API Endpoints Reference

Base URL in local development: http://localhost:3000
Global prefix: /api

All profile endpoints require a valid session cookie. The exception is confirm-change, which accepts anonymous requests.

For flow details, see Authentication.

General

`GET /api`

Returns a hello message. Use this to verify the API is reachable.

Auth: anonymous
Response: { "message": "Hello API" }

Auth Endpoints

`ALL /api/auth/{*path}`

Forwards every request to Better Auth (toNodeHandler(authConfig)).

Auth: varies by Better Auth route
Sign-up required fields: name, nickname, email, password

info

Direct account mutation paths (/update-user, /change-password, /change-email) are blocked. Use the profile endpoints below.

Profile Endpoints

`POST /api/profile/request-profile-change`

Sends a confirmation email. On confirmation, the API updates name and nickname.

Auth: required
Request body:

{
  "name": "New Name",
  "nickname": "new-nickname",
  "callbackURL": "http://localhost:4200/auth/confirm-account-change"
}

Response: { "status": true }

`POST /api/profile/request-email-change`

Starts a two-step email change. The API sends a confirmation to the old address first.

Auth: required
Request body:

{
  "newEmail": "new@example.com",
  "callbackURL": "http://localhost:4200/auth/confirm-account-change"
}

Response: { "status": true }

`POST /api/profile/request-password-change`

Verifies the current password. The API stores the new hash and sends a confirmation email.

Auth: required
Minimum password length: 8 characters
Request body:

{
  "currentPassword": "current-password",
  "newPassword": "new-password-min-8",
  "callbackURL": "http://localhost:4200/auth/confirm-account-change"
}

Response: { "status": true }

`POST /api/profile/confirm-change`

Applies a pending change using the token from the confirmation email.

Auth: anonymous
Request body:

{
  "token": "hex-token-from-email"
}

Response:

{
  "status": true,
  "type": "profile | email | password",
  "step": "completed | new-email-verification-sent",
  "requiresLogin": false,
  "user": {
    "id": "uuid",
    "email": "user@example.com",
    "name": "Display Name",
    "nickname": "unique-nick",
    "emailVerified": true
  }
}

Password Confirmation

When type is "password", the API revokes all sessions. requiresLogin is true and user is null. The frontend must redirect the user to the login page.

General​

GET /api​

Auth Endpoints​

ALL /api/auth/{*path}​

Profile Endpoints​

POST /api/profile/request-profile-change​

POST /api/profile/request-email-change​

POST /api/profile/request-password-change​

POST /api/profile/confirm-change​