Shop It Docs
Developer Resourcesauth

Auth Module API & Integration Guide

Endpoint reference for admin auth and customer mobile auth, including Google OAuth customer flow and edge-case behavior.

Auth - API & Integration Guide

1. Route Surfaces

Auth is split across two surfaces:

  • Admin / backoffice auth: /api/auth/*
  • Customer mobile auth: /api/mobile/auth/*

Google OAuth is customer-only and is exposed only on /api/mobile/auth/*.

2. Endpoint Reference

2.1 Admin auth (/api/auth/*)

MethodPathAuthDescription
POST/api/auth/login/emailPublicAdmin email/password login
POST/api/auth/password/forgotPublicRequest password reset
POST/api/auth/password/resetPublicReset password via token or OTP
POST/api/auth/email/verify/resendPublicResend email verification
POST/api/auth/email/verify/confirmPublicConfirm email verification
POST/api/auth/refreshPublicRotate refresh/access tokens
GET/api/auth/meJWTGet current user profile
GET/api/auth/permissionsJWTGet current user permissions
POST/api/auth/phone/verify/requestJWTSend phone verification OTP
POST/api/auth/phone/verify/confirmJWTConfirm phone verification OTP
DELETE/api/auth/logoutJWTLogout current session

2.2 Customer mobile auth (/api/mobile/auth/*)

MethodPathAuthDescription
POST/api/mobile/auth/registerPublicCustomer register (email/password)
POST/api/mobile/auth/login/emailPublicCustomer email/password login
GET/api/mobile/auth/googlePublicStart Google OAuth redirect
GET/api/mobile/auth/google/callbackPublicGoogle callback; returns user + tokens
POST/api/mobile/auth/refreshPublicRotate refresh/access tokens
POST/api/mobile/auth/password/forgotPublicRequest password reset
POST/api/mobile/auth/password/resetPublicReset password via token or OTP
POST/api/mobile/auth/email/verify/resendPublicResend email verification
POST/api/mobile/auth/email/verify/confirmPublicConfirm email verification
GET/api/mobile/auth/meJWTGet current user profile
DELETE/api/mobile/auth/logoutJWTLogout current session

3. Key Contracts

3.1 Customer email login

POST /api/mobile/auth/login/email

{
  "email": "customer@example.com",
  "password": "StrongPass123",
  "deviceInfo": {
    "deviceId": "android-abc",
    "deviceType": "android",
    "deviceName": "Pixel",
    "fcmToken": "optional-fcm-token"
  }
}

3.2 Google callback success shape (customer)

GET /api/mobile/auth/google/callback

{
  "message": "Google login successful.",
  "data": {
    "user": {
      "id": "uuidv7",
      "name": "Tenzin Sherpa",
      "email": "tenzin@example.com",
      "image": "https://lh3.googleusercontent.com/...",
      "emailVerified": true,
      "phone": null,
      "phoneVerified": false,
      "role": "customer"
    },
    "tokens": {
      "sessionId": "uuidv7",
      "accessToken": "<jwt>",
      "refreshToken": "<opaque-token>"
    }
  }
}

4. Google OAuth Behavior Matrix (Actual Runtime)

Google auth is handled by AuthService.handleGoogleOAuth() and has the following behavior:

ScenarioResult
Google profile has no email400 BadRequest (Google account must have an email.)
Email belongs to admin account401 Unauthorized (Google login is not available for admin accounts.)
Existing customer with Google account linkUpdates provider tokens and logs in
Existing customer without Google account linkCreates account provider link and logs in
Existing customer with emailVerified=falseMarks emailVerified=true, then logs in
No existing customerAuto-creates customer + Google account link, then logs in

Important note for pending email-verification users

If a customer registered via email/password but did not verify email yet, successful Google login with the same email will mark the customer as verified and issue tokens.

5. Operational Notes

Required Google env keys:

  • GOOGLE_CLIENT_ID
  • GOOGLE_CLIENT_SECRET
  • GOOGLE_CALLBACK_URL

Callback URL must match mobile auth callback route:

  • Example: if PORT=5002, use http://localhost:5002/api/mobile/auth/google/callback

6. Guardrail Summary

  • Superadmin/admin login is email/password only.
  • Customer Google login/signup is mobile auth only.
  • There is no Google OAuth endpoint under /api/auth/google*.

Catalog Product Feature List

Product module feature contract across admin, customer, and mobile surfaces.

Auth Module Backend Documentation

Internal auth architecture with split admin/customer controllers and Google OAuth customer-only behavior.

On this page

Auth - API & Integration Guide1. Route Surfaces2. Endpoint Reference2.1 Admin auth (/api/auth/*)2.2 Customer mobile auth (/api/mobile/auth/*)3. Key Contracts3.1 Customer email login3.2 Google callback success shape (customer)4. Google OAuth Behavior Matrix (Actual Runtime)Important note for pending email-verification users5. Operational Notes6. Guardrail Summary