API Reference
The YorAuth API is organized around REST. It accepts JSON request bodies, returns JSON responses, and uses standard HTTP response codes, authentication, and error formats.
Base URL
https://api.yorauth.com
All multi-tenant endpoints include the application ID in the path:
https://api.yorauth.com/api/v1/applications/{applicationId}/...
Authentication
The API uses JWT Bearer token authentication for all V1 endpoints.
JWT Bearer Token
All V1 endpoints require a short-lived JWT access token obtained after login. Pass the token in the Authorization header.
GET /api/v1/applications/{applicationId}/users/{userId}/profile
Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...
Access tokens expire after 15 minutes (expires_in: 900). Use the refresh token endpoint to obtain a new access token without requiring the user to log in again. Refresh shortly before expiry rather than waiting for a 401, and treat the token as opaque on the client: only the server verifies its RS256 signature, so decoded claims must never drive authorization decisions in your own code.
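An added example (not part of the YorAuth documentation or any official SDK) of a client-side token manager that schedules refreshes from `expires_in` and the token's own `exp` claim. It decodes the JWT header and payload without verifying the signature, which is fine for scheduling but nothing else; the header of the documented token prefix `eyJhbGciOiJSUzI1NiJ9` decodes to `{"alg":"RS256"}`, and the manager rejects anything else as a sanity check. The `access_token` field name and the `refresh` callable are assumptions; only `expires_in: 900` is documented above.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_unverified_parts(token: str) -> Tuple[dict, dict]:
    """Split a compact JWS into (header, payload) WITHOUT checking the signature.

    The client holds no key for YorAuth's RS256 signature, so these values are
    used only to schedule refreshes, never to decide what the user may do.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


class TokenManager:
    """Caches an access token and refreshes it before the 15-minute expiry.

    `refresh` is a caller-supplied callable that performs the login or refresh
    request and returns the JSON body (assumed shape: {"access_token": ..., "expires_in": 900}).
    """

    def __init__(self, refresh: Callable[[], dict],
                 clock: Callable[[], float] = time.time,
                 leeway: float = 60.0,
                 expected_alg: str = "RS256") -> None:
        self._refresh = refresh
        self._clock = clock
        self._leeway = leeway          # refresh this many seconds before expiry
        self._expected_alg = expected_alg
        self._token: Optional[str] = None
        self._expires_at = 0.0

    def _store(self, body: dict) -> None:
        token = body["access_token"]
        expires_at = self._clock() + float(body["expires_in"])   # 900 -> 15 minutes
        header, payload = jwt_unverified_parts(token)
        if header.get("alg") != self._expected_alg:
            # Documented tokens are RS256; anything else is a broken or tampered response.
            raise ValueError(f"unexpected JWT alg {header.get('alg')!r}")
        exp = payload.get("exp")
        if isinstance(exp, (int, float)):
            # Honour whichever deadline comes first: the body's expires_in or the token's exp claim.
            expires_at = min(expires_at, float(exp))
        self._token, self._expires_at = token, expires_at

    def needs_refresh(self) -> bool:
        return self._token is None or self._clock() + self._leeway >= self._expires_at

    def authorization_header(self) -> Dict[str, str]:
        """Return the Authorization header, refreshing the cached token when it is about to expire."""
        if self.needs_refresh():
            self._store(self._refresh())
        return {"Authorization": f"Bearer {self._token}"}
```

The leeway of 60 seconds absorbs clock skew between client and server; a 401 on a request sent with a token the manager still considers valid should still be handled by forcing a refresh, because the server's clock, not the client's, is authoritative.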
API Keys
API keys are per-application credentials created via the dashboard. They act as an application-level identifier and secret for server-to-server workflows (such as fetching a user token on behalf of your backend), so they belong on your servers only and must never be shipped in browser or mobile code. API key management is available via the Dashboard API — see API Keys.
Dashboard Endpoints (Sanctum Cookie)
The /api/dashboard/ endpoints are used by the YorAuth web dashboard and rely on Sanctum session cookies. These are not intended for direct API consumption.
Rate Limiting
Rate limits are enforced per application and per IP address. Limits vary by endpoint:
| Endpoint group | Limit |
|---|---|
| Login | 10 requests / 1 min per IP |
| Registration | Configurable per application |
| Password reset / magic link | 3 requests / 5-15 min per email |
| General API | Plan-based (throttle tier) |
When a rate limit is exceeded the API returns 429 Too Many Requests with the following headers:
X-RateLimit-Limit: 10
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1707750600
Retry-After: 60
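An added example (not YorAuth's own code) of how a client should honour these headers: after a 429 it waits for `Retry-After` when present, falls back to the `X-RateLimit-Reset` epoch, and only then to exponential backoff; on successful responses it can also pause when `X-RateLimit-Remaining` hits 0 instead of running into the limit. The `send`, `clock` and `sleep` callables and the `Response` tuple are assumptions standing in for whatever HTTP library you use; the header values in the test are the ones shown above.

```python
import time
from collections import namedtuple
from email.utils import parsedate_to_datetime
from typing import Callable, Mapping

# Minimal stand-in for an HTTP library response (assumed shape, not a YorAuth type).
Response = namedtuple("Response", "status headers body")


class RateLimitExceeded(Exception):
    pass


def _lower(headers: Mapping[str, str]) -> dict:
    return {k.lower(): v.strip() for k, v in headers.items()}


def retry_delay(headers: Mapping[str, str], now: float, attempt: int,
                max_delay: float = 300.0) -> float:
    """Seconds to wait after a 429, using the documented headers in order of preference."""
    h = _lower(headers)
    retry_after = h.get("retry-after")
    if retry_after:
        if retry_after.isdigit():                                   # delta-seconds form
            return min(float(retry_after), max_delay)
        try:                                                        # HTTP-date form
            return min(max(0.0, parsedate_to_datetime(retry_after).timestamp() - now), max_delay)
        except (TypeError, ValueError):
            pass
    reset = h.get("x-ratelimit-reset")
    if reset and reset.isdigit():                                   # unix epoch of window reset
        return min(max(0.0, float(reset) - now), max_delay)
    return min(float(2 ** attempt), max_delay)                      # no usable header: backoff


def proactive_delay(headers: Mapping[str, str], now: float) -> float:
    """On a successful response, seconds to wait before the next call if the quota is already spent."""
    h = _lower(headers)
    if h.get("x-ratelimit-remaining") == "0" and h.get("x-ratelimit-reset", "").isdigit():
        return max(0.0, float(h["x-ratelimit-reset"]) - now)
    return 0.0


class RateLimitedClient:
    """Wraps a send(method, path, **kw) -> Response callable with bounded 429 retries."""

    def __init__(self, send: Callable[..., Response],
                 clock: Callable[[], float] = time.time,
                 sleep: Callable[[float], None] = time.sleep,
                 max_attempts: int = 3) -> None:
        self.send, self.clock, self.sleep, self.max_attempts = send, clock, sleep, max_attempts

    def request(self, method: str, path: str, **kwargs) -> Response:
        for attempt in range(self.max_attempts):
            resp = self.send(method, path, **kwargs)
            if resp.status != 429:
                return resp
            self.sleep(retry_delay(resp.headers, self.clock(), attempt))
        # Give up rather than loop: an unbounded retry against the login limit
        # is indistinguishable from a credential-stuffing client.
        raise RateLimitExceeded(f"{method} {path}: still rate limited after {self.max_attempts} attempts")
```

Keep `max_attempts` small for the login and password-reset groups: those limits exist to slow down guessing, and a client that retries them in a tight loop will be throttled harder, not helped.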
Request Format
All POST and PUT requests must send a JSON body with Content-Type: application/json.
Response Format
Success
Successful responses wrap data in a data key:
{
"data": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"email": "user@example.com",
"name": "Alice"
}
}
List endpoints return a paginated envelope:
{
"data": [...],
"current_page": 1,
"last_page": 4,
"per_page": 15,
"total": 58
}
Errors
All errors follow the standard error envelope:
{
"error": {
"code": "AUTH_INVALID_CREDENTIALS",
"message": "The email or password you entered is incorrect.",
"details": {},
"request_id": "req_1a2b3c4d",
"timestamp": "2026-02-25T12:00:00Z"
}
}
See the Error Codes reference for the full catalog.
Pagination
List endpoints that return multiple records support pagination via query parameters:
| Parameter | Default | Description |
|---|---|---|
| page | 1 | Page number |
| per_page | 15 | Records per page (max 100) |
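An added example (not YorAuth's own code) covering both the Response Format and Pagination sections above: `unwrap` turns the success envelope into its `data` and raises a typed exception carrying `code` and `request_id` from the error envelope, and `iter_all` walks a list endpoint page by page using `current_page`/`last_page` with `per_page` clamped to the documented maximum of 100. The in-memory endpoint is constructed here to mirror the envelope shown above (58 records, 15 per page, 4 pages); the `fetch_page(page, per_page)` callable is an assumed transport, not a YorAuth API.

```python
from typing import Any, Callable, Dict, Iterator, List, Tuple

MAX_PER_PAGE = 100  # documented cap on per_page


class YorAuthError(Exception):
    """Raised for any response carrying the standard error envelope."""

    def __init__(self, status: int, error: Dict[str, Any]) -> None:
        self.status = status
        self.code = error.get("code", "UNKNOWN")
        self.details = error.get("details", {})
        self.request_id = error.get("request_id")   # quote this in bug reports, never the token
        self.timestamp = error.get("timestamp")
        super().__init__(f"{self.code} ({status}): {error.get('message', '')} "
                         f"[request_id={self.request_id}]")


def unwrap(status: int, body: Dict[str, Any]) -> Any:
    """Return `data` from a success envelope, or raise YorAuthError for an error envelope."""
    if isinstance(body.get("error"), dict):
        raise YorAuthError(status, body["error"])
    if status >= 400:
        # Error status without the documented envelope: surface it instead of guessing.
        raise YorAuthError(status, {"code": "UNEXPECTED_RESPONSE",
                                    "message": "error status without error envelope"})
    if "data" not in body:
        raise ValueError("response is not a success envelope")
    return body["data"]


# (page, per_page) -> (status, body); assumed transport signature.
FetchPage = Callable[[int, int], Tuple[int, Dict[str, Any]]]


def iter_all(fetch_page: FetchPage, per_page: int = MAX_PER_PAGE) -> Iterator[Any]:
    """Yield every record of a list endpoint by following the paginated envelope."""
    per_page = max(1, min(per_page, MAX_PER_PAGE))
    page, seen = 1, 0
    while True:
        status, body = fetch_page(page, per_page)
        records = unwrap(status, body)
        if not isinstance(records, list):
            raise ValueError("list endpoint did not return a data array")
        yield from records
        seen += len(records)
        last_page = int(body.get("last_page", page))
        total = body.get("total")
        # Stop on the server's last_page, on an empty page, or once total is reached,
        # so a bad last_page value cannot turn this into an endless loop.
        if page >= last_page or not records or (total is not None and seen >= int(total)):
            return
        page += 1


def make_fake_list_endpoint(n_records: int) -> Tuple[FetchPage, List[int]]:
    """Constructed in-memory list endpoint (not a real YorAuth response) plus a log of pages fetched."""
    records = [{"id": f"user-{i:03d}", "email": f"user{i}@example.com"} for i in range(1, n_records + 1)]
    pages_fetched: List[int] = []

    def fetch_page(page: int, per_page: int) -> Tuple[int, Dict[str, Any]]:
        pages_fetched.append(page)
        last_page = max(1, -(-len(records) // per_page))     # ceiling division
        start = (page - 1) * per_page
        return 200, {"data": records[start:start + per_page], "current_page": page,
                     "last_page": last_page, "per_page": per_page, "total": len(records)}

    return fetch_page, pages_fetched
```

Log `request_id` and `code` from a caught `YorAuthError`, not the raw request, so that support tickets and SIEM entries carry the correlation handle without leaking bearer tokens or credentials.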
Sections
- Authentication — Register, login, logout, password reset, magic links, MFA
- Users — User profile, sessions, GDPR data export
- Roles — RBAC role CRUD and user role assignment
- Permissions — Permission management and authorization checks
- Applications — Application management (dashboard)
- Webhooks — Webhook configuration and delivery history
- API Keys — API key lifecycle management
- OIDC — OpenID Connect provider endpoints
- OAuth — OAuth token exchange
- Error Codes — Complete error code reference