System validates code, password, and confirmation matching

  3. Updates user password

  4. Invalidates all existing sessions

Security:

  • Password strength validation

  • Password confirmation matching

  • Code expiration check

  • Session invalidation for security

Use Cases:

  • Completing forgotten password recovery

  • Account security restoration

  • Compromised account recovery

  • Password policy compliance

Body
identifier · string · min: 1 · max: 100 · Required

Email or Phone number

code · string · min: 1 · Required

Verification code received

new_password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

confirm_password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

Responses

200 · Password reset successful · application/json

Example Request:
POST /v1/auth/password/reset/confirm/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 129

{
  "identifier": "[email protected]",
  "code": "123456",
  "new_password": "NewSecurePassword123",
  "confirm_password": "NewSecurePassword123"
}

Example Response (200):
{
  "message": "Password reset successful."
}

User Registration

post

Create a new user account with email/phone verification (Basic Signup).

Process:

  1. User provides email/phone and password

  2. System validates input data

  3. Creates user account (unverified)

  4. Sends OTP or verification link

  5. User completes verification via separate endpoint

Verification Methods:

  • OTP: Time-based one-time password sent via email/SMS

  • Link: Verification link sent via email

Security:

  • Password is hashed using Django's secure hashing

  • Rate limiting applied to prevent abuse

  • Email/phone validation before account creation

Prerequisites:

  • Valid email address or phone number

  • Strong password (minimum 8 characters)

  • Unique identifier (email/phone not already registered)

Use Cases:

  • New user registration for web/mobile applications

  • Account creation for e-commerce platforms

  • User onboarding for SaaS applications

  • Community platform member registration

Body
method · string · enum · Optional

Method to send message

Possible values:
  • email - email
  • sms - sms
Default: email

verification_type · string · enum · Optional

OTP or Link

Possible values:
  • otp - otp
  • link - link
Default: otp

identifier · string · min: 1 · max: 100 · Required

Email or Phone number

password · string · min: 1 · Write-only · Required

Your password can’t be too similar to your other personal information.

Your password must contain at least 8 characters.

Your password can’t be a commonly used password.

Your password can’t be entirely numeric.

Responses

200 · Registration initiated successfully · application/json

Example Request:
POST /v1/auth/signup/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 109

{
  "identifier": "[email protected]",
  "password": "MySecretPassword123",
  "method": "email",
  "verification_type": "otp"
}

Example Response (200):
{
  "message": "otp sent via email."
}

Confirm User Registration

post

Verify OTP or click verification link to complete user registration

Process:

  1. User provides identifier and verification code

  2. System validates OTP/link

  3. Marks user as verified

  4. User can now log in to the system

Verification Types:

  • OTP: Numeric code sent via email/SMS

  • Link: URL-based verification (handled separately)

Security:

  • OTP has expiration time

  • One-time use only

  • Rate limiting on attempts

  • CSRF protection for link verification

Use Cases:

  • Completing email verification after signup

  • Phone number verification for SMS-based auth

  • Account activation after registration

  • Two-factor authentication setup

Body
identifier · string · min: 1 · max: 100 · Required

Email or Phone number

code · string · min: 1 · Required

Verification code received

Responses

200 · Registration confirmed successfully · application/json

Example Request:
POST /v1/auth/signup/confirm/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 49

{
  "identifier": "[email protected]",
  "code": "123456"
}

Example Response (200):
{
  "message": "Email verified successfully."
}
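
The OTP properties listed for this endpoint and for the passwordless-login and password-reset confirmations (expiration, one-time use, limited attempts), as an added example rather than the service's implementation. OtpStore, the 300-second lifetime and the five-attempt limit are assumptions; the six-digit length follows the "123456" sample.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300        # assumption: seconds before a code expires
MAX_ATTEMPTS = 5     # assumption: guesses allowed per issued code
OTP_DIGITS = 6       # matches the "123456" sample on this page


class OtpStore:
    """In-memory stand-in for the OTP table; all names here are hypothetical."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)
        self._pending = {}  # identifier -> [digest, expires_at, attempts_left]

    def _digest(self, identifier, code):
        # Store a keyed digest bound to the identifier, never the code itself.
        msg = f"{identifier}\x00{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, identifier, now):
        """Create a fresh code, replacing any earlier one for the identifier."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[identifier] = [self._digest(identifier, code),
                                     now + OTP_TTL, MAX_ATTEMPTS]
        return code

    def verify(self, identifier, code, now):
        """Return True once for the right code; every failure looks the same."""
        entry = self._pending.get(identifier)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now >= expires_at or attempts_left <= 0:
            del self._pending[identifier]      # expired or guessed out
            return False
        entry[2] = attempts_left - 1           # count the attempt first
        if not hmac.compare_digest(digest, self._digest(identifier, code)):
            return False
        del self._pending[identifier]          # one-time use
        return True
```

Counting the attempt before the comparison means a code is discarded after five guesses even when the sixth guess is correct, which caps the success chance of guessing a six-digit code at 5 in 1,000,000 per issued code.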

Resend Verification OTP/Link

post

Resend OTP or verification link for signup confirmation or wallet email verification.

Rate Limiting:

  • Prevents abuse and spam

  • Configurable wait time between requests

  • Different limits for signup vs wallet verification

Security:

  • Rate limiting prevents brute force attacks

  • Validates identifier format before sending

  • Logs all attempts for monitoring

Use Cases:

  • User didn't receive initial verification email/SMS

  • OTP expired and needs renewal

  • Wallet user adding email verification

  • Account recovery for unverified users

Body
method · string · enum · Optional

Method to send message

Possible values:
  • email - email
  • sms - sms
Default: email

verification_type · string · enum · Optional

OTP or Link

Possible values:
  • otp - otp
  • link - link
Default: otp

identifier · string · min: 1 · max: 100 · Required

Email or Phone number

Responses

200 · Verification OTP/link sent successfully · application/json

Example Request:
POST /v1/auth/signup/otp/resend/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 76

{
  "identifier": "[email protected]",
  "method": "email",
  "verification_type": "otp"
}

Example Response (200):
{
  "message": "otp sent via email."
}

Refresh Access Token

post

Get a new access token using a valid refresh token

Process:

  1. User provides valid refresh token

  2. System validates refresh token

  3. Returns new access and refresh tokens

  4. Old refresh token becomes invalid

Security:

  • Refresh tokens have longer expiration

  • Token rotation for enhanced security

  • Automatic invalidation of old tokens

Use Cases:

  • Access token expired during active session

  • Regular token rotation for security

  • Session renewal for long-running applications

  • Mobile app background token refresh

Body
refresh · string · min: 1 · Required

Refresh token to get new access token

Responses

200 · Token refreshed successfully · application/json

Example Request:
POST /v1/auth/token/refresh/ HTTP/1.1
Host: api.dev.fabricbloc.com
Content-Type: application/json
Accept: */*
Content-Length: 53

{
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}

Example Response (200):
{
  "access": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
  "refresh": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
}
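
Refresh-token rotation as described in the process above, in an added example that is not the service's code: each refresh token carries a jti claim that can be redeemed once, so the old token fails after rotation. TokenIssuer, the jti claim and both lifetimes are assumptions; HS256 is taken from the header of the sample tokens on this page.

```python
import base64
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 300            # assumption: access token lifetime in seconds
REFRESH_TTL = 7 * 86400     # assumption: refresh token lifetime in seconds


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Same header as the sample tokens on this page: {"alg":"HS256","typ":"JWT"}
HEADER = _b64(b'{"alg":"HS256","typ":"JWT"}')


class TokenIssuer:
    """Hypothetical issuer that rotates refresh tokens on every use."""

    def __init__(self, key):
        self._key = key
        self._live = set()  # jti values of refresh tokens not yet redeemed

    def _sign(self, claims):
        body = f"{HEADER}.{_b64(json.dumps(claims).encode())}"
        mac = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        return f"{body}.{_b64(mac)}"

    def _verify(self, token, now):
        try:
            header, payload, sig = token.split(".")
            mac = hmac.new(self._key, f"{header}.{payload}".encode(),
                           hashlib.sha256).digest()
            if header != HEADER or not hmac.compare_digest(mac, _unb64(sig)):
                return None  # pinned header blocks algorithm switching
            claims = json.loads(_unb64(payload))
        except ValueError:
            return None
        return claims if claims["exp"] > now else None

    def login(self, user_id, now):
        jti = secrets.token_hex(16)
        self._live.add(jti)
        refresh = {"sub": user_id, "jti": jti, "exp": now + REFRESH_TTL}
        access = {"sub": user_id, "exp": now + ACCESS_TTL}
        return {"access": self._sign(access), "refresh": self._sign(refresh)}

    def refresh(self, token, now):
        claims = self._verify(token, now)
        if not claims or claims.get("jti") not in self._live:
            return None  # forged, expired, an access token, or already rotated
        self._live.discard(claims["jti"])
        return self.login(claims["sub"], now)
```

A client must store the refresh value from every response, since presenting the previous one returns nothing after rotation.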

Add Email to Wallet Account

post

Add an email address to a wallet-based user account and send verification

Process:

  1. User provides email address

  2. System validates email format

  3. Updates user account with email

  4. Sends verification OTP/link to email

  5. User completes verification via separate endpoint

Benefits:

  • Enhanced account recovery options

  • Email notifications and updates

  • Additional verification layer

  • Better user experience

Security:

  • Email format validation

  • Rate limiting on requests

  • Verification required before email is active

  • Authentication required

Authentication Required:

  • Valid JWT access token in Authorization header

Use Cases:

  • Wallet user account enhancement

  • Account recovery setup for wallet users

  • Email notification preferences

  • Multi-factor authentication setup

Body
email · string · email · min: 1 · Required

Email address to add and verify

verification_type · string · enum · Optional

Type of verification to send (OTP or link)

Possible values:
  • otp - otp
  • link - link
Default: otp

Responses

200 · Email added and verification sent successfully · application/json

Example Request:
POST /v1/auth/wallet/email/add/ HTTP/1.1
Host: api.dev.fabricbloc.com
Authorization: Bearer JWT
Content-Type: application/json
Accept: */*
Content-Length: 54

{
  "email": "[email protected]",
  "verification_type": "otp"
}

Example Response (200):
{
  "message": "Email added successfully. otp sent via email."
}
