Core Auth APIs
auth_login, auth_factor_verify, auth_password_reset
Use Auth2 as the central identity provider for WESB apps with consistent login, reset, site policy, account status, and service-to-service identity controls.
auth_login, auth_factor_verify, auth_password_reset, service/user_resolve, firebase_custom_token, auth_api_key_verify, auth_user_id locally, X-Service-Key for server calls

Unknown site_key values currently use default policy so existing clients keep working.
Registered sites can control login mode, reset mode, 2FA enforcement, site status, and branding.
Register every production app, keep inactive sites disabled, and protect service APIs with a service key.
| Area | Without Registered Site | With Registered Site |
|---|---|---|
| Login APIs | Fallback defaults | Saved policy |
| Password Reset APIs | Default reset policy | Per-site reset flags |
| Service APIs | Service key required | Service key required |
| Site Status | Not available | Can block inactive sites at login |
| Recommended For | Compatibility only | Production and staging apps |

| Endpoint | Access | What It Does | Use It For |
|---|---|---|---|
| POST /api/auth_login.php | App | Validates email/password for a specific site_key. | Primary login from web and mobile apps. |
| POST /api/auth_factor_challenge.php | App | Resends or issues the second-factor challenge token/code. | 2FA follow-up step when login requires an additional factor. |
| POST /api/auth_factor_verify.php | App | Verifies submitted OTP for the active login challenge. | Completing 2FA and finalizing login. |
| GET /api/auth_me.php | App | Returns the current signed-in Auth2 session user. | Session checks and profile bootstrap after login. |
| POST /api/auth_logout.php | App | Clears the active Auth2 user session. | Signing users out of Auth2-backed flows. |
| POST /api/auth_password_reset_check.php | App | Checks whether a reset token or OTP is valid before password entry. | Validating reset links and reset screens. |
| POST /api/auth_password_reset_request.php | App | Creates reset token or OTP and sends reset instructions. | Forgot-password flow in connected apps. |
| POST /api/auth_password_reset_complete.php | App | Consumes reset token and writes the new password hash. | Final step for password reset. |
| POST /api/auth_onboarding_request.php | App | Sends first-time setup OTP for a pending user. | Staff self-activation from the staff login screen. |
| POST /api/auth_onboarding_check.php | App | Checks onboarding token or OTP state before password setup. | Validating first-time setup screens. |
| POST /api/auth_onboarding_complete.php | App | Verifies onboarding OTP, saves password, and activates the account. | Completing first-time account setup. |
| POST /api/auth_profile_update.php | Staff | Updates allowed signed-in staff profile fields. | Staff profile maintenance without changing main email. |
| POST /api/auth_profile_avatar.php | Staff | Saves a cropped profile image for the signed-in user. | Staff profile picture updates. |
| POST /api/auth_api_keys_create.php | Staff | Creates an API key for the current Auth2 user. | User-owned API key provisioning. |
| GET /api/auth_api_keys_list.php | Staff | Lists API keys available to the current Auth2 user. | API key management screens. |
| POST /api/auth_api_keys_revoke.php | Staff | Revokes an existing API key for the current Auth2 user. | Retiring compromised or unused API keys. |
| POST /api/auth_api_key_verify.php | Service | Verifies whether an API key is active and valid. | Service trust checks for API-key based access. |
| POST /api/auth_api.php | Compatibility | Compatibility wrapper for older Auth2 API consumers. | Legacy clients that still call the consolidated auth API. |
| POST /api/service/user_resolve.php | Service | Resolves canonical identity payload by ID or email. | Backend user upsert and synchronization. |
| POST /api/firebase_custom_token.php | Service | Issues Firebase custom token with service-key protection. | Realtime and mobile integration with Firebase auth context. |
| POST /api/admin/login.php | Admin | Authenticates an Auth2 admin session. | Admin console login. |
| GET /api/admin/me.php | Admin | Returns the current signed-in admin session. | Admin console session checks. |
| POST /api/admin/logout.php | Admin | Clears the active admin session. | Admin console sign out. |
| POST /api/admin/change_password.php | Admin | Changes the signed-in admin password. | Admin account security maintenance. |
| GET /api/admin/audit_list.php | Admin | Returns audit log records. | Reviewing admin, user, and auth events. |
| POST /api/admin/user_create.php | Admin | Creates a pending identity user in Auth2. | Central staff onboarding from admin console. |
| POST /api/admin/user_update.php | Admin | Updates identity fields, email, status, or password. | Central account maintenance. |
| GET /api/admin/user_list.php | Admin | Lists Auth2 identity users. | Admin user registry table. |
| POST /api/admin/user_disable.php | Admin | Marks an identity user inactive/disabled. | Blocking access without deleting the identity record. |
| POST /api/admin/user_delete.php | Admin | Deletes an Auth2 identity user. | Removing test or obsolete accounts. |
| POST /api/admin/user_onboarding_resend.php | Admin | Legacy endpoint for resending onboarding delivery. | Compatibility with older admin onboarding behavior. |
| POST /api/admin/site_create.php | Admin | Registers a new app and initial auth settings. | Onboarding new WESB systems into Auth2. |
| POST /api/admin/site_update.php | Admin | Updates a registered site's profile and authenticator policy. | Maintaining site registry records. |
| GET /api/admin/site_list.php | Admin | Lists registered sites and their policy values. | Authenticator policy table and edit modal. |
| POST /api/admin/site_delete.php | Admin | Deletes site registration and linked policy settings. | Removing obsolete apps from Auth2 control. |
| POST /api/admin/policy_update.php | Admin | Updates per-site auth mode and security flags. | Enable 2FA, adjust reset behavior, and manage site policy. |
| POST /api/auth_register.php | Legacy | Legacy registration compatibility endpoint. | Kept for compatibility; central admin-created accounts are preferred. |
| POST /api/auth_register_start.php | Legacy | Starts legacy self-registration flow. | Older registration integrations only. |
| POST /api/auth_register_verify.php | Legacy | Verifies legacy self-registration OTP/token. | Older registration integrations only. |