
Check Email Availability

Check if an email address is registered in the system.

POST /identity/user/email/check-availability

Request Body

email (string, required): The email address to check.

cURL

curl -X POST "https://api-staging.internal-aui.io/api/outer-bridge/identity/user/email/check-availability" \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Response

{
  "status": true,
  "data": { "isAvailableEmail": false },
  "message": "string"
}

Best Practices

  • Call before OTP — Always check availability before sending an OTP. If isAvailableEmail is true, the email is not registered and OTP will fail.
  • Do not expose results to end users — Avoid leaking whether an email is registered. Use generic messages like “If this email is registered, you will receive a code.”

Send OTP

Send a one-time password to an email address for authentication.

POST /identity/user/otp/email

Request Body

email (string, required): The email address to send the OTP to.

cURL

curl -X POST "https://api-staging.internal-aui.io/api/outer-bridge/identity/user/otp/email" \
  -H "Content-Type: application/json" \
  -d '{"email": "user@example.com"}'

Response

{
  "status": true,
  "data": { "email": "user@example.com" },
  "message": "string"
}

Best Practices

  • Rate limit OTP requests — Implement client-side throttling (e.g., 60-second cooldown) to prevent spamming the endpoint.
  • OTPs expire quickly — Codes are short-lived. Prompt the user to enter the code immediately after receiving it.
  • Handle delivery delays — Allow users to request a new OTP if the first one doesn’t arrive within 30 seconds, but don’t allow more than 3 attempts per minute.

Login with OTP

Authenticate using email and OTP code.

POST /identity/user/login

Request Body

email (string, required): The email address.
password (string, required): The OTP code received via email.
isOTP (boolean, required): Must be true for OTP-based login.

cURL

curl -X POST "https://api-staging.internal-aui.io/api/outer-bridge/identity/user/login" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "123456",
    "isOTP": true
  }'

Response

{
  "status": true,
  "data": {
    "token": "jwt-string",
    "refreshToken": "refresh-token-string",
    "user": {
      "_id": "string",
      "id": "string",
      "email": "string",
      "status": "string"
    },
    "roles": [],
    "organizationId": "string"
  },
  "message": "string"
}

Best Practices

  • Store both tokens — Persist token and refreshToken securely. Use the refresh token to obtain a new JWT when the current one expires.
  • Extract organizationId — The login response includes the user’s default organization. Use it to set the organization-id header for subsequent requests.
  • Handle invalid OTP gracefully — After 3 failed attempts, prompt the user to request a new OTP rather than retrying the same code.
  • Never log tokens — Avoid writing JWTs or refresh tokens to application logs.

Logout

Invalidate the current session.

POST /identity/user/logout

Request Body

Empty object {}.

cURL

curl -X POST "https://api-staging.internal-aui.io/api/outer-bridge/identity/user/logout" \
  -H "Content-Type: application/json" \
  -H "auth-token: your-jwt-token" \
  -d '{}'

Response

{
  "status": true,
  "message": "string"
}

Best Practices

  • Always call logout on session end — Don’t rely on token expiry alone. Explicitly invalidate the session to prevent token reuse.
  • Clear local state — After logout, delete the stored JWT, refresh token, and any cached session data (account ID, organization ID, etc.).
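The four endpoints above form one flow: check availability, send the OTP, log in with the code, log out. The client below is an added example, not code from this API's own SDK, and wires the Best Practices of each section into that flow: a 30-second resend wait and a cap of 3 OTP requests per rolling minute, the same generic message whether or not the address is registered, a forced new OTP after 3 failed codes, and clearing every stored credential on logout. The transport is injected as `post(path, json_body, headers)`; `fake_post` is a constructed stand-in for the staging API (only `user@example.com` is treated as registered and `123456` as the valid code) so the example runs offline, and paths omit the `/api/outer-bridge` prefix shown in the cURL samples.

```python
import time

class OtpLoginClient:
    RESEND_AFTER = 30     # seconds before a user may ask for another code
    MAX_PER_MINUTE = 3    # OTP requests allowed per rolling minute
    MAX_OTP_ATTEMPTS = 3  # failed logins before a fresh OTP is required

    def __init__(self, post, now=time.monotonic):
        self._post, self._now = post, now  # post(path, json_body, headers) -> parsed JSON
        self._sent: dict[str, list[float]] = {}  # email -> OTP request timestamps
        self._failed: dict[str, int] = {}        # email -> failed login attempts
        self.token = self.refresh_token = self.organization_id = None

    def request_otp(self, email: str) -> str:
        now = self._now()
        recent = [t for t in self._sent.get(email, []) if now - t < 60]
        if recent and (now - recent[-1] < self.RESEND_AFTER or len(recent) >= self.MAX_PER_MINUTE):
            return "Please wait before requesting another code."
        self._sent[email], self._failed[email] = recent + [now], 0
        check = self._post("/identity/user/email/check-availability", {"email": email}, {})
        # isAvailableEmail == true means NOT registered: skip the OTP call (it would fail) but return the same message so registration status never leaks to the UI
        if not check["data"]["isAvailableEmail"]:
            self._post("/identity/user/otp/email", {"email": email}, {})
        return "If this email is registered, you will receive a code."

    def login(self, email: str, otp: str) -> bool:
        if self._failed.get(email, 0) >= self.MAX_OTP_ATTEMPTS:
            raise PermissionError("Too many failed codes; request a new OTP.")
        resp = self._post("/identity/user/login", {"email": email, "password": otp, "isOTP": True}, {})
        if not resp.get("status"):
            self._failed[email] = self._failed.get(email, 0) + 1
            return False
        self.token, self.refresh_token = resp["data"]["token"], resp["data"]["refreshToken"]
        self.organization_id = resp["data"]["organizationId"]  # for the organization-id header
        return True

    def logout(self) -> None:
        # Invalidate the session server-side, then drop every locally held credential.
        self._post("/identity/user/logout", {}, {"auth-token": self.token})
        self.token = self.refresh_token = self.organization_id = None

def fake_post(path: str, body: dict, headers: dict) -> dict:
    """Constructed stand-in for the staging API so the example runs offline."""
    if path.endswith("check-availability"):  # only user@example.com counts as registered
        return {"status": True, "data": {"isAvailableEmail": body["email"] != "user@example.com"}}
    if path.endswith("login"):
        if body.get("password") != "123456":
            return {"status": False, "message": "invalid code"}
        return {"status": True, "data": {"token": "jwt-string", "refreshToken": "refresh-token-string", "organizationId": "org-1"}}
    return {"status": True, "data": {}, "message": "ok"}
```

Pass a real HTTP function (for example a thin wrapper around `requests.post` that prepends the base URL and returns `.json()`) as `post` to use it against the staging API; the stored token is what the logout call sends in the `auth-token` header.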