Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Antonelli-Tech-Solutions/spades/llms.txt

Use this file to discover all available pages before exploring further.

Registration creates a new player account identified by email address, display username, and password. The account is inactive immediately after registration — the player must click the verification link sent to their email before they can log in. Once verified, the account is permanently active and the token is consumed.

POST /api/auth/register

Creates a new player account and sends a verification email containing a single-use activation link.
MethodPOST
Path/api/auth/register
Auth requiredNone

Request body

email
string
required
The player’s email address. Must be a valid email format. Stored normalized to lowercase.
username
string
required
The display name shown to other players in the lobby and at the table. Stored with original casing; must be unique across all accounts.
password
string
required
The account password. Minimum 8 characters. Stored as a bcrypt hash — the plaintext is never persisted.

Example request

curl -X POST http://localhost:3000/api/auth/register \
  -H 'Content-Type: application/json' \
  -d '{"email": "alice@example.com", "username": "alice", "password": "hunter2abc"}'

Response codes

StatusMeaning
201Registration successful. Verification email sent.
400Missing or invalid fields (e.g. password fewer than 8 characters, missing email).
409Email address or username is already registered to another account.

201 response body

message
string
A human-readable confirmation that registration succeeded and a verification email has been sent.
playerId
string
The UUID assigned to the newly created player account.
{
  "message": "Registration successful. Please check your email to verify your account.",
  "playerId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

GET /api/auth/verify-email

Activates a player account by validating the token from the verification email. Tokens are single-use and expire 24 hours after registration.
MethodGET
Path/api/auth/verify-email
Auth requiredNone

Query parameters

token
string
required
The UUID verification token included in the registration email link. Tokens expire after 24 hours and are deleted after first use.

Response codes

StatusMeaning
200Email verified. The account is now active and the player can log in.
400Token is missing, invalid, already used, or has expired.

Local development

If you do not have an SMTP server configured locally, set DEV_AUTO_VERIFY=true when starting the server. With this flag, POST /api/auth/register marks the account as verified immediately — no email is sent and no token is required. The player can log in straight away. Never set DEV_AUTO_VERIFY in production — the server ignores it when NODE_ENV=production.
DEV_AUTO_VERIFY=true npm start

POST /api/auth/resend-verification

Sends a fresh verification email to an unverified account. Any previously issued token is deleted before a new one is generated.
MethodPOST
Path/api/auth/resend-verification
Auth requiredNone

Request body

email
string
required
The email address of the unverified account.

Example request

curl -X POST http://localhost:3000/api/auth/resend-verification \
  -H 'Content-Type: application/json' \
  -d '{"email": "alice@example.com"}'

Response codes

StatusMeaning
200Request accepted. If the email is registered and unverified, a new verification link has been sent.
This endpoint always returns 200, even when the supplied email address is not found in the database or the account is already verified. This behaviour is intentional — it prevents account enumeration by making it impossible for an unauthenticated caller to determine whether a given email address is registered.

Build docs developers (and LLMs) love

Get started for freeTalk to us