API Endpoints¶

The COORDINATOR authentication system provides comprehensive REST endpoints under /api/auth/* for managing authentication, authorization, and user data.

Base URL

All endpoints are prefixed with /api/auth/. For example: POST https://auth.getcoordinator.ai/api/auth/sign-up

Authentication Endpoints¶

POST /api/auth/sign-up

Register a new user account with email and password.

POST /api/auth/sign-in

Authenticate a user with email and password, creating a new session.

Sign Out¶

POST /api/auth/sign-out

Terminate the current user session.

Forgot Password¶

POST /api/auth/forget-password

Request a password reset email for account recovery.

Reset Password¶

POST /api/auth/reset-password

Reset password using a token sent via email.

Email Verification Endpoints¶

Verify Email¶

POST /api/auth/verify-email

Verify a user's email address using a verification token.

Resend Verification Email¶

POST /api/auth/resend-verification-email

Send a new verification email to the user.

Two-Factor Authentication (2FA)¶

Enable 2FA¶

POST /api/auth/two-factor/enable

Enable two-factor authentication for the user account.

Verify 2FA Code¶

POST /api/auth/two-factor/verify

Verify a TOTP code during login or setup.

Disable 2FA¶

POST /api/auth/two-factor/disable

Disable two-factor authentication for the user account.

Passkey Endpoints¶

Register Passkey¶

POST /api/auth/passkey/register

Register a new WebAuthn passkey for the user.

Verify Passkey¶

POST /api/auth/passkey/verify

Authenticate using a registered passkey.

Organization Endpoints¶

Create Organization¶

POST /api/auth/organization/create

Create a new organization with the authenticated user as owner.

Request Body:

{
  "name": "Team Name",
  "slug": "team-slug"
}

Update Organization¶

PUT /api/auth/organization/update

Update organization details (name, logo, metadata).

Permission: Organization owner only

Delete Organization¶

DELETE /api/auth/organization/delete

Delete an organization and all associated data.

Permission: Organization owner only

List Organizations¶

GET /api/auth/organization/list

List all organizations the user is a member of.

Get Organization Details¶

GET /api/auth/organization/get

Get detailed information about a specific organization.

Team Endpoints¶

Create Team¶

POST /api/auth/organization/team/create

Create a new team within an organization.

Request Body:

{
  "name": "Team Name",
  "organizationId": "org-id"
}

Permission: Organization owner or admin

Update Team¶

PUT /api/auth/organization/team/update

Update team details (name, etc.).

Permission: Organization owner or admin

Delete Team¶

DELETE /api/auth/organization/team/delete

Delete a team and remove all team members.

Permission: Organization owner or admin

List Teams¶

GET /api/auth/organization/team/list

List all teams within an organization.

Member Management Endpoints¶

Add Member¶

POST /api/auth/organization/member/add

Add an existing user directly to an organization.

Request Body:

{
  "userId": "user-id",
  "organizationId": "org-id",
  "role": "member"
}

Permission: Organization owner only

Remove Member¶

DELETE /api/auth/organization/member/remove

Remove a user from an organization.

Permission: Organization owner only (cannot remove yourself)

Update Member Role¶

PUT /api/auth/organization/member/update-role

Change a member's role within the organization.

Request Body:

{
  "memberId": "member-id",
  "role": "admin"
}

Permission: Organization owner only

Team Member Endpoints¶

Add Team Member¶

POST /api/auth/organization/team/member/add

Add a user to a team within an organization.

Request Body:

{
  "userId": "user-id",
  "teamId": "team-id"
}

Permission: Organization owner or admin

Remove Team Member¶

DELETE /api/auth/organization/team/member/remove

Remove a user from a team.

Permission: Organization owner or admin

Invitation Endpoints¶

Create Invitation¶

POST /api/auth/organization/invitation/create

Send an email invitation to join an organization.

Request Body:

{
  "email": "[email protected]",
  "organizationId": "org-id",
  "role": "member"
}

Permission: Organization owner or admin Rate Limit: 50 invitations per organization per 24 hours

Accept Invitation¶

POST /api/auth/organization/invitation/accept

Accept a pending organization invitation.

Request Body:

{
  "invitationId": "inv-id"
}

Reject Invitation¶

POST /api/auth/organization/invitation/reject

Reject a pending organization invitation.

Cancel Invitation¶

DELETE /api/auth/organization/invitation/cancel

Cancel a pending invitation before it's accepted.

Permission: Organization owner or admin only

Session Endpoints¶

Get Session¶

GET /api/auth/session

Get the current user's session information including active organization and team.

Response:

{
  "user": {
    "id": "user-id",
    "name": "User Name",
    "email": "[email protected]"
  },
  "session": {
    "activeOrganizationId": "org-id",
    "activeTeamId": "team-id"
  }
}

Switch Organization¶

PUT /api/auth/session/switch-organization

Change the active organization for the current session.

Request Body:

{
  "organizationId": "org-id"
}

Switch Team¶

PUT /api/auth/session/switch-team

Change the active team for the current session.

Request Body:

{
  "teamId": "team-id"
}

Error Handling¶

Error Response Format

All errors return a JSON object with error and message fields.

Common Error Responses¶

Organization Errors¶

"Organization name must be between 2 and 100 characters."
"Invalid slug format. Use only lowercase letters, numbers, and hyphens."
"Slug "{slug}" is already taken."
"Organization name "{name}" is already taken."
"Insufficient permissions. Only organization owners can update organization settings."

Team Errors¶

"Team name must be between 2 and 100 characters."
"You must be an organization member to create teams."
"Insufficient permissions. Only organization owners can create teams."
"Team name "{name}" is already taken in this organization."

Member Errors¶

"Invalid email address."
"This user is already a member of the organization."
"Insufficient permissions. Only organization owners can add members directly."
"Cannot remove the last owner from the organization."
"You cannot remove yourself from the organization."

Invitation Errors¶

"Invalid invitation role: {role}. Allowed roles: owner, admin, member"
"Invitation rate limit exceeded. Please try again later."
"Insufficient permissions. Only organization owners and admins can send invitations."
"An invitation has already been sent to this email address."
"Invitation has expired"

Authentication Headers¶

All authenticated requests require a valid session token provided via:

Cookie: session_token (automatically handled by browsers)
Authorization Header: Bearer <token> (for API clients)

CORS Configuration¶

The API supports CORS requests from: - http://localhost:3000 - https://dev-app.getcoordinator.ai - https://app.getcoordinator.ai - https://auth.getcoordinator.ai - https://dev.getcoordinator.ai

Allowed Methods: POST, GET, PUT, DELETE, OPTIONS

Credentials: Enabled for cross-origin requests

API Endpoints¶

Authentication Endpoints¶

Sign Up¶

Sign In¶

Sign Out¶

Forgot Password¶

Reset Password¶

Email Verification Endpoints¶

Verify Email¶

Resend Verification Email¶

Two-Factor Authentication (2FA)¶

Enable 2FA¶

Verify 2FA Code¶

Disable 2FA¶

Passkey Endpoints¶

Register Passkey¶

Verify Passkey¶

Organization Endpoints¶

Create Organization¶

Update Organization¶

Delete Organization¶

List Organizations¶

Get Organization Details¶

Team Endpoints¶

Create Team¶

Update Team¶

Delete Team¶

List Teams¶

Member Management Endpoints¶

Add Member¶

Remove Member¶

Update Member Role¶

Team Member Endpoints¶

Add Team Member¶

Remove Team Member¶

Invitation Endpoints¶

Create Invitation¶

Accept Invitation¶

Reject Invitation¶

Cancel Invitation¶

Session Endpoints¶

Get Session¶

Switch Organization¶

Switch Team¶

Error Handling¶

Common Error Responses¶

Organization Errors¶

Team Errors¶

Member Errors¶

Invitation Errors¶

Authentication Headers¶

CORS Configuration¶