The Scrubbe authentication API lives under /api/v1/auth and covers the full identity lifecycle: registering a new account, verifying an email address, logging in to receive tokens, refreshing those tokens, and managing your profile. Public endpoints require no credentials; protected endpoints require a valid Bearer token in the Authorization header. Endpoint paths on this page are written relative to /api/v1, so POST /auth/login is sent to /api/v1/auth/login.

Public endpoints

These endpoints do not require authentication.

POST /auth/login

Authenticate with email and password. Returns a short-lived access token and a long-lived refresh token.
email (string, required): The registered email address.
password (string, required): The account password.
curl --request POST \
  --url "https://your-api-domain.com/api/v1/auth/login" \
  --header "Content-Type: application/json" \
  --data '{
    "email": "user@example.com",
    "password": "s3cur3P@ssword"
  }'
200 response
{
  "success": true,
  "message": "Login successful.",
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
    "refreshToken": "dGhpcyBpcyBhIHJlZnJlc2ggdG9rZW4...",
    "user": {
      "id": "usr_01HX...",
      "email": "user@example.com",
      "firstName": "Ada",
      "lastName": "Lovelace",
      "role": "ENGINEER"
    }
  }
}
data.accessToken (string): JWT to include in the Authorization: Bearer header for protected requests. Short-lived.
data.refreshToken (string): Long-lived token used to obtain a new access token via POST /auth/refresh-token.
data.user (object): Basic profile information for the authenticated user.

POST /auth/business/register

Register a new business account and workspace.
businessName (string, required): Name of the organization.
email (string, required): Owner’s email address.
password (string, required): Account password (minimum 8 characters).

POST /auth/dev/register

Register a new developer account.
email (string, required): Developer email address.
password (string, required): Account password.

POST /auth/oauth/login

Authenticate or register via an OAuth provider (e.g., Google). Redirects to the provider’s consent screen.
provider (string, required): OAuth provider name. Example: "google".

POST /auth/verify_email

Verify an email address using the OTP sent after registration.
email (string, required): The email address to verify.
otp (string, required): The one-time passcode delivered to the email address.

POST /auth/resend_otp

Resend the email verification OTP. Subject to the email rate limit (3 requests per minute).
email (string, required): The email address to resend the OTP to.
This endpoint is rate-limited to 3 requests per minute per email address. Repeated calls within the window return 429 Too Many Requests.

POST /auth/forgot-password

Initiate the password reset flow. Sends a reset link or token to the specified email.
email (string, required): The email address associated with the account.

POST /auth/validate-reset-token

Validate that a password reset token is still active before presenting the reset form.
token (string, required): The reset token received via email.

POST /auth/reset-password

Set a new password using a valid reset token.
token (string, required): The reset token from the email.
password (string, required): The new password (minimum 8 characters).

POST /auth/refresh-token

Exchange a refresh token for a new access token. Does not require the Authorization header.
refreshToken (string, required): A valid, unexpired refresh token.
{
  "success": true,
  "message": "Token refreshed.",
  "data": {
    "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }
}
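
Added example (not Scrubbe's own client code): a small Python session helper that logs in, sends the access token as a Bearer header, and exchanges the refresh token once when a protected call is rejected. The ScrubbeSession class, the injectable send transport, and the assumption that an expired access token produces HTTP 401 are not from this page.

```python
import json
import urllib.error
import urllib.request

BASE_URL = "https://your-api-domain.com/api/v1"  # placeholder host used on this page

def http_send(method, path, headers, body):
    """Default transport: returns (status, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method,
                                 headers={"Content-Type": "application/json", **headers})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

class ScrubbeSession:
    """Hypothetical helper: keeps tokens in memory only and refreshes once on 401."""
    def __init__(self, send=http_send):
        self._send = send
        self._access = self._refresh = None

    def login(self, email, password):
        status, body = self._send("POST", "/auth/login", {},
                                  {"email": email, "password": password})
        if status != 200 or not body.get("success"):
            raise PermissionError(f"login failed with HTTP {status}")
        self._access = body["data"]["accessToken"]
        self._refresh = body["data"]["refreshToken"]
        return body["data"]["user"]

    def _renew(self):
        # Public endpoint: refresh token travels in the body, no Authorization header.
        status, body = self._send("POST", "/auth/refresh-token", {},
                                  {"refreshToken": self._refresh})
        if status != 200:
            self._access = self._refresh = None  # drop stale tokens, force a new login
            raise PermissionError("refresh token rejected; log in again")
        self._access = body["data"]["accessToken"]

    def request(self, method, path, body=None):
        if self._access is None:
            raise PermissionError("not logged in")
        for attempt in range(2):
            status, resp = self._send(method, path,
                                      {"Authorization": f"Bearer {self._access}"}, body)
            if status != 401 or attempt == 1:
                return status, resp
            self._renew()  # assumption: an expired access token yields 401
```

Retrying only once keeps a revoked or invalid token from turning into a refresh loop; a second 401 is returned to the caller.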

Protected endpoints

These endpoints require Authorization: Bearer <accessToken>.

POST /auth/logout

Invalidate the current session. The access token is revoked server-side. No request body required.
{
  "success": true,
  "message": "Logged out successfully.",
  "data": {}
}

POST /auth/change-password

Change the authenticated user’s password.
currentPassword (string, required): The user’s current password.
newPassword (string, required): The new password (minimum 8 characters, must differ from the current password).

GET /auth/me

Retrieve the profile of the currently authenticated user.
{
  "success": true,
  "message": "Profile retrieved.",
  "data": {
    "id": "usr_01HX...",
    "email": "user@example.com",
    "firstName": "Ada",
    "lastName": "Lovelace",
    "role": "ENGINEER",
    "businessId": "biz_01HX...",
    "createdAt": "2025-01-15T10:30:00Z"
  }
}

PUT /auth/profile

Update the authenticated user’s profile information.
firstName (string): Updated first name.
lastName (string): Updated last name.
phone (string): Contact phone number.
Email address cannot be changed through this endpoint. Contact support to update your login email.