# Registration & Login > Server-side registration and login with Aerostack Auth. Email/password accounts, JWT access tokens, and refresh token rotation out of the box. ## Registration Register a new user with email and password. Optionally include a display name and custom fields. ```tsx function RegisterForm() { const { signUp, loading, error } = useAuth() const handleRegister = async () => { const result = await signUp(email, password, { name: 'Jane Doe', customFields: { plan: 'free' }, }) if (result.requiresVerification) { // Show "check your email" message } } } ``` ```ts const client = new AerostackClient({ projectId, apiKey }) const result = await client.auth.register({ email: 'user@example.com', password: 'securepassword', name: 'Jane Doe', }) ``` ```bash POST /v1/public/projects/{slug}/auth/register { "email": "user@example.com", "password": "securepassword", "name": "Jane Doe" } ``` **Response:** ```json { "user": { "id": "...", "email": "user@example.com", "name": "Jane Doe" }, "accessToken": "eyJ...", "refreshToken": "...", "requiresVerification": false } ``` If email verification is enabled in your project settings, `requiresVerification: true` is returned and no token is issued until the user verifies their email. ## Login ```tsx const { signIn, user, loading, error } = useAuth() await signIn('user@example.com', 'password') // user is now populated ``` ```ts const result = await client.auth.login({ email: 'user@example.com', password: 'password', }) // result.accessToken, result.user ``` ```bash POST /v1/public/projects/{slug}/auth/login { "email": "user@example.com", "password": "password" } ``` ## Sign out ```tsx const { signOut } = useAuth() // Invalidates refresh token server-side + clears local state await signOut() ``` ## Token refresh Tokens expire after 15 minutes by default. Use `refreshAccessToken` to silently renew: ```tsx const { refreshAccessToken, tokens } = useAuth() // Called automatically by most SDK methods when a 401 is detected. // You can also call it manually: const newTokens = await refreshAccessToken(tokens.refreshToken) ``` ## Cloudflare Turnstile Pass a Turnstile token to protect register and login from bots: ```tsx await signIn(email, password, turnstileToken) await signUp(email, password, { turnstileToken }) ``` See the [REST API reference](/reference/authentication/login) for the full endpoint spec.