Authentication & accounts

Your app's end-users sign up and log in through the /account service. A successful login returns a session; the client sends it back on every request (the SDK handles this automatically via a cookie, or you pass the secret in X-Appwrite-Session).

Sign up & log in

curl
# Create an account
curl -X POST "https://base.finiteskills.com/v1/account" -H "X-Appwrite-Project: <YOUR_PROJECT_ID>" \
  -H "Content-Type: application/json" \
  -d '{"userId":"unique()","email":"user@example.com","password":"password123","name":"Jane"}'

# Create a session (log in)
curl -X POST "https://base.finiteskills.com/v1/account/sessions/email" -H "X-Appwrite-Project: <YOUR_PROJECT_ID>" \
  -H "Content-Type: application/json" \
  -d '{"email":"user@example.com","password":"password123"}'

Read the current account with GET /account, list sessions, and log out with DELETE /account/sessions/current.

Login methods

  • Email + passwordPOST /account/sessions/email.
  • AnonymousPOST /account/sessions/anonymous; later upgrade with PATCH /account/email to attach an email + password.
  • Magic linkPOST /account/tokens/magic-url emails a link; complete with POST /account/sessions/token.
  • Email OTPPOST /account/tokens/email sends a 6-digit code.
  • Phone OTPPOST /account/tokens/phone (requires an SMS gateway to be configured for the deployment).
  • OAuth / OIDCGET /account/sessions/oauth2/{provider} for Google, GitHub, or a generic OIDC provider your project admin configures.

Two-factor (TOTP)

A signed-in user can enable authenticator-app 2FA:

Flow
POST /account/mfa/totp        -> { secret, uri }   (show the uri as a QR code)
PUT  /account/mfa/totp        -> { recoveryCodes } (verify a 6-digit code to enable)
# Afterwards, email login also requires an `otp` field:
POST /account/sessions/email  { email, password, otp }

Email verification & password reset

POST /account/verifications/email sends a verification link; POST /account/recovery starts a password reset. When the deployment has email configured, the link is emailed; otherwise the token is returned in the response for your app to deliver.

JWTs for your own backend

POST /account/jwt returns a short-lived JWT the client can forward to your backend, which passes it to FiniteBase as X-Appwrite-JWT to act as that user.