Email & Password
The default authentication method. Users register with email and password, then log in with the same credentials.
Registration
POST /api/auth/register
{
"name": "John Doe",
"email": "john@example.com",
"password": "SecurePass123!",
"password_confirmation": "SecurePass123!"
}
Returns a Sanctum token. The user receives a verification email (if email verification is enabled).
- Password must meet Laravel's default password rules
- Email must be unique
- In personal tenant mode, a workspace is auto-created
- Triggers the Registered event (sends verification email, welcome notification)
Login
POST /api/auth/login
{
"email": "john@example.com",
"password": "SecurePass123!"
}
Account Lockout
After 5 failed attempts, the account is locked for 15 minutes. The failed_login_attempts and locked_until fields on the User model track this.
MFA Challenge
If MFA is enabled for the user, the login response returns a short-lived mfa_token instead of a full session token. The client must call POST /api/auth/mfa/verify with the 6-digit TOTP code.
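The lockout rule and the MFA challenge above, as an added Python model that is not the project's Laravel code (the real controller, token format and error payloads are not shown on this page). Everything the page states is kept: 5 failures, a 15-minute lock, the failed_login_attempts and locked_until fields, a short-lived mfa_token followed by POST /api/auth/mfa/verify with a 6-digit TOTP code. The rest is assumed and labelled as such: a 5-minute mfa_token lifetime, a one-step TOTP skew window, PBKDF2 as a stand-in for Laravel's bcrypt hasher, and a random string standing in for the Sanctum token. The clock is injectable so the lock expiry can be exercised without waiting.

```python
"""Model of the password-login, lockout and MFA-challenge rules.

Added example, not the project's code. Assumptions not stated on the page:
MFA_TOKEN_TTL, the +/-1-step TOTP window, PBKDF2 as a stand-in for bcrypt,
and the exact shape of the JSON responses.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Callable, Optional

MAX_FAILED_ATTEMPTS = 5      # from the page
LOCKOUT_SECONDS = 15 * 60    # from the page
MFA_TOKEN_TTL = 5 * 60       # assumption: lifetime of the mfa_token
TOTP_STEP = 30               # RFC 6238 default


@dataclass
class User:
    """Mirrors the fields the page names on the User model."""
    email: str
    salt: bytes
    password_hash: bytes
    mfa_secret: Optional[bytes] = None
    failed_login_attempts: int = 0
    locked_until: Optional[float] = None


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for Laravel's bcrypt hasher; any slow salted KDF works for the model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(email: str, password: str, mfa_secret: Optional[bytes] = None) -> User:
    salt = secrets.token_bytes(16)
    return User(email, salt, hash_password(password, salt), mfa_secret)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step): the code an authenticator app shows."""
    counter = struct.pack(">Q", int(at // TOTP_STEP))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def issue_token(user: User) -> str:
    # Stand-in for the Sanctum personal access token the real endpoint returns.
    return secrets.token_urlsafe(40)


class AuthService:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self.now = now
        self.pending_mfa: dict[str, tuple[User, float]] = {}

    def login(self, user: User, password: str) -> dict:
        now = self.now()
        # The lock is checked before the password, so a locked account rejects
        # even the correct password and guessing during the window gains nothing.
        if user.locked_until is not None:
            if now < user.locked_until:
                return {"error": "account_locked", "retry_after": int(user.locked_until - now)}
            user.locked_until = None              # lock expired: start a fresh count
            user.failed_login_attempts = 0
        if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
            user.failed_login_attempts += 1
            if user.failed_login_attempts >= MAX_FAILED_ATTEMPTS:
                user.locked_until = now + LOCKOUT_SECONDS
                return {"error": "account_locked", "retry_after": LOCKOUT_SECONDS}
            return {"error": "invalid_credentials"}
        user.failed_login_attempts = 0            # a successful password clears the counter
        if user.mfa_secret is not None:
            # MFA enabled: hand back a short-lived challenge token, not a session token.
            token = secrets.token_urlsafe(32)
            self.pending_mfa[token] = (user, now + MFA_TOKEN_TTL)
            return {"mfa_token": token}
        return {"token": issue_token(user)}

    def verify_mfa(self, mfa_token: str, code: str) -> dict:
        # The challenge token is single-use: it is removed whether or not the code is
        # right, so guessing a 6-digit code means repeating the password step (and
        # therefore running into the lockout above).
        entry = self.pending_mfa.pop(mfa_token, None)
        if entry is None:
            return {"error": "invalid_mfa_token"}
        user, expires_at = entry
        now = self.now()
        if now > expires_at:
            return {"error": "mfa_token_expired"}
        for drift in (-1, 0, 1):                  # tolerate one step of clock skew
            expected = totp(user.mfa_secret, now + drift * TOTP_STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                return {"token": issue_token(user)}
        return {"error": "invalid_code"}
```

Two points the model makes explicit that the prose does not: the lock check runs before credential verification, so the correct password is rejected during the window rather than silently resetting the counter; and the mfa_token is consumed on every verify call, which caps TOTP guessing at one attempt per password login.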
Password Reset
POST /api/auth/forgot-password # sends reset link
POST /api/auth/reset-password # resets with token
Uses Laravel's signed URL mechanism. Links expire after 60 minutes. Rate-limited to 5 requests per minute.
Email Verification
GET /api/auth/verify-email/{id}/{hash} # verify (signed URL)
POST /api/auth/verify-email/resend # resend verification
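The signed-link handling that both the password reset section and the email verification endpoints above rely on, as an added Python example that is not the project's code. It reproduces the shape of Laravel's URL signing (HMAC-SHA256 over the URL with its signature parameter removed, keyed with APP_KEY, plus an expires timestamp) so the checks can be run offline; the page's 60-minute expiry is used. The APP_KEY value, the host app.example.com and the sha1(email) form of the {hash} segment are constructed or assumed here (sha1 of the address is Laravel's default, not something this page states), and verify_email_link is this example's name, not a project function.

```python
"""Laravel-style signed URLs for the reset and verification links.

Added example, not the project's code: HMAC-SHA256 over the unsigned URL,
keyed with APP_KEY, with an expires= timestamp (the scheme Laravel's signed
routes use). APP_KEY, host and the sha1(email) path segment are assumptions.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

APP_KEY = b"constructed-example-key-do-not-reuse"   # stand-in for the app's APP_KEY
LINK_TTL = 60 * 60                                  # from the page: 60 minutes


def sign_url(url: str, key: bytes, expires_at: int) -> str:
    """Append expires= and signature= to url, as a temporary signed route does."""
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("expires", str(expires_at)))
    unsigned = f"{parts.scheme}://{parts.netloc}{parts.path}?{urlencode(query)}"
    signature = hmac.new(key, unsigned.encode(), hashlib.sha256).hexdigest()
    return f"{unsigned}&signature={signature}"


def check_signed_url(url: str, key: bytes, now: float) -> str:
    """Return "ok", "bad_signature" or "expired".

    The signature is verified first, in constant time, so an edited expires=
    value is rejected as tampering rather than honoured.
    """
    parts = urlsplit(url)
    presented = ""
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name == "signature":
            presented = value
        else:
            kept.append((name, value))
    unsigned = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if kept:
        unsigned += "?" + urlencode(kept)
    expected = hmac.new(key, unsigned.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        return "bad_signature"
    expires = dict(kept).get("expires")
    if expires is not None and float(expires) < now:
        return "expired"
    return "ok"


def verification_url(user_id: int, email: str, key: bytes, now: float) -> str:
    """Build GET /api/auth/verify-email/{id}/{hash}; hash = sha1(email) is assumed."""
    email_hash = hashlib.sha1(email.encode()).hexdigest()
    base = f"https://app.example.com/api/auth/verify-email/{user_id}/{email_hash}"
    return sign_url(base, key, int(now) + LINK_TTL)


def verify_email_link(url: str, user_id: int, current_email: str, key: bytes, now: float) -> str:
    """Hypothetical server-side check: the signature proves the app minted the link;
    the id and hash tie it to this user's address as stored at click time."""
    status = check_signed_url(url, key, now)
    if status != "ok":
        return status
    segments = urlsplit(url).path.rstrip("/").split("/")
    link_id, link_hash = segments[-2], segments[-1]
    if link_id != str(user_id):
        return "wrong_user"
    expected_hash = hashlib.sha1(current_email.encode()).hexdigest()
    if not hmac.compare_digest(expected_hash.encode(), link_hash.encode()):
        return "email_changed"
    return "ok"
```

The order of checks matters: the signature covers the expires parameter, so verifying it before reading expires means a client cannot extend a link's life by editing the timestamp, and the hash comparison after that means a link minted for an old address stops working once the user changes their email.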
Admin Toggle
Password login can be disabled from the admin panel without code changes:
- Setting: auth.password_login → enabled or disabled
- When disabled, users can still use magic link, OAuth, or SSO