POST /api/auth/magic/consume — consume a sign-in link token submitted by the user's own browser via the /auth/magic/confirm interstitial page. Accepts `{"token": "…"}` in the request body. Returns the same JSON shape as password login (200 with session + CSRF cookies, or `{"totp_required":true}` for armed 2FA) so the confirm page can use the same session-adoption path.
const url = 'https://example.com/api/auth/magic/consume';const options = { method: 'POST', headers: {'Content-Type': 'application/json'}, body: '{"token":"example"}'};
try { const response = await fetch(url, options); const data = await response.json(); console.log(data);} catch (error) { console.error(error);}curl --request POST \ --url https://example.com/api/auth/magic/consume \ --header 'Content-Type: application/json' \ --data '{ "token": "example" }'Returns 401 JSON on an invalid/expired/used token so the confirm page can route back to /auth/magic?error=1. Approval is enforced downstream.
Request Bodyrequired
Section titled “Request Bodyrequired”object
Examplegenerated
{ "token": "example"}Responses
Section titled “Responses”Session issued from a valid magic-link token
object
object
Examplegenerated
{ "csrf_token": "example", "expires_in": 1, "user": { "email": "example", "id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0" }}Invalid or expired magic-link token
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}Structured server error
The canonical JSON body of every error response — the single source of truth
the frontend binds to. Every AppError serializes as this exact shape, and
the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is
what the frontend error schema is generated from, so there is no hand-written
error schema on either end.
object
Machine-readable, stable error code.
Present only on a quota-exceeded 403 — the inline upgrade-CTA payload.
object
The entitlement feature key that was hit, e.g. apps.max_count.
The plan’s limit for this key.
Where to send the user to upgrade.
Current usage (count or bytes, per the key).
Human-readable message (the server’s English text; the client may localize
by code).
Example
{ "code": "not_found"}