@archastro/sdk
    Preparing search index...

    Class AuthClient

    Index

    Constructors

    Methods

    • List supported auth methods Returns the complete catalogue of authentication methods the platform supports, including each method's stable slug, user-facing name, and description. Use this endpoint to render method labels in sign-in UIs or org settings screens without hardcoding copy or maintaining your own enum list. Results reflect the platform's source-of-truth catalogue and are consistent across all orgs. This endpoint requires only a publishable key and is accessible without an active user session, making it suitable for pre-authentication flows such as login page rendering or onboarding configuration.

      Returns Promise<Record<string, unknown>>

      Successful response

    • Exchange a one-time login token for session tokens Consumes a single-use login token delivered via email and returns an access token, refresh token, and the authenticated user object. One-time tokens are issued by the passwordless login flow and expire after a short window; submitting an expired or already-used token returns HTTP 401. If timezone is provided and the user's current timezone is still the default ("America/Los_Angeles"), the account timezone is updated in the same request. Requests are rate-limited to 10 per IP per minute; exceeding this returns HTTP 429.

      Parameters

      • token: string

        Single-use login token extracted from the magic link or email code flow.

      • Optionaltimezone: string

        IANA timezone name to apply to the account if the account timezone is still the default, e.g. "Europe/London". Omit to leave the timezone unchanged.

      Returns Promise<AuthTokens>

      Access token, refresh token, and the authenticated user object.

    • Authenticate with email and password Authenticates a user with an email address and password and returns a short-lived access token, a refresh token, and the authenticated user object. Use the refresh token with the /auth/refresh endpoint to obtain new access tokens without re-authenticating. Password login must be enabled for the app; apps that have disabled password authentication return HTTP 403. Requests are rate-limited per IP (10 per minute) and per email-IP pair (5 per minute) — exceeding either limit returns HTTP 429.

      Parameters

      • email: string

        Email address of the user to authenticate.

      • password: string

        Password for the account associated with the given email.

      Returns Promise<AuthTokens>

      Access token, refresh token, and authenticated user object.

    • Refresh an access token Exchanges a valid refresh token for a new access token and a new refresh token, rotating the refresh token on every call. The response also includes the updated user object. Store the new refresh token and discard the old one. Refresh tokens are single-use — submitting an already-consumed token returns HTTP 401. Rate limiting is applied per (user, IP) pair when the token can be verified, and falls back to IP-only when it cannot. The limit is 30 exchanges per minute per bucket; exceeding it returns HTTP 429.

      Parameters

      • refreshToken: string

        Refresh token previously issued by a login, registration, or token-refresh response.

      Returns Promise<AuthTokens>

      New access token, new refresh token, and the authenticated user object.

    • Register a new user with email and password Creates a new user account and returns an access token, refresh token, and the new user object. Two registration paths are supported:

      • Team registration: supply team_invite with a valid team invite ID. The new user is added to that team immediately upon registration. Returns HTTP 404 if the invite is not found.
      • Standard registration: supply password. An invite_code may optionally be included for invite-gated apps; an invalid code returns HTTP 404. Exactly one of team_invite or password must be provided; omitting both returns HTTP 400. Password registration must be enabled for the app; disabled apps return HTTP 403. The response status is HTTP 201 on success.

      Parameters

      • email: string

        Email address for the new account.

      • Optionalalias: string

        Display alias (handle) for the new account.

      • OptionalfullName: string

        Full name for the new account.

      • OptionalinviteCode: string

        Invite code for invite-gated registration. Applied only in the standard registration path.

      • Optionalpassword: string

        Password for the new account. Required for standard (non-team-invite) registration.

      • OptionalteamInvite: string

        Team invite ID. When provided, the user is added to the team on registration.

      • Optionaltimezone: string

        IANA timezone name for the new account, e.g. "America/New_York".

      Returns Promise<AuthTokens>

      Access token, refresh token, and the newly created user object.

    • Request a magic link for login Sends a magic link to the given email address so an existing user can sign in without a password. The user clicks the link in their email and is redirected to redirect_uri with a token; pass that token to /auth/verify_link to obtain session tokens. If no account exists for the email, the endpoint still returns success to prevent email enumeration — no link is sent in that case. Both email and redirect_uri are required. Requests are rate-limited per IP (10 per minute) and per email-IP pair (3 per minute) — exceeding either limit returns HTTP 429. Returns HTTP 204 on success.

      Parameters

      • Optionalemail: string

        Email address of the account to send the magic link to.

      • OptionalredirectUri: string

        URL the user is redirected to after clicking the magic link. The token is appended as a query parameter.

      Returns Promise<Record<string, unknown>>

      No content

    • Request a magic link for login or registration Sends a passwordless magic link to the given email address. If an account with that email already exists, a login link is sent. If no account exists, a registration link is sent and the recipient completes sign-up by clicking through. This unified endpoint lets you implement a single email-entry UI that handles both cases transparently. The redirect_uri is validated against the app's registered hosts; an unregistered URI returns HTTP 400. Both email and redirect_uri are required. Requests are rate-limited per IP (10 per minute) and per email-IP pair (3 per minute). Returns HTTP 204 on success — no body.

      Parameters

      • Optionalemail: string

        Email address to send the magic link to.

      • OptionalredirectUri: string

        URL the user is redirected to after clicking the magic link. Must be registered with the app.

      Returns Promise<Record<string, unknown>>

      No content

    • Request a magic link for registration Starts a passwordless registration flow by sending a verification link to the given email address. The recipient clicks the link and is redirected to redirect_uri with a token; pass that token to /auth/verify_link to complete registration and obtain session tokens. Profile fields (full_name, alias, timezone) are captured now and applied when the link is verified. Requests are rate-limited per IP (10 per minute) and per email-IP pair (3 per minute) — exceeding either limit returns HTTP 429. Returns HTTP 204 on success.

      Parameters

      • Optionalalias: string

        Display alias (handle) for the new account.

      • Optionalemail: string

        Email address to send the registration magic link to.

      • OptionalfullName: string

        Full name for the new account.

      • OptionalredirectUri: string

        URL the user is redirected to after clicking the registration link. The token is appended as a query parameter.

      • Optionaltimezone: string

        IANA timezone name for the new account, e.g. "America/New_York".

      Returns Promise<Record<string, unknown>>

      No content

    • Verify a magic link token Consumes a single-use token from a magic link URL and returns an access token, refresh token, and the authenticated user object. This endpoint completes both the login flow (initiated by /auth/request_login_link) and the registration flow (initiated by /auth/request_register_link or /auth/request_link). Extract the token from the token query parameter of the magic link redirect URI and POST it here. Expired or already-used tokens return HTTP 401. If the app has disabled passwordless authentication the request returns HTTP 403. Rate-limited to 10 requests per IP per minute — exceeding this returns HTTP 429.

      Parameters

      • Optionaltoken: string

        Single-use magic link token extracted from the redirect URI query parameter.

      Returns Promise<AuthTokens>

      Access token, refresh token, and the authenticated user object.