The auth endpoints handle everything related to identity: creating accounts, issuing session cookies, renewing expired tokens, revoking sessions, authenticating through Google OAuth, and retrieving the currently signed-in user’s profile. All auth routes live under the /auth prefix. For a detailed explanation of how cookies and CSRF tokens work together, see the Authentication guide.
POST /auth/register
Creates a new user account and immediately issues session cookies. The response body contains the new user’s id and email; the accessToken and refreshToken are delivered as httpOnly cookies — not in the response body.
Rate limits: 5 requests per minute, 20 requests per hour.
Request Body
- email (required): A valid email address. Maximum 254 characters. Must be unique — attempting to register with an already-registered email returns 409 Conflict.
- password (required): The user’s password. Must be between 10 and 128 characters and contain at least one uppercase letter, one lowercase letter, one digit, and one special character (!@#$%^&*()_+-=[]{} etc.).
- name (optional): Display name for the user. Maximum 100 characters.
Response
The body contains the new user’s id and email. Two httpOnly cookies are set: accessToken (7-day JWT) and refreshToken (30-day opaque token).
Errors
| Status | Condition |
|---|---|
| 400 Bad Request | Email is not valid, password does not meet requirements, or name exceeds 100 characters |
| 409 Conflict | An account with this email already exists |
| 429 Too Many Requests | Rate limit exceeded (5/min or 20/hr) |
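Server-side validation for the register body, written to the limits documented above. This is an added example, not the project’s own handler; the 409 uniqueness check is a separate database lookup and is left out, and “one special character” is interpreted here as any non-alphanumeric character, since the documented list ends in “etc.”.

```javascript
// Added example (not the project's code): validate a POST /auth/register body
// against the documented limits and map failures to the 400 response.
const LIMITS = { email: 254, name: 100, passwordMin: 10, passwordMax: 128 };
// Assumption: any non-alphanumeric character counts as "special" (docs say "etc.").
const SPECIAL = /[^A-Za-z0-9]/;
// Minimal shape check, not a full RFC 5322 parser: something@something.tld
const EMAIL_SHAPE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function passwordMeetsPolicy(pw) {
  return (
    typeof pw === "string" &&
    pw.length >= LIMITS.passwordMin &&
    pw.length <= LIMITS.passwordMax &&
    /[A-Z]/.test(pw) &&
    /[a-z]/.test(pw) &&
    /[0-9]/.test(pw) &&
    SPECIAL.test(pw)
  );
}

// Returns { status: 200, errors: [] } when the body is acceptable, or
// { status: 400, errors: [<field>, ...] } naming every field that failed,
// so the client gets one round trip rather than one error at a time.
function validateRegister(body) {
  const { email, password, name } = body ?? {};
  const errors = [];
  if (typeof email !== "string" || email.length > LIMITS.email || !EMAIL_SHAPE.test(email)) {
    errors.push("email");
  }
  if (!passwordMeetsPolicy(password)) {
    errors.push("password");
  }
  // name is optional: only validate it when present.
  if (name !== undefined && (typeof name !== "string" || name.length > LIMITS.name)) {
    errors.push("name");
  }
  return errors.length ? { status: 400, errors } : { status: 200, errors: [] };
}
```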
POST /auth/login
Authenticates an existing user with email and password, and issues session cookies on success. The server checks the stored bcrypt hash; invalid credentials return 401 with no indication of which field was wrong.
Rate limits: 10 requests per minute, 50 requests per hour.
Request Body
- email (required): The registered email address. Maximum 254 characters.
- password (required): The account password. Between 1 and 128 characters.
Response
Sets accessToken (7-day JWT) and refreshToken (30-day opaque token) as httpOnly cookies.
Errors
| Status | Condition |
|---|---|
| 401 Unauthorized | Email not found or password is incorrect |
| 429 Too Many Requests | Rate limit exceeded (10/min or 50/hr) |
POST /auth/refresh
Exchanges a valid refreshToken for a new accessToken and refreshToken pair. The old refresh token is immediately invalidated in the database. Use this endpoint when an accessToken expires (protected endpoints return 401) to restore the session without requiring the user to log in again.
Request Body
- refreshToken (required): The current refresh token string obtained from a previous login, register, or refresh response.
Response
- accessToken: A new signed JWT for the access token cookie.
- refreshToken: A new opaque refresh token. Store this and discard the old one — the old token is now invalid.
Errors
| Status | Condition |
|---|---|
| 401 Unauthorized | Token is invalid, already used, or has expired |
POST /auth/logout
Invalidates the provided refreshToken in the database, ending the user’s session. If the token provided is already invalid or not found, the endpoint still returns success — logout is idempotent.
Request Body
- refreshToken (required): The refresh token to revoke. After this call the token can no longer be used with /auth/refresh.
Response
Always returns "Logged out" on success.
The server does not explicitly clear the accessToken or refreshToken cookies on logout. Browser clients should manually delete the cookies or rely on their natural expiry. The revoked refresh token ensures no new access tokens can be issued for that session.
GET /auth/google
Initiates the Google OAuth 2.0 authorization flow by redirecting the browser to Google’s consent screen. This endpoint is intended to be opened directly in a browser tab — it is not an XHR/fetch call. There is no request body. The server redirects the browser using the configured GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET environment variables.
Prerequisites
The following environment variables must be set on the backend:
| Variable | Description |
|---|---|
| GOOGLE_CLIENT_ID | OAuth 2.0 Client ID from Google Cloud Console |
| GOOGLE_CLIENT_SECRET | OAuth 2.0 Client Secret from Google Cloud Console |
Usage
Open /auth/google in the browser (a link or full-page navigation, not an XHR call). After the user completes consent, Google redirects the browser to /auth/google/callback.
GET /auth/google/callback
The OAuth 2.0 redirect URI that Google calls after the user approves (or denies) consent. This endpoint is handled automatically as part of the OAuth flow — you do not call it directly. On success, the server:
- Finds or creates a user record matching the Google account’s email.
- Signs a new JWT accessToken and creates a new refreshToken.
- Sets both as httpOnly cookies.
- Redirects the browser to FRONTEND_URL/auth/callback (defaults to http://localhost:3000/auth/callback).
The /auth/callback page receives the session cookies automatically and can then call GET /auth/me to retrieve the user’s profile.
The redirect destination is controlled by the FRONTEND_URL environment variable on the backend. Configure this to your deployed frontend URL in production.
GET /auth/me
Returns the currently authenticated user’s profile. Requires a valid accessToken cookie.
Request
No body. The JWT from the accessToken cookie is read automatically.
Response
Errors
| Status | Condition |
|---|---|
| 401 Unauthorized | No accessToken cookie present, or the JWT is expired / invalid |
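A browser-side helper for the flow described under /auth/refresh and /auth/me: call the protected endpoint with the session cookies, and on a 401 rotate the session once via POST /auth/refresh before retrying, without looping when the refresh itself is rejected. This is an added example, not the project’s frontend; it assumes the API is served at API_BASE and that the backend reads the refreshToken cookie on /auth/refresh (if your deployment expects the token in the JSON body, add it to the refresh request), and fetchImpl is injectable so the logic can be exercised without a live server.

```javascript
// Added example (not the project's code): fetch with one-shot refresh-and-retry.
// Assumed backend origin; adjust to your deployment.
const API_BASE = "http://localhost:4000";

async function fetchWithRefresh(path, init = {}, fetchImpl = globalThis.fetch) {
  // credentials: "include" sends the httpOnly accessToken/refreshToken cookies.
  const opts = { ...init, credentials: "include" };
  const first = await fetchImpl(API_BASE + path, opts);
  if (first.status !== 401) return first;

  // accessToken expired or missing: exchange the refresh token for a new pair.
  // Assumption: the backend reads the refreshToken cookie; no JSON body is sent.
  const refreshed = await fetchImpl(API_BASE + "/auth/refresh", {
    method: "POST",
    credentials: "include",
  });
  // 401 here means the refresh token is invalid, already used, or expired:
  // the user must log in again. Return the original 401 rather than retrying.
  if (refreshed.status !== 200) return first;

  // Retry exactly once with the freshly issued accessToken cookie.
  return fetchImpl(API_BASE + path, opts);
}

// GET /auth/me: resolves to the profile object, or null when the session
// cannot be restored (the caller should send the user to the login page).
async function currentUser(fetchImpl = globalThis.fetch) {
  const res = await fetchWithRefresh("/auth/me", { method: "GET" }, fetchImpl);
  return res.status === 200 ? res.json() : null;
}
```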