The Auth API manages user identity in Quikko. It issues JWT access and refresh tokens on registration and login, and provides endpoints to query account state, update passwords, change plans, and delete accounts. All responses use the standard JSON envelope —Documentation Index
Fetch the complete documentation index at: https://mintlify.com/Andr21Da16/Quikko/llms.txt
Use this file to discover all available pages before exploring further.
{ "success": true, "data": {...}, "error": null } — except empty-success operations where data is null.
The user’s plan (
free or pro) is not embedded in the JWT. It is read from the database on every protected operation, so plan changes take effect immediately without requiring a token refresh.POST /api/v1/auth/register
POST/api/v1/auth/register
Creates a new user account with the Free plan and immediately issues a JWT access/refresh token pair. Rate limited per IP using the AUTH_RATE_LIMIT_PER_MIN environment variable.
Request body
A valid email address. Must be unique — returns
409 AUTH_EMAIL_TAKEN if already registered.Account password. Minimum 8 characters.
Response — 201 Created
Short-lived JWT used in the
Authorization: Bearer header for protected endpoints.Long-lived token used to obtain a new access token via
POST /api/v1/auth/refresh.The newly created user record.
Error codes
| HTTP | Code | When |
|---|---|---|
| 400 | VALIDATION_ERROR | Missing or malformed fields |
| 409 | AUTH_EMAIL_TAKEN | Email already registered |
| 429 | RATE_LIMIT_EXCEEDED | Too many requests from this IP |
POST /api/v1/auth/login
POST/api/v1/auth/login
Authenticates an existing user and returns a fresh token pair. To prevent user enumeration, the server returns the same AUTH_INVALID_CREDENTIALS error whether the email does not exist or the password is wrong. Rate limited per IP separately from registration (LOGIN_RATE_LIMIT_PER_MIN).
Request body
The account’s email address.
The account’s password.
Response — 200 OK
Short-lived JWT for authenticated requests.
Long-lived token for obtaining new access tokens.
The authenticated user.
Error codes
| HTTP | Code | When |
|---|---|---|
| 400 | VALIDATION_ERROR | Missing or malformed fields |
| 401 | AUTH_INVALID_CREDENTIALS | Wrong email or wrong password (indistinguishable) |
| 429 | RATE_LIMIT_EXCEEDED | Too many login attempts from this IP |
POST /api/v1/auth/refresh
POST/api/v1/auth/refresh
Exchanges a valid refresh token for a new access token. Only accessToken is meaningful in the response — refreshToken is omitted (empty string with omitempty) and user is serialized with empty fields. The refresh token itself is not rotated. No rate limit is applied to this endpoint.
Request body
A refresh token obtained from a previous
register or login call.Response — 200 OK
A new short-lived JWT. The refresh token itself is not rotated.
The
refreshToken field is omitted from the response (Go omitempty drops empty strings). The user object is serialized with empty fields — clients should ignore it on this endpoint.Error codes
| HTTP | Code | When |
|---|---|---|
| 400 | VALIDATION_ERROR | Missing refreshToken field |
| 401 | AUTH_TOKEN_EXPIRED | Refresh token has expired — user must log in again |
| 401 | AUTH_TOKEN_INVALID | Token is malformed or tampered |
GET /api/v1/auth/me
GET/api/v1/auth/me
Returns the core profile of the currently authenticated user. Requires a valid Authorization: Bearer header.
Response — 200 OK
MongoDB ObjectID hex string.
The account email address.
Current plan —
"free" or "pro".GET /api/v1/auth/me/summary
GET/api/v1/auth/me/summary
Returns enriched account info including plan limits and aggregate usage stats. Used by the dashboard header and sidebar. Requires a valid Bearer token.
Response — 200 OK
The account email address.
Current plan —
"free" or "pro".ISO 8601 timestamp of account creation.
Number of URLs currently in the
isActive: true state.Maximum active URLs allowed by the current plan.
null for Pro (unlimited).Sum of
totalClicks across all of the user’s URLs (approximate, fire-and-forget counter).PATCH /api/v1/auth/me/plan
PATCH/api/v1/auth/me/plan
Changes the authenticated user’s plan. Returns the updated user object.
This endpoint is available to any authenticated user without payment validation — it is a testing convenience while Quikko does not yet have a payment gateway. In a production billing flow this would be restricted to privileged roles or a Stripe webhook.
Request body
Target plan. Must be
"free" or "pro".Response — 200 OK
MongoDB ObjectID hex string.
The account email.
The newly applied plan —
"free" or "pro".PATCH /api/v1/auth/me/password
PATCH/api/v1/auth/me/password
Changes the authenticated user’s password. The current password must be provided and verified before the update is applied. Returns an empty-success response (data: null).
Request body
The user’s existing password for identity verification.
The replacement password. Minimum 8 characters.
Response — 200 OK
Returns the standard envelope with data: null. No payload is included on success.
Error codes
| HTTP | Code | When |
|---|---|---|
| 400 | VALIDATION_ERROR | Missing fields or newPassword too short |
| 401 | AUTH_INVALID_CREDENTIALS | currentPassword does not match the stored hash |
| 401 | AUTH_TOKEN_INVALID | Bearer token is missing or invalid |
DELETE /api/v1/auth/me
DELETE/api/v1/auth/me
Permanently deletes the authenticated account and all associated data. Requires password confirmation for security.
Cascade behavior: The service iterates every URL owned by the user, purges each short code from the Redis redirect cache, deletes all URLs from MongoDB, and finally removes the user record. Historical click data in InfluxDB is not deleted (out of scope).
Request body
The account’s current password for deletion confirmation.
Response — 200 OK
Returns the standard envelope with data: null.
Error codes
| HTTP | Code | When |
|---|---|---|
| 400 | VALIDATION_ERROR | Missing password field |
| 401 | AUTH_INVALID_CREDENTIALS | Password is incorrect |
| 401 | AUTH_TOKEN_INVALID | Bearer token is missing or invalid |