Overview

All API endpoints authenticate with a JWT bearer token. Tokens are issued by signup (OTP verification), login, or Google OAuth, and carried on every request:
Authorization: Bearer <jwt_token>
Auth endpoints live under /api/v1/auth and do not require the x-workspace-id header.

Signup (OTP flow)

Account creation is a two-step flow: request an OTP, then verify it.

Step 1: Send OTP

POST /api/v1/auth/send-otp
email (string, required): Email address for the new account.
name (string, required): Display name.
password (string, required): Account password. Minimum 8 characters.
Sends a one-time code to the email. The account is not created yet.

Step 2: Verify OTP

POST /api/v1/auth/verify-otp
email (string, required): Same email used in send-otp.
otp (string, required): The code from the email. Minimum 6 characters.
On success the account is created and a JWT is returned.
{
  "token": "<jwt_token>",
  "user": { "id": "1a2b3c4d-...", "name": "Jane", "email": "jane@example.com" }
}

Resend OTP

POST /api/v1/auth/resend-otp
email (string, required): Email to resend the code to. Use when the original code expired or was not received.

Login

POST /api/v1/auth/login
email (string, required): Account email.
password (string, required): Account password.
Returns a JWT and the user object, same shape as verify-otp.
curl -X POST https://api.linkutm.com/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{ "email": "jane@example.com", "password": "<password>" }'

Password management

Forgot password

POST /api/v1/auth/forgot-password
email (string, required): Email to send a password-reset link to.

Reset password

POST /api/v1/auth/reset-password
token (string, required): Reset token from the email link.
newPassword (string, required): New password. Minimum 8 characters.

Change password

POST /api/v1/auth/change-password
Authenticated. Requires a valid JWT.
currentPassword (string, required): The current password, for verification.
newPassword (string, required): New password. Minimum 8 characters.

Profile

GET /api/v1/auth/profile
Returns the currently authenticated user.
curl https://api.linkutm.com/api/v1/auth/profile \
  -H "Authorization: Bearer $TOKEN"

Sessions

Each sign-in creates a session record. The user-agent header on the request is captured so users can identify devices.

List sessions

GET /api/v1/auth/sessions
Returns the authenticated user’s active sign-in sessions.

Revoke one session

DELETE /api/v1/auth/sessions/:sessionId
Signs out the specified session.

Revoke all sessions

DELETE /api/v1/auth/sessions
Signs out everywhere - revokes every session for the user.

Google OAuth

GET /api/v1/auth/google
GET /api/v1/auth/google/callback
Redirect the browser to GET /api/v1/auth/google to start the Google OAuth flow. After Google authenticates the user, the callback redirects to:
<FRONTEND_URL>/auth/google/callback?token=<jwt>
Read the token query parameter from that redirect and use it as the bearer token.
The Google OAuth endpoints are browser-redirect endpoints, not JSON APIs. Do not call them with fetch/curl expecting a JSON body.
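Added example, not LinkUTM's own code: one way a frontend callback page could read the token from the redirect above and take it out of the URL, since a JWT left in a query string stays in the address bar and browser history. The function names, the sample host and the next parameter are assumptions.

```javascript
// Added example; not LinkUTM code. All names below are assumptions.
const CALLBACK_PATH = "/auth/google/callback"; // path from the redirect shown above
// Three non-empty base64url segments: the compact JWT (JWS) shape.
const JWT_SHAPE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;

// Pure function: takes the full callback URL and returns the token plus the
// same URL with the token removed. Throws on anything unexpected.
function parseGoogleCallback(href) {
  const url = new URL(href);
  if (url.pathname !== CALLBACK_PATH) {
    throw new Error("not the Google OAuth callback path");
  }
  // A repeated parameter is ambiguous, so require exactly one.
  const tokens = url.searchParams.getAll("token");
  if (tokens.length !== 1) {
    throw new Error("expected exactly one token parameter");
  }
  const token = tokens[0];
  if (!JWT_SHAPE.test(token)) {
    throw new Error("token is not in compact JWT form");
  }
  url.searchParams.delete("token"); // keep any other query parameters
  return { token, cleanUrl: url.pathname + url.search + url.hash };
}

// Browser-only wrapper: scrub the token from the address bar before anything
// else on the page runs, then hand the token to the caller.
function consumeGoogleCallback() {
  const { token, cleanUrl } = parseGoogleCallback(window.location.href);
  // replaceState rewrites the current history entry, so the token is no longer
  // in the address bar, this history entry, or Referer headers sent afterwards.
  window.history.replaceState(null, "", cleanUrl);
  return token;
}

// Constructed sample (not a real token or frontend URL).
const SAMPLE =
  "https://app.example.test/auth/google/callback?token=aGVhZGVy.cGF5bG9hZA.c2ln&next=%2Flinks";
```

Call consumeGoogleCallback() first thing on the callback page, before any third-party script or outbound link can see the original URL.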

Errors

Code   When
400    Validation failure - missing fields, password too short, invalid OTP
401    Wrong credentials, expired or invalid JWT, expired reset token
409    Email already registered
429    Rate limit exceeded (100 requests/minute per IP)
See Errors for the full error envelope.