AuthFlow
Quick Setup Guide

Get started withAuthFlow

Add secure Token-based authentication to your app in minutes. Follow our simple setup guide and you'll be up and running in no time.

Three simple steps to secure authentication

Follow these steps to integrate AuthFlow into your application.

1

Create Your Account

Sign up for AuthFlow and create your first project. You'll get your server-side API key instantly.

Organization NameAcme, Inc.
API Keyaf_1234567890abcdef
2

Integrate Auth Endpoints

Use our /auth endpoints from your backend to handle user authentication. All endpoints require your organization's API key.

API Key Required

All /auth endpoints require your organization's API key in JWT tokens

Backend Integration

Call from your server-side code, never expose API keys to frontend

Session Management

Handle user sessions with JWT tokens containing org API key

API Integration Overview
// 1. Get temporary token
GET /auth/fooBar?identity=user@email.com
// 2. User signup with API key
GET /auth/signUp?foobar=...&api_key=af_...&email=...
// 3. User login (returns session token)
GET /auth/login?foobar=...&email=...&password=...&org_id=...
// 4. Validate session
GET /auth/validate?sessionToken=...&email=...
3

Add Authentication

Wrap your app with your provider and start using authentication components. It's that simple!

App.jsx
import axios from 'axios'
function
App
() {
return
(
<AuthFlowSession />
)
}

/auth API Endpoints Technical Guide

Complete technical documentation for integrating AuthFlow's user authentication endpoints into your backend applications.

API Key Configuration

Your organization's API key is embedded in all JWT tokens for /auth endpoints. Store this securely in your backend environment variables.

# Environment Variables
AUTHFLOW_API_KEY=af_your_api_key_here
AUTHFLOW_BASE_URL=https://api.authflow.net

Security Note: Never expose your API key in frontend code or client-side JavaScript. All /auth endpoint calls must be made from your backend server.

GET /auth/fooBar

Generate temporary anti-abuse tokens for authentication flows

Parameters:

  • identity (string): User's email address

Response:

{
  "token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9..."
}

Node.js Example:

const response = await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/fooBar?identity=user@example.com');
const foobarToken = response.data.token;
GET /auth/signUp

Create new user accounts within your organization

Parameters:

  • foobar (string): Token from /auth/fooBar
  • api_key (string): Your organization's API key
  • email (string): User's email address
  • password (string): User's password (8-32 chars, uppercase, lowercase, number, special char)
  • fullname (string): User's full name
  • disclaimed (string): Must be "true"

Response:

{
  "statusCode": 200,
  "message": "User profile created successfully."
}

Node.js Example:

const signupData = {
  foobar: foobarToken,
  api_key: process.env.AUTHFLOW_API_KEY,
  email: 'user@example.com',
  password: 'SecurePass123!',
  fullname: 'John Doe',
  disclaimed: 'true'
};
const response = await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/signUp', { params: signupData });
GET /auth/login

Authenticate users and receive session tokens

Parameters:

  • foobar (string): Token from /auth/fooBar
  • email (string): User's email address
  • password (string): User's password
  • org_id (string): Your organization's UUID

Response:

{
  "token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9..."
}

The returned JWT contains: email, org_id, and your api_key

Node.js Example:

const loginData = {
  foobar: foobarToken,
  email: 'user@example.com',
  password: 'SecurePass123!',
  org_id: 'your-org-uuid'
};
const response = await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/login', { params: loginData });
const sessionToken = response.data.token; // Store securely for user session
GET /auth/validate

Validate user session tokens and check authentication status

Parameters:

  • sessionToken (string): JWT from /auth/login
  • email (string): User's email address

Response:

HTTP 200 (valid session) or HTTP 401 (invalid session)

Node.js Example:

try {
  await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/validate', {
    params: { sessionToken, email: 'user@example.com' }
  });
  // Session is valid
} catch (error) {
  if (error.response?.status === 401) {
    // Session invalid, redirect to login
  }
}
GET /auth/changePassword

Allow authenticated users to change their passwords

Parameters:

  • sessionToken (string): JWT from /auth/login
  • email (string): User's email address
  • newPassword (string): New password (same complexity requirements)

Response:

HTTP 200 (password changed successfully)

Node.js Example:

const changeData = {
  sessionToken,
  email: 'user@example.com',
  newPassword: 'NewSecurePass456!'
};
await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/changePassword', { params: changeData });
GET /auth/logout

End user sessions securely

Parameters:

  • sessionToken (string): JWT from /auth/login
  • email (string): User's email address

Response:

HTTP 200 (logout successful)

Node.js Example:

await axios.get(process.env.AUTHFLOW_BASE_URL + '/auth/logout', {
  params: { sessionToken, email: 'user@example.com' }
});
// Clear session from your app's storage
Complete Backend Integration Example
// authService.js - Backend Authentication Service
const axios = require('axios');

class AuthFlowService {
  constructor() {
    this.baseURL = process.env.AUTHFLOW_BASE_URL;
    this.apiKey = process.env.AUTHFLOW_API_KEY;
    this.orgId = process.env.AUTHFLOW_ORG_ID;
  }

  async getFoobarToken(email) {
    const response = await axios.get(this.baseURL + '/auth/fooBar', {
      params: { identity: email }
    });
    return response.data.token;
  }

  async signUp(userData) {
    const foobarToken = await this.getFoobarToken(userData.email);
    const params = {
      ...userData,
      foobar: foobarToken,
      api_key: this.apiKey
    };
    return axios.get(this.baseURL + '/auth/signUp', { params });
  }

  async login(email, password) {
    const foobarToken = await this.getFoobarToken(email);
    const params = {
      foobar: foobarToken,
      email,
      password,
      org_id: this.orgId
    };
    const response = await axios.get(this.baseURL + '/auth/login', { params });
    return response.data.token; // JWT with embedded API key
  }

  async validateSession(sessionToken, email) {
    try {
      await axios.get(this.baseURL + '/auth/validate', {
        params: { sessionToken, email }
      });
      return true;
    } catch (error) {
      return false;
    }
  }

  async logout(sessionToken, email) {
    return axios.get(this.baseURL + '/auth/logout', {
      params: { sessionToken, email }
    });
  }
}

module.exports = AuthFlowService;

Implementation Notes:

  • • Store session tokens securely (HTTP-only cookies recommended)
  • • Validate sessions on protected routes before processing requests
  • • Handle token expiration and refresh as needed
  • • Log authentication events for security monitoring
Error Handling & Security

Common HTTP Status Codes:

  • 200: Success
  • 400: Bad Request (missing/invalid parameters)
  • 401: Unauthorized (invalid tokens, wrong API key, etc.)
  • 404: User not found
  • 409: Organization already exists (signup)
  • 500: Server error

Security Best Practices:

  • • Always validate JWT tokens before processing requests
  • • Use HTTPS for all API calls
  • • Implement rate limiting on authentication endpoints
  • • Store session tokens in HTTP-only, secure cookies
  • • Log all authentication attempts for security monitoring
  • • Never log sensitive data like passwords or API keys

Critical: All /auth endpoints must be called from your backend server only. Never expose your API key or make these calls from client-side JavaScript, as this would compromise your organization's security.

What you get outta-the-box

Wire the endpoints, we provide you the Sessions. It's that simple! 🤝

Ready to add authentication?

Start your free trial today, have authentication running by end of day.