Auth API

Session, registration, password, and identity endpoints exposed by xcity-home.

These endpoints live at https://www.xcity.one/api/auth/* and are consumed by the website’s own forms plus any sub-product needing to know “who is logged in.” All set or read the xcity_session cookie.

POST /api/auth/register

POST /api/auth/register
Content-Type: application/json

{ "email": "...", "password": "...", "name": "..." }

Creates a GoTrue user, sends a confirmation email, returns { ok: true }. The session is not established until the email is confirmed and the user logs in.

POST /api/auth/login

POST /api/auth/login
Content-Type: application/json

{ "email": "...", "password": "..." }

Sets the xcity_session cookie. Returns { user: { id, email, name, plan } }.

POST /api/auth/signout

Clears the session cookie. Returns { ok: true }.

GET /api/auth/me

Returns the current user (or 401 if unauthenticated). Used by sub-products to confirm identity.
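An added example, not xcity-home's own client code, of how a sub-product running on a sibling *.xcity.one origin can call this endpoint from the browser. It assumes the xcity_session cookie is scoped so that the browser will send it to www.xcity.one from that sibling origin, and the helper names (getCurrentUser, hasPlan, fakeFetchReturning) are this example's own; the fake fetch is constructed so the code runs offline.

```javascript
// Added example (not xcity-home's code): identity check from a sub-product.
// Assumption: the xcity_session cookie is sent cross-origin to www.xcity.one.
const AUTH_ORIGIN = 'https://www.xcity.one';

// Returns the user object on 200, null on 401, and throws on anything else so
// that a transient failure (500, network error) is never mistaken for "logged out".
async function getCurrentUser(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(`${AUTH_ORIGIN}/api/auth/me`, {
    method: 'GET',
    // Required for a cross-origin request to carry the xcity_session cookie;
    // the server must answer with a matching Access-Control-Allow-Credentials.
    credentials: 'include',
    headers: { Accept: 'application/json' },
  });
  if (res.status === 401) return null;
  if (!res.ok) throw new Error(`auth/me failed: HTTP ${res.status}`);
  const body = await res.json();
  if (!body || typeof body.user !== 'object' || body.user === null) {
    throw new Error('auth/me returned an unexpected body');
  }
  return body.user;
}

// Plan gate for a sub-product feature: false when logged out or on another plan.
async function hasPlan(requiredPlan, fetchImpl) {
  const user = await getCurrentUser(fetchImpl);
  return user !== null && user.plan === requiredPlan;
}

// Constructed stand-in for fetch so the example runs without a network.
function fakeFetchReturning(status, body) {
  return async () => ({
    status,
    ok: status >= 200 && status < 300,
    json: async () => body,
  });
}

// Usage (constructed response shaped like the page's example body):
getCurrentUser(
  fakeFetchReturning(200, {
    user: { id: 'uuid', email: 'you@example.com', name: 'Example', plan: 'pro' },
  }),
).then((user) => console.log('logged in as', user.email, 'plan', user.plan));
```

The important distinction is the three-way result: a 401 is a definite "not logged in", while any other non-2xx is an error that the caller should surface or retry rather than treat as an anonymous visitor.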

{
  "user": {
    "id": "uuid",
    "email": "you@example.com",
    "name": "...",
    "plan": "pro"
  }
}

POST /api/auth/forgot-password

POST /api/auth/forgot-password
Content-Type: application/json

{ "email": "..." }

Sends a reset email. Always returns { ok: true } — we never disclose whether an address exists.
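An added example, not xcity-home's own handler, of the "always { ok: true }" behaviour: the response body, status and (as far as the handler controls it) latency are the same whether or not the address is registered, so the endpoint cannot be used to confirm which emails have accounts. findUserByEmail, sendResetEmail and the in-memory user list are hypothetical injected dependencies constructed for the example; the real service sends through GoTrue.

```javascript
// Added example (not xcity-home's code): enumeration-safe forgot-password handler.
// Assumptions: deps.findUserByEmail and deps.sendResetEmail are hypothetical
// functions supplied by the caller; here they are backed by a constructed list.

function normalizeEmail(email) {
  return typeof email === 'string' ? email.trim().toLowerCase() : '';
}

// One frozen response object: there is exactly one thing this handler can say.
const RESET_RESPONSE = Object.freeze({ status: 200, body: Object.freeze({ ok: true }) });

async function handleForgotPassword(reqBody, deps) {
  const { findUserByEmail, sendResetEmail, log = () => {} } = deps;
  const email = normalizeEmail(reqBody && reqBody.email);
  if (email) {
    try {
      const user = await findUserByEmail(email);
      if (user) {
        // Not awaited: the reply does not wait on mail delivery, so response
        // time does not differ between known and unknown addresses. Failures
        // are logged server-side, never reported to the client.
        Promise.resolve(sendResetEmail(user)).catch((err) => log('reset email failed', err));
      }
    } catch (err) {
      // A lookup failure is also answered with the same body.
      log('user lookup failed', err);
    }
  }
  return RESET_RESPONSE;
}

// Constructed test double: one registered user and a counter of sent mails.
function makeDeps() {
  const users = [{ id: 'uuid', email: 'you@example.com' }];
  const sent = [];
  return {
    sent,
    findUserByEmail: async (email) => users.find((u) => u.email === email) || null,
    sendResetEmail: async (user) => { sent.push(user.email); },
    log: () => {},
  };
}

// Usage: both calls produce byte-identical responses; only the first sends mail.
const demo = makeDeps();
Promise.all([
  handleForgotPassword({ email: ' You@Example.com ' }, demo),
  handleForgotPassword({ email: 'nobody@example.com' }, demo),
]).then(([known, unknown]) => {
  console.log(JSON.stringify(known) === JSON.stringify(unknown), 'mails sent:', demo.sent.length);
});
```

Rate limiting per address and per source still belongs in front of this handler; the constant response only closes the enumeration channel, not the mail-flooding one.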

CORS

Every /api/auth/* endpoint accepts requests from https://*.xcity.one (regex match) and dev origins listed in XCT_CORS_EXTRA_ORIGINS. Pre-flight (OPTIONS) responses are cached for 24h.
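An added example, not xcity-home's own middleware, of an origin check for the policy above. Because these endpoints carry the session cookie, the allow-origin header must echo one specific matched origin rather than "*", and the "https://*.xcity.one" match must be anchored at both ends with the dots escaped so that a lookalike host with xcity.one inside it does not pass. The example assumes XCT_CORS_EXTRA_ORIGINS is a comma-separated list of full origins (the page does not state its format); isAllowedOrigin, corsHeadersFor and parseExtraOrigins are names chosen here.

```javascript
// Added example (not xcity-home's code): strict CORS origin allowlist.
// Assumption: XCT_CORS_EXTRA_ORIGINS holds comma-separated full origins.

// Anchored (^ ... $), scheme fixed to https, dots escaped, no port, at least one
// label before ".xcity.one". The apex "https://xcity.one" is deliberately not matched.
const SUBDOMAIN_ORIGIN = /^https:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*\.xcity\.one$/i;

function parseExtraOrigins(envValue) {
  return new Set(
    (envValue || '')
      .split(',')
      .map((s) => s.trim().toLowerCase())
      .filter(Boolean),
  );
}

function isAllowedOrigin(origin, extraOrigins) {
  if (typeof origin !== 'string' || origin.length === 0 || origin.length > 300) return false;
  const o = origin.toLowerCase();
  return SUBDOMAIN_ORIGIN.test(o) || extraOrigins.has(o);
}

// Returns the response headers for an allowed origin, or null when the request
// should get no CORS headers at all (the browser then blocks the response).
function corsHeadersFor(origin, extraOrigins) {
  if (!isAllowedOrigin(origin, extraOrigins)) return null;
  return {
    // Echo the single matched origin; "*" is invalid with credentials anyway.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    // Preflight cache of 24h, as documented for these endpoints.
    'Access-Control-Max-Age': String(24 * 60 * 60),
    // Responses differ per origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Usage with a constructed dev-origin list:
const extra = parseExtraOrigins('http://localhost:3000, http://127.0.0.1:3000');
for (const o of ['https://app.xcity.one', 'http://localhost:3000', 'https://www.xcity.one.example']) {
  console.log(o, '->', isAllowedOrigin(o, extra) ? 'allowed' : 'rejected');
}
```

The Vary: Origin header matters once preflight responses are cached for 24h: without it, a cache could serve one sub-product's allow-origin value to a request from another.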

See Concepts: Authentication flow for the full sub-product story.
