- Endpoints that require CSRF (cookie-based or session-based state-changing requests):
  When the client sends cookies (e.g. a browser), state-changing methods (POST, PUT, PATCH, DELETE) must include the `X-CSRF-Token` header, and its value must match the `csrf_token` cookie. The server sets the CSRF cookie on login and register.
  - `POST /api/v1/auth/register`
  - `POST /api/v1/auth/login`
  - `POST /api/v1/auth/logout`
  - `POST /api/v1/auth/refresh`
  - `POST /api/v1/auth/password-reset`
  - `POST /api/v1/auth/password-reset/confirm`
  - `POST /api/v1/auth/verify-email`
  - `POST /api/v1/auth/mfa-verify`
  - `POST /api/v1/auth/magic-link/request`
  - `POST /api/v1/auth/magic-link/consume`
  - `POST /api/v1/auth/mfa/sms/send`
- Endpoints that use only Authorization (Bearer token or API key):
  No CSRF token is required. Use `Authorization: Bearer <access_token>` or the API key header.
  - All routes under `/api/v1` that use `AuthRequired` (organizations, users, MFA, OAuth client CRUD, API keys, webhooks, members, SAML metadata/SP CRUD, LDAP config CRUD, SCIM Users/Groups), except the auth routes listed above.
  - `GET /api/v1/oauth/authorize` (when authenticated via Bearer)
- Public endpoints (no auth):
  - `GET /health`, `GET /ready`, `GET /.well-known/jwks.json`
  - `POST /api/v1/auth/register`, `POST /api/v1/auth/login` (CSRF required when cookies are sent)
  - OAuth: `POST /oauth/token`, `GET /oauth/userinfo` (token in form or Bearer)
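The rule above (cookies present and a state-changing method means the `X-CSRF-Token` header must equal the `csrf_token` cookie; Bearer or API-key clients that send no cookies are exempt) is shown below as a standalone Go `net/http` middleware. This is an added example, not the project's own middleware: the cookie and header names come from the page, while the `session` cookie name, the random token format and the `SameSite=Lax` attribute are assumptions chosen for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Cookie and header names as documented on the page.
const (
	csrfCookieName = "csrf_token"
	csrfHeaderName = "X-CSRF-Token"
)

// stateChanging reports whether the method needs the double-submit check.
// Safe methods (GET, HEAD, OPTIONS) are exempt, matching the page's list.
func stateChanging(method string) bool {
	switch method {
	case http.MethodPost, http.MethodPut, http.MethodPatch, http.MethodDelete:
		return true
	}
	return false
}

// verifyDoubleSubmit is the pure decision behind the middleware.
// usesCookies is true when the request carried any cookie, i.e. it came from a
// browser-style client whose credentials the browser attaches automatically.
// It returns nil when the request may proceed.
func verifyDoubleSubmit(method string, usesCookies bool, cookieToken, headerToken string) error {
	if !stateChanging(method) || !usesCookies {
		// Safe method, or a Bearer/API-key client with no cookies: nothing to check.
		return nil
	}
	if cookieToken == "" {
		return fmt.Errorf("csrf: %s cookie missing", csrfCookieName)
	}
	if headerToken == "" {
		return fmt.Errorf("csrf: %s header missing", csrfHeaderName)
	}
	// Constant-time compare so a timing side channel cannot leak the token.
	if subtle.ConstantTimeCompare([]byte(cookieToken), []byte(headerToken)) != 1 {
		return fmt.Errorf("csrf: %s does not match %s cookie", csrfHeaderName, csrfCookieName)
	}
	return nil
}

// issueCSRFCookie mints a fresh random token and sets it as the csrf_token cookie.
// Login and register handlers would call this on success. The cookie is deliberately
// NOT HttpOnly: the front-end has to read it to echo it in the header.
func issueCSRFCookie(w http.ResponseWriter) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(buf)
	http.SetCookie(w, &http.Cookie{
		Name: csrfCookieName, Value: token, Path: "/",
		Secure: true, SameSite: http.SameSiteLaxMode, // assumed attributes
	})
	return token, nil
}

// csrfMiddleware applies verifyDoubleSubmit to every request it wraps.
func csrfMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		cookieToken := ""
		if c, err := r.Cookie(csrfCookieName); err == nil {
			cookieToken = c.Value
		}
		err := verifyDoubleSubmit(r.Method, len(r.Cookies()) > 0, cookieToken, r.Header.Get(csrfHeaderName))
		if err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// main replays three constructed requests against a protected logout handler.
func main() {
	logout := csrfMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "logged out")
	}))
	send := func(label string, r *http.Request) {
		rec := httptest.NewRecorder()
		logout.ServeHTTP(rec, r)
		fmt.Printf("%-40s -> %d\n", label, rec.Code)
	}

	// 1. Browser client, token echoed in the header: allowed (200).
	r := httptest.NewRequest(http.MethodPost, "/api/v1/auth/logout", nil)
	r.AddCookie(&http.Cookie{Name: "session", Value: "sess-123"}) // "session" is an assumed name
	r.AddCookie(&http.Cookie{Name: csrfCookieName, Value: "tok-abc"})
	r.Header.Set(csrfHeaderName, "tok-abc")
	send("browser POST with matching X-CSRF-Token", r)

	// 2. Cross-site forged form: the browser attaches cookies, but the attacker
	//    cannot add a custom header from another origin: rejected (403).
	r = httptest.NewRequest(http.MethodPost, "/api/v1/auth/logout", nil)
	r.AddCookie(&http.Cookie{Name: "session", Value: "sess-123"})
	r.AddCookie(&http.Cookie{Name: csrfCookieName, Value: "tok-abc"})
	send("forged POST without header", r)

	// 3. API client with a Bearer token and no cookies: no CSRF token needed (200).
	r = httptest.NewRequest(http.MethodPost, "/api/v1/auth/logout", nil)
	r.Header.Set("Authorization", "Bearer <access_token>")
	send("Bearer POST, no cookies", r)
}
```

Two caveats worth checking in any double-submit deployment: the pattern only holds if an attacker cannot set a `csrf_token` cookie for your domain (for example from a sibling subdomain), so cookie scope matters as much as the comparison; and because the exemption keys on the absence of cookies, a client that sends a Bearer token together with a stale session cookie is still checked, which is exactly what the page's "when the client sends cookies" rule requires.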
- A01 Broken Access Control: JWT and API key validation; sessions bound to a user and organization; RBAC where applicable.
- A02 Cryptographic Failures: Passwords hashed with bcrypt/argon2; TOTP and webhook secrets encrypted at rest; TLS in production.
- A03 Injection: Input validation (validator) and parameterized queries via prepared statements.
- A07 Identification and Authentication Failures: Lockout, MFA, secure session and refresh-token handling; OAuth PKCE, plus client_secret for confidential clients.
- CSRF: Double-submit cookie on cookie-based auth routes (see above).
- Secrets: No secrets in logs; the OAuth client secret is shown only once, at client creation; webhook secrets encrypted at rest.