Cookest

Authentication

App API authentication, onboarding, and account management

These endpoints live on the App API. The separate Food API owns the public ingredient catalog.

POST /api/auth/register

Create a new user account.

Method  Path                Auth  Tier
POST    /api/auth/register  None  Free

Request body

{
  "email": "user@example.com",
  "password": "securepassword",
  "name": "Alice"
}

Response 201 Created

{
  "id": "uuid",
  "email": "user@example.com",
  "name": "Alice"
}

POST /api/auth/login

Authenticate and receive tokens.

Method  Path             Auth  Tier
POST    /api/auth/login  None  Free

Request body

{
  "email": "user@example.com",
  "password": "securepassword"
}

Response 200 OK

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 900
}

The refresh token is not returned in the JSON body. It is set as an httpOnly cookie (Set-Cookie: refresh_token=...), so client-side script cannot read it; only the cookie jar sends it back to the App API.


POST /api/auth/refresh

Obtain a new access token using the refresh cookie.

Method  Path               Auth    Tier
POST    /api/auth/refresh  Cookie  Free

The request has no body. The browser or Dio cookie jar forwards the refresh cookie automatically; the client does not handle the refresh token itself.

Response 200 OK

{
  "access_token": "eyJ...",
  "token_type": "Bearer",
  "expires_in": 900
}

Status  Meaning
401     Refresh token missing, expired, or revoked

POST /api/auth/logout

Revoke the refresh token.

Method  Path              Auth        Tier
POST    /api/auth/logout  JWT Bearer  Free

No body required. The server deletes the refresh token from the database, so a retained copy of the cookie can no longer be exchanged for a new access token, and the response clears the httpOnly cookie. Clients should discard the access token they hold as well; only the refresh token is revoked here.

Response 200 OK

{ "message": "Logged out successfully" }

POST /api/auth/onboarding

Complete the user profile after registration.

Method  Path                  Auth        Tier
POST    /api/auth/onboarding  JWT Bearer  Free

Request body

{
  "household_size": 2,
  "dietary_restrictions": ["vegetarian"],
  "allergies": ["nuts"],
  "health_goals": ["weight_loss"],
  "cooking_skill": "intermediate"
}

cooking_skill values: beginner | intermediate | advanced

Response 200 OK

Returns the updated user object.


POST /api/me/change-password

Change the authenticated user's password.

Method  Path                     Auth        Tier
POST    /api/me/change-password  JWT Bearer  Free

Request body

{
  "current_password": "oldpassword",
  "new_password": "newpassword"
}

Response 200 OK

{ "message": "Password changed successfully" }

Status  Meaning
400     Current password incorrect

DELETE /api/me

Permanently delete the authenticated user's account and all associated data.

Method  Path     Auth        Tier
DELETE  /api/me  JWT Bearer  Free

This action is irreversible. All user data including recipes, meal plans, inventory, and chat history is permanently deleted.

Response 204 No Content
