VideoHub uses a dual-token authentication system: a short-lived access token for authorizing requests and a long-lived refresh token for obtaining new access tokens without re-entering credentials. Both tokens are issued asDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/barcode8/VideoHub/llms.txt
Use this file to discover all available pages before exploring further.
HttpOnly cookies on login and are also returned in the response body for clients that cannot read cookies directly.
Endpoints on this page
| Method | Path | Auth Required |
|---|---|---|
POST | /api/v1/users/register | No |
POST | /api/v1/users/login | No |
POST | /api/v1/users/logout | Yes |
POST | /api/v1/users/refresh-token | No |
Register a new account
POST /api/v1/users/register
Creates a new VideoHub user account. Send fields as a JSON body. Passwords are hashed with bcrypt before storage and are never returned in any response.
Usernames are stored in lowercase and must be unique across the platform. The same uniqueness constraint applies to email addresses.
Request parameters
Unique handle for the account. Stored in lowercase. Used to identify the user’s public channel at
/api/v1/users/c/:username.Valid email address. Must be unique across all accounts.
Plain-text password. Hashed with bcrypt (10 salt rounds) before being persisted — never stored in plain text.
Display name shown on the channel profile. If omitted, it defaults to the value of
username.Response fields
Returns HTTP 201 with a user object.password and refreshToken are always stripped from the response.
Always
200 inside the response envelope (the HTTP status is 201).The newly created user document.
Human-readable confirmation string, e.g.
"User registered successfully".Error responses
| Status | Condition |
|---|---|
400 | One or more of username, email, or password is missing or blank. |
409 | An account with the same username or email already exists. |
500 | An internal error occurred after the document was created (rare). |
Example
Log in
POST /api/v1/users/login
Authenticates a user with either their email or username plus their password. On success, both an accessToken and a refreshToken are issued as HttpOnly cookies (httpOnly: true, secure: false, sameSite: "Lax") and are also included in the JSON response body for non-browser clients.
You can supply either
email or username — at least one is required. If both are provided, the server matches against either field.Request parameters
The email address used at registration. Either
email or username must be provided.The account’s username. Either
email or username must be provided.The account password in plain text. Compared against the stored bcrypt hash.
Response fields
Returns HTTP 200.The authenticated user object with
password and refreshToken omitted.Short-lived JWT. Include this in the
Authorization: Bearer <token> header for protected endpoints. Also set as the accessToken HttpOnly cookie.Long-lived JWT. Use this to obtain a new access token via
/api/v1/users/refresh-token. Also set as the refreshToken HttpOnly cookie."User logged in successfully"Error responses
| Status | Condition |
|---|---|
400 | Neither username nor email was provided. |
400 | No account found with the given username or email. |
401 | Password does not match the stored hash. |
Example
Log out
POST /api/v1/users/logout
Terminates the current session. The server clears both accessToken and refreshToken cookies and sets the stored refreshToken field to undefined in the database, preventing the old refresh token from being reused.
Request parameters
No request body is required. The user identity is derived from the JWT in theAuthorization header or the accessToken cookie.
Response fields
An empty object
{} — no user data is returned on logout."User logged out successfully"Example
Refresh an access token
POST /api/v1/users/refresh-token
Issues a fresh accessToken (and rotates the refreshToken) without requiring the user to log in again. The endpoint accepts the refresh token from the refreshToken cookie or from the request body.
Request parameters
The refresh token string. Required if the
refreshToken cookie is not present (e.g., in native mobile clients or server-to-server calls).Response fields
Returns HTTP 200. New tokens are set asHttpOnly cookies (accessToken, refreshToken) and also returned in the response body.
The newly generated short-lived access token.
The newly generated refresh token. Store this and use it for the next refresh call.
"Access token refreshed successfully"Error responses
| Status | Condition |
|---|---|
401 | No refresh token found in cookies or request body. |
401 | The token is malformed, expired, or does not match the one stored in the database. |