API Authentication
The LearnHouse API supports JWT cookies for browser sessions and API tokens for programmatic access.
JWT Authentication
The login endpoint accepts application/x-www-form-urlencoded data with username (the user’s email) and password fields, and returns a JWT access token (HS256, expires in 8 hours):
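```bash
# --data-urlencode sends application/x-www-form-urlencoded, which the endpoint expects
# (-F would send multipart/form-data instead)
curl -X POST http://localhost:1338/api/v1/auth/login \
  --data-urlencode 'username=you@example.com' \
  --data-urlencode 'password=your-password'
```

Then authenticate requests via the Authorization header: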
```bash
curl http://localhost:1338/api/v1/users/profile \
  -H "Authorization: Bearer <access_token>"
```

The token is also set as an access_token_cookie for browser-based sessions. Use GET /api/v1/auth/refresh to renew expired tokens within the 30-day refresh window.
Logins are rate-limited by IP, and repeated failed attempts temporarily lock the account. SaaS deployments also require email_verified=true before login succeeds.
API Tokens
API tokens are available on the Pro plan. Create and manage them in organization settings.
For programmatic access, use API tokens (prefixed with lh_):
```bash
curl http://localhost:1338/api/v1/users/profile \
  -H "Authorization: Bearer lh_your_api_token_here"
```

Auth Endpoints
| Method | Endpoint | Description |
|---|---|---|
| POST | /api/v1/auth/login | Login with form-encoded username + password |
| GET | /api/v1/auth/refresh | Refresh an expired token |
| DELETE | /api/v1/auth/logout | Invalidate the session |
| POST | /api/v1/auth/oauth | Google OAuth login |
| POST | /api/v1/auth/verify-email | Verify email address |
| POST | /api/v1/auth/resend-verification | Resend a verification email |
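
A client has to treat the two credential types above differently: lh_ API tokens are sent as-is, while a JWT access token should be renewed through GET /api/v1/auth/refresh around its 8-hour expiry. The sketch below is an added example, not LearnHouse code. The names plan_request and make_sample_jwt are hypothetical, the sample token is constructed, and the presence of a standard exp claim in the JWT is an assumption.

```python
import base64
import json
import time

API_TOKEN_PREFIX = "lh_"   # API token prefix stated on the page
EXPECTED_ALG = "HS256"     # signing algorithm stated on the page


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _decode_segment(segment: str):
    # JWT segments are unpadded base64url; restore padding before decoding.
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def make_sample_jwt(exp: int, alg: str = EXPECTED_ALG) -> str:
    """Constructed sample token with a fake signature, for offline use only."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "you@example.com", "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def plan_request(credential: str, now=None, skew: int = 60) -> str:
    """Return 'use', 'refresh' or 'reject' for a bearer credential.

    Claims are read WITHOUT verifying the signature (only the server holds the
    HS256 secret), so the result is for scheduling, never for authorization.
    """
    if credential.startswith(API_TOKEN_PREFIX):
        return "use"  # API token: sent as-is, no client-side expiry handling
    now = time.time() if now is None else now
    try:
        header_seg, payload_seg, _signature = credential.split(".")
        alg = _decode_segment(header_seg)["alg"]
        # Assumption: the access token carries a standard 'exp' claim.
        exp = float(_decode_segment(payload_seg)["exp"])
    except (ValueError, KeyError, TypeError):
        return "reject"  # not a three-part JWT, or no usable alg/expiry
    if alg != EXPECTED_ALG:
        return "reject"  # e.g. alg=none: not a token this API is documented to issue
    # Renew via GET /api/v1/auth/refresh shortly before, or any time after, expiry.
    return "refresh" if exp - now <= skew else "use"
```

A "reject" result means the stored credential should be discarded and a fresh login performed rather than sent to the server.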