Authentication API

Complete authentication endpoints covering OAuth, password, MFA, magic links, passkeys, device authorization, and session management.

The Authentication API provides comprehensive endpoints for all authentication methods supported by AuthOS.

Authentication Methods

Method       Use Case                                   Documentation
-----------  -----------------------------------------  -------------
OAuth 2.0    Social login (GitHub, Google, Microsoft)   OAuth
Password     Email/password registration and login      Password
MFA          Second-factor verification during login    MFA
Magic Link   Passwordless email authentication          Magic Link
Passkeys     WebAuthn/FIDO2 passwordless                Passkeys
Device Flow  CLI and headless device auth (RFC 8628)    Device Flow
Sessions     Logout and token refresh                   Sessions
HRD          Home Realm Discovery for SSO               HRD

Flow Selection Guide

graph TD
    A[User wants to authenticate] --> B{Has account?}
    B -->|No| C[Register with OAuth or Password]
    B -->|Yes| D{Preferred method?}
    D -->|Social| E[OAuth Flow]
    D -->|Password| F[Password Login]
    D -->|Passwordless| G{Device type?}
    G -->|Browser| H[Magic Link or Passkey]
    G -->|CLI/Headless| I[Device Flow]
    F --> J{MFA enabled?}
    J -->|Yes| K[MFA Verification]
    J -->|No| L[Session Created]
    K --> L
    E --> L
    H --> L
    I --> L

Security Considerations

  • All authentication endpoints use HTTPS
  • Rate limiting protects against brute-force attacks
  • Email enumeration protection on password reset and registration
  • Session tokens use Secure, HttpOnly cookies where applicable
  • MFA backup codes are single-use and securely hashed