Logotipo Hedhog

Get Hedhog updates in your inbox

New releases, fresh recipes, and breaking changes — no spam.

Back to Core modulesWired in CoreModule
auth module screenshot

Core Submodule

auth

Handles authentication, session tokens, MFA and password recovery.

Source path: libraries/core/src/auth

Module file: auth.module.ts

Introduction

The Auth submodule manages every phase of the user identity lifecycle: credential exchange, session token issuance, multi-factor authentication challenges, password recovery, and session termination. It is the entry point for all user-facing authentication and the guardian of every protected resource in the platform.

Login returns a short-lived JWT access token used in the Authorization: Bearer header for protected endpoints, and optionally a long-lived refresh token. The refresh token can be exchanged for a new access/refresh pair without re-authentication, enabling seamless session continuity across browser sessions and mobile apps. Logout invalidates the refresh token server-side, ensuring the session ends even if the access token has not yet expired naturally.

HedHog supports three MFA channels. TOTP works with any standards-compliant authenticator app (Google Authenticator, Authy, 1Password). Email OTP sends a six-digit code to the user's verified email address. WebAuthn uses the Web Authentication API to leverage hardware security keys, Face ID, Touch ID, or Windows Hello. When MFA is enabled, the standard login flow responds with a pending mfaToken instead of a full session — the client must submit the correct code through the matching verification endpoint to receive the final access token. Recovery codes provide a backup when the primary MFA device is unavailable.

The forgot-password flow is two-step: a time-limited, single-use code is sent to the registered email (POST /auth/forgot), and that code is then submitted alongside the new password (POST /auth/forgot-reset). The WebAuthn assertion ceremony follows the same two-step model — generate options, then verify the signed response from the authenticator.

Self-registration via POST /auth/signup is available for open-registration platforms. For invite-only or admin-provisioned deployments, this endpoint can be locked down through route-level permissions without changing code.

HTTP Endpoints

15 endpoints

Verify that the current access token is valid and return the authenticated user.

Return the list of roles available to the authenticated user.

Authenticate with email and password; returns access and refresh tokens.

Body

FieldTypeRequiredNotes
emailstringyesValid email address
passwordstringyesStrong password
refreshTokenbooleannoRequest a refresh token in response

Exchange a refresh token for a new access/refresh token pair.

Body

FieldTypeRequiredNotes
refreshTokenstringyesValid refresh token

Register a new user account.

Body

FieldTypeRequiredNotes
namestringyes
emailstringyesValid email address
passwordstringyesStrong password

Invalidate the given refresh token, ending the session.

Body

FieldTypeRequiredNotes
refreshTokenstringyes

Initiate the password reset flow by sending a reset code to the user's email.

Body

FieldTypeRequiredNotes
emailstringyesValid email address

Complete the password reset using the code received by email.

Body

FieldTypeRequiredNotes
codestringyesReset code received by email
passwordstringyesMin 8 chars

Verify an email-based login code during multi-factor authentication.

Body

FieldTypeRequiredNotes
tokenstringyesPending login token
codestringyesPin code from email

Resend the email verification code for a pending login.

Body

FieldTypeRequiredNotes
tokenstringyesPending login token

Verify a one-time MFA code (TOTP or email) to complete login.

Body

FieldTypeRequiredNotes
tokenstringyesJWT pending login token
codestringyes
methodType"totp" | "email" | "recovery"no

Complete login using a recovery code when the primary MFA method is unavailable.

Body

FieldTypeRequiredNotes
tokenstringyesJWT pending login token
codestringyesRecovery code

Resend the MFA code for a pending authentication challenge.

Body

FieldTypeRequiredNotes
tokenstringyesJWT pending login token

Generate WebAuthn assertion options for passkey-based MFA verification.

Body

FieldTypeRequiredNotes
mfaTokenstringyesJWT pending MFA token

Verify a WebAuthn assertion response and complete passkey authentication.

Body

FieldTypeRequiredNotes
mfaTokenstringyesJWT pending MFA token
assertionResponseobjectyesWebAuthn assertion from the browser

MCP Tools

No MCP tools mapped for this submodule.