# Authentication API

> Aerostack Authentication REST API reference — registration, login, OTP, magic link, email verification, password reset, and token refresh endpoints.

Aerostack provides a flexible authentication system. All endpoints are under:

```
/v1/public/projects/:projectSlug/auth
```

## Two Sign-in Flows

Your project can support one or both. Configure in **Dashboard → Project → Auth**:

| Flow | Password required? | When to use | API |
|------|-------------------|-------------|-----|
| **Password sign-in** | Yes | Traditional web apps, forms with email + password | [Register](/reference/authentication/register), [Login](/reference/authentication/login) |
| **Passwordless (OTP)** | No | Modern mobile apps, single-screen sign-in (email/phone → OTP → token) | [OTP Send](/reference/authentication/otp-send), [OTP Verify](/reference/authentication/otp-verify) |

**Password sign-in** is always available when auth is enabled. **Passwordless (OTP)** must be enabled in Auth settings — user enters email or phone, receives a code, verifies, and gets a token. No password field.

See [Configuration scenarios](/reference/authentication/configuration-scenarios) for per-method examples, request/response, and UI hints.

## Auth Methods (Passwordless Options)

When **Passwordless (OTP)** is enabled, choose how users identify:

| Method | Description | API |
|--------|-------------|-----|
| **Email OTP only** | User enters email, receives code via email | OTP Send, OTP Verify |
| **Phone OTP only** | User enters phone, receives code via SMS | OTP Send, OTP Verify |
| **Both** | User chooses email or phone | OTP Send, OTP Verify |

Configure **Sign-in method** in Auth settings. Email OTP requires an Email Provider (Resend/SES). Phone OTP requires an SMS provider (MSG91 or Twilio).

## Endpoints

| Endpoint | Description |
|----------|-------------|
| [POST /register](/reference/authentication/register) | Create new users (email + password) |
| [POST /login](/reference/authentication/login) | Authenticate with email and password |
| [POST /otp/send](/reference/authentication/otp-send) | Send OTP to email or phone |
| [POST /otp/verify](/reference/authentication/otp-verify) | Verify OTP and get JWT |
| [GET /me](/reference/authentication/me) | Get current user (requires JWT) |
| [GET /verify-email](/reference/authentication/verify-email) | Verify email with token from email |
| [POST /resend-verification](/reference/authentication/resend-verification) | Resend verification email |
| [POST /reset-password-request](/reference/authentication/reset-password-request) | Request password reset email |
| [POST /reset-password](/reference/authentication/reset-password) | Set new password with reset token |

Each endpoint page includes request/response shapes, error codes, and a **Try it** playground where applicable.
