Documentation Index
Fetch the complete documentation index at: https://docs.verifow.com/llms.txt
Use this file to discover all available pages before exploring further.
Overview
The Authentication module handles identity verification for all users and provides user lifecycle management within your tenant. Every API call (except login) requires a valid Bearer token in the Authorization header.
Common Workflows
New team member onboarding: A BANK_ADMIN creates a user account → The new user receives a welcome email → They log in and begin using the dashboard.
Session refresh: When your access token expires (every 15 minutes), use the refresh token to obtain a new pair without prompting for credentials again.
Permissions
| Action | Who Can Do It |
|---|
| Login, refresh token, view own profile | Anyone |
| List, create, update, deactivate users | BANK_ADMIN |
Endpoints
| Method | Endpoint | Description |
|---|
POST | /api/v1/auth/login | Authenticate and receive tokens |
POST | /api/v1/auth/refresh | Exchange refresh token for new access token |
GET | /api/v1/auth/me | Retrieve current user profile |
GET | /api/v1/auth/users | List all users in tenant |
POST | /api/v1/auth/users | Create a new user |
PATCH | /api/v1/auth/users/:id | Update user details or role |
DELETE | /api/v1/auth/users/:id | Deactivate a user |
Login
Authenticate with email and password to receive an access token and refresh token.
Request Body
| Field | Type | Required | Description |
|---|
email | string | ✅ | User’s registered email |
password | string | ✅ | User’s password |
curl -X POST /v1/auth/login \
-H "Content-Type: application/json" \
-d '{
"email": "analyst@bank.com",
"password": "SecurePass123!"
}'
{
"success": true,
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"expiresIn": 3600
}
}
{
"success": false,
"error": {
"code": "INVALID_CREDENTIALS",
"message": "Email or password is incorrect"
}
}
Refresh Token
Obtain a new access token without re-entering credentials.
Request Body
| Field | Type | Required | Description |
|---|
refreshToken | string | ✅ | The refresh token from login |
curl -X POST /v1/auth/refresh \
-H "Content-Type: application/json" \
-d '{ "refreshToken": "eyJhbG..." }'
{
"success": true,
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"expiresIn": 3600
}
}
Access tokens expire after 15 minutes (expiresIn: 900). Refresh tokens
expire after 7 days.
Get My Profile
Retrieve the currently authenticated user’s details, including their tenant.
Example Request
curl -X GET /v1/auth/me \
-H "Authorization: Bearer <access_token>"
{
"success": true,
"data": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"email": "analyst@bank.com",
"firstName": "Jane",
"lastName": "Smith",
"role": "ANALYST",
"isActive": true,
"lastLoginAt": "2026-05-16T10:00:00Z",
"createdAt": "2026-01-15T09:30:00Z",
"tenant": {
"id": "660e8400-e29b-41d4-a716-446655440001",
"name": "First Bank of Nigeria",
"slug": "first-bank",
"logoUrl": null,
"primaryColor": "#0F172A"
}
}
}
List Users
Retrieve all users within your tenant.
Query Parameters
| Parameter | Type | Default | Description |
|---|
page | integer | 1 | Page number |
limit | integer | 50 | Items per page (max 100) |
role | string | — | Filter by role |
curl -X GET "/v1/auth/users?page=1&limit=10" \
-H "Authorization: Bearer <access_token>"
{
"success": true,
"data": {
"items": [
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"email": "analyst@bank.com",
"firstName": "Jane",
"lastName": "Smith",
"role": "ANALYST",
"isActive": true,
"lastLoginAt": "2026-05-16T10:00:00Z",
"createdAt": "2026-01-15T09:30:00Z"
}
],
"total": 42,
"page": 1,
"limit": 10,
"totalPages": 5
}
}
Create User
Add a new user to your tenant. The new user will receive a welcome email with login instructions.
Request Body
| Field | Type | Required | Description |
|---|
email | string | ✅ | Unique email address |
password | string | ✅ | Minimum 8 characters |
firstName | string | ✅ | First name |
lastName | string | ✅ | Last name |
role | string | ✅ | BANK_ADMIN, COMPLIANCE_OFFICER, ANALYST, or AUDITOR |
curl -X POST /v1/auth/users \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"email": "new.officer@bank.com",
"password": "SecurePass123!",
"firstName": "Jane",
"lastName": "Smith",
"role": "COMPLIANCE_OFFICER"
}'
{
"success": true,
"data": {
"id": "770e8400-e29b-41d4-a716-446655440002",
"email": "new.officer@bank.com",
"firstName": "Jane",
"lastName": "Smith",
"role": "COMPLIANCE_OFFICER",
"isActive": true,
"lastLoginAt": null,
"createdAt": "2026-05-16T14:20:00Z"
}
}
{
"success": false,
"error": {
"code": "USER_ALREADY_EXISTS",
"message": "A user with this email already exists"
}
}
Update User
Modify a user’s details or role.
Path Parameters
| Parameter | Type | Description |
|---|
id | string | User UUID |
| Field | Type | Description |
|---|
firstName | string | Updated first name |
lastName | string | Updated last name |
role | string | New role assignment |
isActive | boolean | Activate or deactivate |
curl -X PATCH /v1/auth/users/770e8400-e29b-41d4-a716-446655440002 \
-H "Authorization: Bearer <access_token>" \
-H "Content-Type: application/json" \
-d '{
"role": "ANALYST",
"isActive": true
}'
{
"success": true,
"data": {
"id": "770e8400-e29b-41d4-a716-446655440002",
"email": "new.officer@bank.com",
"firstName": "Jane",
"lastName": "Smith",
"role": "ANALYST",
"isActive": true,
"lastLoginAt": null,
"createdAt": "2026-05-16T14:20:00Z"
}
}
Deactivate User
Soft-delete a user by deactivating their account.
Path Parameters
| Parameter | Type | Description |
|---|
id | string | User UUID |
curl -X DELETE /v1/auth/users/770e8400-e29b-41d4-a716-446655440002 \
-H "Authorization: Bearer <access_token>"
{
"success": true,
"data": {
"id": "770e8400-e29b-41d4-a716-446655440002",
"email": "new.officer@bank.com",
"firstName": "Jane",
"lastName": "Smith",
"role": "ANALYST",
"isActive": false,
"lastLoginAt": null,
"createdAt": "2026-05-16T14:20:00Z"
}
}
Deactivated users cannot log in but their audit history and case contributions
are preserved for compliance.
