Routes Reference

Core Kernia routes and how plugin routes are mounted.

All routes are mounted under KerniaOptions.base_path. This page shows routes with the common /api/auth mount. If your backend mounts at a different path, replace /api/auth with your configured path.

Route conventions

  • Request and response bodies are JSON unless a provider callback requires query parameters.
  • Mutating routes use POST, PATCH, or DELETE.
  • Cookies are set by the server and must be sent by the browser with credentials: "include".
  • Plugin routes use the same mount, error envelope, hooks, cookies, and rate limiter as core routes.

Health

GET /api/auth/ok

Health check for the mounted auth router.

Email and password

POST /api/auth/sign-up/email

Create an email/password user when email/password auth is enabled.

POST /api/auth/sign-in/email

Sign in with email and password and set the session cookie.

POST /api/auth/change-password

Change the active user's password.

POST /api/auth/forget-password

Send a password reset email when the email client is configured.

POST /api/auth/reset-password

Consume a password reset token and set a new password.

Sessions

GET /api/auth/get-session

Return the current session and user, or null when no valid session cookie exists.

POST /api/auth/sign-out

Revoke the active session and clear auth cookies.

GET /api/auth/list-sessions

List sessions for the active user.

POST /api/auth/revoke-session

Revoke one session by id.

POST /api/auth/revoke-sessions

Revoke all sessions for the active user.

POST /api/auth/revoke-other-sessions

Revoke every other session and keep the current one.

User and account

POST /api/auth/update-user

Update user profile fields exposed by the configured schema.

POST /api/auth/change-email

Start or complete an email change flow, depending on verification configuration.

POST /api/auth/delete-user

Delete or schedule deletion for the active user.

GET /api/auth/list-accounts

List linked accounts for the active user.

POST /api/auth/unlink-account

Unlink a social or OAuth account when policy allows it.

OAuth

POST /api/auth/sign-in/social

Start a social OAuth flow. The body includes provider and an optional callback_url.

GET /api/auth/callback/:provider

Handle provider callbacks, exchange the code, link or create the user, set cookies, and redirect.

Plugin route families

Plugin          Route family
API key         /api/auth/api-key/*
Organization    /api/auth/organization/*
Passkey         /api/auth/passkey/*
SSO             /api/auth/sso/*
SCIM            /api/auth/scim/*
Stripe          /api/auth/stripe/*, /api/auth/billing/*
Admin config    /api/auth/admin/config/*

Error envelope

{
  "code": "UNAUTHORIZED",
  "message": "Authentication required",
  "status": 401
}

Clients should branch on code, not localized message text.
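A minimal browser client that follows the conventions above (configurable base path, credentials: "include", and branching on the envelope code rather than the message), written here as an added example and not taken from the Kernia SDK. It assumes the base path is /api/auth and that only UNAUTHORIZED is a documented code; the fake fetch and its 401 response are constructed sample data.

```javascript
// Added example client for the routes on this page; not Kernia's own SDK.
// Assumes KerniaOptions.base_path is "/api/auth" and the JSON error envelope shown above.
const DEFAULT_BASE_PATH = "/api/auth";

// Join a route onto the configured base path without doubling or dropping slashes.
function authUrl(route, basePath = DEFAULT_BASE_PATH) {
  return `${basePath.replace(/\/+$/, "")}/${route.replace(/^\/+/, "")}`;
}

// Interpret one response: 2xx -> { ok: true, data }, otherwise the parsed error envelope.
// get-session returns JSON null when there is no valid session cookie, so data may be null.
function parseAuthResponse(status, bodyText) {
  const data = bodyText ? JSON.parse(bodyText) : null;
  if (status >= 200 && status < 300) return { ok: true, data };
  // Branch on the stable `code`; `message` is localised and may change between releases.
  // "UNKNOWN_ERROR" is a client-side fallback for a malformed envelope, not a server code.
  const code = data && typeof data.code === "string" ? data.code : "UNKNOWN_ERROR";
  return { ok: false, error: { code, status, message: data && data.message ? data.message : "" } };
}

// Map an envelope code to a client action. Only UNAUTHORIZED is documented on this page;
// every other code falls through to a generic handler rather than being guessed.
function actionForError(error) {
  return error.code === "UNAUTHORIZED" ? "redirect-to-sign-in" : "show-generic-error";
}

// Send a request to a core or plugin route. credentials: "include" is mandatory so the
// browser attaches the server-set session cookie on cross-origin calls.
async function authRequest(route, { method = "GET", body, basePath, fetchImpl = globalThis.fetch } = {}) {
  const res = await fetchImpl(authUrl(route, basePath), {
    method,
    credentials: "include",
    headers: body ? { "Content-Type": "application/json" } : {},
    body: body ? JSON.stringify(body) : undefined,
  });
  return parseAuthResponse(res.status, await res.text());
}

// Constructed fake fetch standing in for a server that rejects the call with the page's envelope.
function fakeUnauthorizedFetch() {
  const envelope = { code: "UNAUTHORIZED", message: "Authentication required", status: 401 };
  return Promise.resolve({ status: 401, text: () => Promise.resolve(JSON.stringify(envelope)) });
}

authRequest("/list-sessions", { fetchImpl: fakeUnauthorizedFetch }).then((result) => {
  // Logs "redirect-to-sign-in" without ever inspecting the message text.
  console.log(result.ok ? "signed in" : actionForError(result.error));
});
```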