API Reference

Create account and send verification email.

Preview verification token state.

Verify token + password hash and activate account.

Request body

{
  "token": "verification_token",
  "password_hash": "sha256_hex"
}

Resend verification email for a pending account.

Request body

{
  "username": "alice"
}

Sign in and fetch encrypted key, pubkey, relays, and role.

Request body

{
  "username": "alice",
  "password_hash": "sha256_hex"
}

Update password/key bundle, relays, and profile picture. Auth accepts `password` or `password_hash`.

Request body

{
  "username": "alice",
  "password": "current_password",
  "updates": {
    "new_password": "new_password",
    "public_key": "64_char_hex",
    "private_key_encrypted": "ncryptsec1...",
    "relays": ["wss://relay.example.com"],
    "profile_picture_data": "base64",
    "profile_picture_content_type": "image/png"
  }
}

Credential rotation requires `new_password` or `new_password_hash` together with `public_key` and `private_key_encrypted`.

Delete authenticated account permanently.

Admin/moderator user listing.

Admin/moderator verification of pending accounts.

Admin-only role assignment (`user`, `moderator`, `admin`), including self-downgrade with immediate permission changes.

Admin/moderator user deletion (requires confirm_username matching target_username).

Fetch profile picture by pubkey (`hex`/`npub`) or username.

NIP-05 verification + Noas metadata (without `name`).

Health status endpoint.

NIP-46 signer metadata and supported methods.

Generate bunker connection URL for active account.

Process `nostrconnect://` client handshake.

Handle encrypted NIP-46 request events.

Supported aliases: `/signin`, `/update`, `/delete`, `/picture/:identifier`, `/health`, `/nip46/*`. Removed with `410`: `/register`, `/onboarding/start`, `/onboarding/complete`, `/verify-email` (POST). `/verify-email` (GET) redirects to `/verify`.