# Authentication API

## Endpoints

- `POST /api/auth/register`
- `POST /api/auth/login`
- `POST /api/auth/logout`
- `POST /api/auth/token/refresh`
- `GET /api/auth/me`
- `GET /api/auth/oauth/{provider}/start`
- `GET /api/auth/oauth/{provider}/callback`
### Register

```bash
curl -s -X POST http://127.0.0.1:3000/api/auth/register \
  -H 'Content-Type: application/json' \
  -d '{"email":"dev@example.com","password":"secret"}'
```

### Login

```bash
curl -i -s -X POST http://127.0.0.1:3000/api/auth/login \
  -H 'Content-Type: application/json' \
  -d '{"email":"dev@example.com","password":"secret"}'
```

The login response includes tokens and sets the `zeptoz_session` cookie.
## RBAC (current implementation)

Roles in Zeptoz:

- `owner`
- `admin`
- `member`

The default role on user registration is `member`.
### Access rules in place

| Area | owner | admin | member |
|---|---|---|---|
| Collection POST/PATCH/DELETE | allowed | allowed | forbidden |
| Collection GET/list | allowed | allowed | allowed |
| File access to any file | allowed | allowed | not allowed |
| File access to own file | allowed | allowed | allowed |
Notes:

- Collection write operations enforce `owner` or `admin`.
- Collection read/list operations require authentication but are not role-restricted.
- Files are authenticated; `member` can only download/delete files where `owner_id` matches the user.
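The access rules above, expressed as a deny-by-default authorization check. This is an added illustration, not Zeptoz's own implementation: the `Principal` and `File` shapes, the `user_id` field, and the function names are assumptions; the roles, the default role, and the allow/deny decisions come from the table and notes above.

```python
# Added example: a policy check mirroring the Zeptoz RBAC table.
# Illustrative code, not the project's implementation. The Principal/File
# shapes and function names are assumed; the rules are taken from the docs.
from dataclasses import dataclass
from typing import Optional

ROLES = {"owner", "admin", "member"}
DEFAULT_ROLE = "member"            # role assigned on registration (per docs)
PRIVILEGED = {"owner", "admin"}    # may write collections and access any file
COLLECTION_WRITE = {"POST", "PATCH", "DELETE"}
COLLECTION_READ = {"GET"}          # "GET/list" in the table


@dataclass(frozen=True)
class Principal:
    """An authenticated caller. A missing principal means 'not logged in'."""
    user_id: str
    role: str = DEFAULT_ROLE


@dataclass(frozen=True)
class File:
    """A stored file; owner_id is the user_id of the uploader."""
    file_id: str
    owner_id: str


def _authenticated(principal: Optional[Principal]) -> bool:
    # Every route in the table requires a logged-in user with a known role.
    return principal is not None and principal.role in ROLES


def can_access_collection(principal: Optional[Principal], method: str) -> bool:
    """Collection routes: any authenticated user may GET/list;
    only owner/admin may POST/PATCH/DELETE. Anything else is denied."""
    if not _authenticated(principal):
        return False
    verb = method.upper()
    if verb in COLLECTION_WRITE:
        return principal.role in PRIVILEGED
    if verb in COLLECTION_READ:
        return True
    return False  # unknown verb: deny rather than fall through to allow


def can_access_file(principal: Optional[Principal], file: File) -> bool:
    """File download/delete: owner/admin may touch any file;
    member only files whose owner_id matches the caller's user_id."""
    if not _authenticated(principal):
        return False
    if principal.role in PRIVILEGED:
        return True
    return file.owner_id == principal.user_id


def access_matrix() -> dict:
    """Recompute the documented table from the checks, so a change to the
    code can be compared against the documented policy in one place."""
    any_file = File("f-other", "someone-else")
    matrix = {}
    for role in ("owner", "admin", "member"):
        p = Principal(user_id="u-" + role, role=role)
        own_file = File("f-own", p.user_id)
        matrix[role] = {
            "collection_write": can_access_collection(p, "POST"),
            "collection_read": can_access_collection(p, "GET"),
            "any_file": can_access_file(p, any_file),
            "own_file": can_access_file(p, own_file),
        }
    return matrix


if __name__ == "__main__":
    # Constructed sample calls; prints one line per role.
    for role, row in access_matrix().items():
        print(role, row)
```

The `access_matrix()` helper is the useful part for maintenance: it reproduces the documented table from the live checks, so a test can fail the build if the code and the docs drift apart (for example, if a new verb such as `PUT` were accidentally treated as a read).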