Skip to content
Select themeSelect language

POST /api/auth/magic/consume — consume a sign-in link token submitted by the user's own browser via the /auth/magic/confirm interstitial page. Accepts `{"token": "…"}` in the request body. Returns the same JSON shape as password login (200 with session + CSRF cookies, or `{"totp_required":true}` for armed 2FA) so the confirm page can use the same session-adoption path.

POST
/api/auth/magic/consume
curl --request POST \
--url https://example.com/api/auth/magic/consume \
--header 'Content-Type: application/json' \
--data '{ "token": "example" }'

Returns 401 JSON on an invalid/expired/used token so the confirm page can route back to /auth/magic?error=1. Approval is enforced downstream.

Media typeapplication/json
object
token
required
string
Examplegenerated
{
"token": "example"
}

Session issued from a valid magic-link token

Media typeapplication/json
object
csrf_token
required
string
expires_in
required
integer format: int64
user
required
object
email
string | null
id
required
string format: uuid
Examplegenerated
{
"csrf_token": "example",
"expires_in": 1,
"user": {
"email": "example",
"id": "2489E9AD-2EE2-8E00-8EC9-32D5F69181C0"
}
}

Invalid or expired magic-link token

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}

Structured server error

Media typeapplication/json

The canonical JSON body of every error response — the single source of truth the frontend binds to. Every AppError serializes as this exact shape, and the generated OpenAPI component ApiErrorBody (with its ErrorCode enum) is what the frontend error schema is generated from, so there is no hand-written error schema on either end.

object
code
required

Machine-readable, stable error code.

string
Allowed values: not_found unauthorized forbidden bad_request unprocessable precondition_failed conflict method_not_allowed rate_limited quota_exceeded database_error docker_error vault_error internal_error
details
One of:
null
error
required

Human-readable message (the server’s English text; the client may localize by code).

string
Example
{
"code": "not_found"
}