Auth H3 Client

Routes Reference

Complete reference for every HTTP route registered by Auth H3 Client. Covers all four route registrars, middleware chains, request bodies, query parameters, cookies, and response shapes.

The module ships four route registrars that mount authentication, OAuth, magic link, and bounce routes on an H3 router or app. It also exports two standalone handlers: getAuthStatusHandler for session status checks and getApiListsController for API token inventory routes. Register them explicitly during startup by calling each registrar with your router or app instance, as shown in the H3 and Nitro setup guide. When using the Nuxt module, the registrars are still configured in your Nitro plugin, while the module auto-registers the auth status route regardless of enableMiddleware, and can optionally auto-register the API token list route when registerApiRoute is configured.

H3 v2

import { H3 } from 'h3'
import {
  configuration,
  useAuthRoutes,
  useOAuthRoutes,
  bounceRouter,
  magicLinksRouter,
} from 'auth-h3client/v2'

configuration({ /* ... */ })

const app = new H3()
useAuthRoutes(app)
useOAuthRoutes(app)
bounceRouter(app)
magicLinksRouter(app, 'api')

All routes registered by this module are separate from your application's own API routes. They handle authentication flows and proxy to the IAM service. Your own protected routes use the event handler wrappers described in the Middleware Reference.

For the global middleware chain applied before any route handler runs, see Security: Request Lifecycle.

`useAuthRoutes`

Core signup, login, and logout routes. Every route in this registrar verifies the CSRF cookie before the handler runs.

Proxies the request body to the IAM /auth/signup endpoint. On success, sets the __Secure-a and a-iat cookies and redirects to onSuccessRedirect. Returns JSON for requests with Accept: application/json.

Middleware chain

`verifyCsrfCookie`

Validates the __Host-csrf cookie signature and expiry, then checks that X-CSRF-Token matches the token in the cookie payload. Throws HTTP 403 on failure.

`contentType('application/json')`

Rejects requests without a JSON content type. Throws HTTP 400.

`limitBytes(1024)`

Rejects request bodies larger than 1 KB. Throws HTTP 403 (INVALID_CONTENT_TYPE).

`signUpHandler`

The signup controller. Proxies to IAM /auth/signup.

Request body

string required

The user's email address.

password

string required

The user's password. Validated against the policy by the IAM service.

confirmedPassword

string required

Must match password exactly.

name

string required

The user's display name.

termsConsent

string required

Must be "on" to indicate terms acceptance.

rememberUser

string

When "on", issues a longer-lived refresh token.

Cookies set on success

Cookie	Purpose
`__Secure-a`	Access token
`a-iat`	Access token issued-at timestamp
`session`	Refresh token (forwarded from IAM `Set-Cookie`)

Responses

Status	Meaning
`303`	Signup successful, redirects to `onSuccessRedirect`
`201`	Signup successful, returns JSON (when `Accept: application/json`)
`400`	Validation error
`403`	Banned or XSS detected
`409`	Email already registered
`500`	IAM service error

See Auth Flows for the full signup flow.

Authenticates a user with email and password. On success, sets the same cookies as signup and redirects or returns JSON.

Middleware chain

`verifyCsrfCookie`

Validates the CSRF cookie and X-CSRF-Token header. Throws HTTP 403 on failure.

`contentType('application/json')`

Rejects requests without JSON content type.

`limitBytes(1024)`

Rejects bodies larger than 1 KB.

`loginHandler`

The login controller. Proxies to IAM /login.

Request body

string required

The user's email address.

password

string required

The user's password.

Cookies set on success

Cookie	Purpose
`__Secure-a`	Access token
`a-iat`	Access token issued-at timestamp
`session`	Refresh token (forwarded from IAM `Set-Cookie`)

Responses

Status	Meaning
`303`	Login successful, redirects to `onSuccessRedirect`
`200`	Login successful, returns JSON (when `Accept: application/json`)
`400`	Validation error
`401`	Invalid credentials
`403`	CSRF failure, XSS detected, or banned
`429`	Rate limited
`500`	IAM service error

See Auth Flows for the login pipeline and cookie details.

`POST /logout`

Sends the refresh token to the IAM /auth/logout endpoint, then clears the session cookies and removes the access token from the local LRU cache. Rejects any request body.

Middleware chain

`verifyCsrfCookie`

Validates the CSRF cookie and X-CSRF-Token header. Throws HTTP 403 on failure.

`limitBytes(0)`

Rejects any request body. Throws HTTP 403 (INVALID_CONTENT_TYPE) if a body is present.

`logoutHandler`

The logout controller. Proxies to IAM /auth/logout, clears cookies, and removes the cached access token.

Cookies required

Cookie	Purpose
`session`	The current refresh token to revoke
`__Host-csrf`	CSRF cookie

Cookies cleared on success

__Secure-a, a-iat, session, iat

Responses

Status	Meaning
`303`	Logout successful, redirects to root domain
`200`	Logout successful, returns JSON (when `Accept: application/json`)
`403`	CSRF failure
`403`	Request body present (error code: `INVALID_CONTENT_TYPE`)

See Auth Flows for the full logout sequence.

`useOAuthRoutes`

OAuth and OIDC authorization code flows. Both GET and POST are registered on the callback route to support providers that use response_mode: form_post.

`GET /oauth/:provider`

Looks up the provider by the :provider parameter, generates a PKCE verifier and challenge pair, creates a signed state cookie, and redirects the user to the provider's authorization URL. For OIDC providers, discovers the authorization endpoint via {issuer}/.well-known/openid-configuration.

Middleware chain

No pipeline middleware. The handler (OAuthRedirect) handles provider lookup and validation internally.

URL parameters

provider

string required

The OAuth provider name as configured in oauth.providers. For example, google, github.

Cookies set

Cookie	Purpose
`state{provider}`	Signed state cookie for CSRF protection during the OAuth flow
`pkce_v{provider}`	PKCE code verifier for use at the callback
`nonce{provider}`	Nonce for OIDC ID token verification

Responses

Status	Meaning
`302`	Redirects to the provider authorization URL
`404`	Provider not found in configuration

See OAuth for provider configuration and the PKCE flow.

`GET /oauth/callback/:provider` and `POST /oauth/callback/:provider`

Handles the provider callback. Verifies the state cookie, exchanges the authorization code for tokens, verifies the ID token signature against the provider's JWKS endpoint (OIDC), validates the at_hash claim (OIDC), fetches user info, merges the profile with safeObjectMerge to protect reserved JWT fields, and proxies the result to the IAM service. On success, sets the access and session cookies.

Middleware chain

`OAuthTokensValidations`

Validates the OAuth state cookie and, for OIDC providers, verifies the ID token signature and at_hash claim.

`OAuthSuccessCallBack`

Exchanges the authorization code, fetches user info, merges profile data, and proxies to the IAM service.

URL parameters

provider

string required

The OAuth provider name. Must match the :provider used to initiate the flow.

Cookies set on success

Cookie	Purpose
`__Secure-a`	Access token
`a-iat`	Access token issued-at timestamp
`session`	Refresh token (forwarded from IAM response)

Responses

Status	Meaning
`200`	Success, returns HTML page with `<meta http-equiv="refresh">` and `window.location.replace()` pointing to `redirectUrlOnSuccess`
`302`	Failure (provider error, missing code, token exchange failure), redirects to `redirectUrlOnError`

See OAuth for the full OIDC verification flow and safeObjectMerge behavior.

`magicLinksRouter`

Handles MFA verification, password reset, and email change flows. Registered with the api prefix, so all paths are /api/auth/.... GET routes set Cache-Control: no-store and generate a fresh CSRF cookie for the page that will be rendered. POST routes require CSRF verification.

`GET /api/auth/verify-mfa`

Validates an MFA magic link and returns link metadata. Used by the useMagicLink composable when the reason is MAGIC_LINK_MFA_CHECKS.

Middleware chain

`Cache-Control: no-store`

Prevents caching of the magic link response.

`verifyMfaLink`

Validates the magic link query parameters, verifies the link with the IAM service, and returns link metadata.

Query parameters

token

string required

The temporary JWT token from the magic link URL.

random

string required

The random hash for cryptographic verification.

reason

string required

The link purpose. Must be MAGIC_LINK_MFA_CHECKS.

visitor

string required

The visitor identifier.

Responses

Status	Body	Meaning
`200`	`{ ok: true, date, data: { link: 'MFA Code', reason } }`	Link is valid
`404`	Not found	Invalid, expired, or already-used link

`POST /api/auth/verify-mfa`

Submits an MFA code after the magic link is verified. Verifies the link first, then validates and forwards the code to the IAM service.

Middleware chain

`verifyMfaLink`

Validates and partially consumes the magic link.

`verifyCsrfCookie`

Validates the CSRF cookie and X-CSRF-Token header.

`contentType('application/json')`

Rejects non-JSON content types.

`limitBytes(1024)`

Rejects bodies larger than 1 KB.

`sendMfaCodeHandler`

Forwards the code to the IAM service for verification.

Request body

code

string required

The 7-digit numeric OTP code from the MFA email.

Responses

Status	Meaning
`200`	Code verified
`400`	Malformed code or link parameter mismatch
`401`	Invalid or expired code
`403`	CSRF failure or user banned

See Built-in MFA for the full flow.

`POST /api/auth/password-reset`

Initiates a password reset by sending a signed magic link email to the provided address.

Middleware chain

`verifyCsrfCookie`

Validates the CSRF cookie and X-CSRF-Token header.

`contentType('application/json')`

Rejects non-JSON content types.

`limitBytes(1024)`

Rejects bodies larger than 1 KB.

`restartPasswordHandler`

Forwards the email to IAM /auth/forgot-password. Calls banIp when IAM returns 403.

Request body

string required

The email address associated with the account.

Responses

Status	Meaning
`200`	Reset email sent (always returns success to prevent enumeration)
`403`	CSRF failure or user banned
`429`	Rate limit exceeded

See Password Reset for the full flow.

`GET /api/auth/reset-password`

Validates a password reset magic link and returns link metadata. Used by the useMagicLink composable when the reason is PASSWORD_RESET.

Middleware chain

`Cache-Control: no-store`

Prevents caching.

`verifyTempPasswordLink`

Validates the magic link query parameters and confirms the link with the IAM service.

Query parameters

Same structure as the MFA GET route: token, random, reason, visitor.

Responses

Status	Body	Meaning
`200`	`{ ok: true, date, data: { link: 'Password Reset', reason } }`	Link is valid
`404`	Not found	Invalid or expired link

`POST /api/auth/reset-password`

Submits a new password to complete the reset flow after the magic link is verified.

Middleware chain

`verifyTempPasswordLink`

Validates and partially consumes the password reset magic link.

`verifyCsrfCookie`

Validates the CSRF cookie and X-CSRF-Token header.

`contentType('application/json')`

Rejects non-JSON content types.

`limitBytes(1024)`

Rejects bodies larger than 1 KB.

`sendNewPasswordHandler`

Forwards the new password and link parameters to the IAM service, which validates the token and updates the password hash.

Request body

password

string required

The new password.

confirmedPassword

string required

Must match password exactly.

Responses

Status	Meaning
`200`	Password updated
`400`	Validation error or password mismatch
`403`	CSRF failure or XSS detected
`429`	Rate limit exceeded

See Password Reset for the complete three-step flow.

`POST /api/auth/change-email`

Initiates the email change flow for an authenticated user. Validates the session, generates a 128-byte random token, and calls askForMfaFlow to send a verification email to the user's current address.

Middleware chain

`defineVerifiedCsrfHandler`

Validates the __Host-csrf cookie signature and X-CSRF-Token header. Throws HTTP 403 on failure.

POST assertion

Rejects non-POST requests.

`limitBytes(1_000_000)`

Rejects request bodies larger than 1 MB.

Content-Type check

Rejects requests without Content-Type: application/json.

`initChangeEmailFlow`

Validates the body, generates the random token, calls askForMfaFlow, and returns the result.

Request body

init

string required

Must be the string "1". Acts as an explicit trigger flag.

Responses

Status	Meaning
`200`	Verification email sent: `{ ok: true, data: "Please check your email..." }`
`200`	Session anomaly detected: `{ ok: false, code: "MFA_REQUIRED", reason: "..." }`
`400`	Invalid Content-Type or body validation failure
`403`	CSRF failure

See Email Change for the three-step flow.

`GET /api/auth/update-email`

Validates an email change magic link and returns link metadata. Used by the useMagicLink composable when the reason is change_email.

Middleware chain

`Cache-Control: no-store`

Prevents caching.

`generateCsrfCookie`

Mints a fresh CSRF cookie for the page.

`changeEmailGetAPI`

Validates the magic link query parameters and confirms the link with the IAM service.

Query parameters

Same structure as the MFA GET route: token, random, reason, visitor.

Responses

Status	Body	Meaning
`200`	`{ ok: true, date, data: { link: 'Custom MFA', reason: 'change_email' } }`	Link is valid
`404`	Not found	Invalid or expired link

`POST /api/auth/update-email`

Submits the new email address with the magic link query parameters and verification code to complete the email change. Applies token rotation on success.

Middleware chain

`defineVerifiedCsrfHandler`

Validates the __Host-csrf cookie signature and X-CSRF-Token header. Throws HTTP 403 on failure.

POST assertion

Rejects non-POST requests.

`limitBytes(8_000_000)`

Rejects request bodies larger than 8 MB.

Content-Type check

Rejects requests without Content-Type: application/json.

`updateNewEmail`

Validates the query parameters and body, proxies to IAM /update/email, and applies token rotation.

Query parameters

token

string required

The temporary JWT token from the magic link URL.

random

string required

The random hash for cryptographic verification.

reason

string required

Must be change_email.

visitor

string required

The visitor identifier.

Request body

code

string required

The 7-digit numeric OTP code from the verification email.

string required

The user's current email address.

newEmail

string required

The new email address to change to.

password

string required

The user's current password, confirmed before the change is applied.

Cookies set on success

Cookie	Purpose
`__Secure-a`	New access token
`a-iat`	New access token issued-at timestamp
`session`	New refresh token (forwarded from IAM `Set-Cookie`)

Responses

Status	Meaning
`200`	Email updated, tokens rotated: `{ ok: true, data: "Your email has been successfully updated." }`
`400`	Validation error, invalid code, or link parameter mismatch
`401`	Missing session cookies
`403`	CSRF failure
`500`	IAM service error

See Email Change for the complete flow.

`bounceRouter`

`GET /auth/bounce`

Reads the magic link query parameters from the incoming email URL and redirects to magicLinkRedirectPath with the parameters re-encoded in the query string. This converts an externally-deliverable bounce URL into an internal client-side route.

The bounce path is configurable via magicLinkBouncePath (default /auth/bounce). The destination is controlled by magicLinkRedirectPath.

Query parameters

token

string required

The temporary JWT token.

random

string required

The random hash.

reason

string required

The link purpose, for example MAGIC_LINK_MFA_CHECKS, PASSWORD_RESET, change_email, or a custom reason string.

visitor

string required

The visitor identifier.

Responses

Status	Meaning
`302`	Redirects to `magicLinkRedirectPath` with parameters
`400`	Invalid redirect URL

See Built-in MFA and Password Reset for the full magic link flows that use this bounce route.

Auth status endpoint

`GET /auth/users/authStatus`

Returns the current session state by proxying to the IAM /secret/data endpoint. In manual H3 and Nitro setups, /auth/users/authStatus is the most common path. When using the Nuxt module, the handler is registered automatically at authStatusUrl, whose default value is /api/auth/users/authStatus.

If you want to register the same handler with addServerHandler() instead of importing it from auth-h3client/v1 or auth-h3client/v2, use the auth-h3client/server/auth-status export.

Cookies required

Cookie	Purpose
`__Secure-a`	Access token
`session`	Refresh token
`canary_id`	Visitor fingerprint

Responses

Status	Body	Meaning
`200`	`{ authorized: true, userId, roles, ipAddress, userAgent, date }`	Authenticated
`202`	`{ mfaRequired: 'MFA required', message }`	MFA challenge pending
`401`	`{ authorized: false }`	Not authenticated

See Session Management for how useAuthData reads this endpoint.

API token inventory endpoint

`GET <registerApiRoute.path>`

Returns the authenticated user's API token inventory by proxying to the IAM /api/manage/list-metadata endpoint. This handler is exported as getApiListsController. Register it manually on any GET route, or let the Nuxt module register it automatically by setting registerApiRoute.path.

For Nuxt module wiring and manual addServerHandler() setups, use the auth-h3client/server/api-lists export.

The handler runs the same authenticated session pipeline as getAuthStatusHandler, then removes public_identifier from every token entry before returning the response. The response includes token IDs, names, privilege levels, expiry timestamps, usage counts, and optional IP restrictions.

This route is read-only. If you need to create, revoke, rotate, etc, register your own POST route with defineApiManagementHandler. That wrapper keeps the full IAM token list private on the server, resolves tokenId to publicIdentifier and name, and only exposes the browser-safe fields to your frontend.

Cookies required

Cookie	Purpose
`__Secure-a`	Access token
`session`	Refresh token
`canary_id`	Visitor fingerprint

Responses

Status	Body	Meaning
`200`	`{ ok: true, date, data: { total, totalInvalidTokens, totalValidTokens, tokenList? } }`	Authenticated token inventory
`202`	`{ mfaRequired: 'MFA required', message }`	MFA challenge pending
`401`	`{ authorized: false }`	Not authenticated
`429`	`{ ok: false, reason }`	Rate limited by IAM
`500`	`{ ok: false, reason }`	IAM service error

Each tokenList entry includes the token id, name, created_at, expires_at, restricted_to_ip_address, last_used, usage_count, and privilege_type. The response omits public_identifier.

Route summary

Method	Path	Registrar	Description
`POST`	`/signup`	`useAuthRoutes`	Register a new user account
`POST`	`/login`	`useAuthRoutes`	Authenticate with email and password
`POST`	`/logout`	`useAuthRoutes`	Revoke the refresh token and clear cookies
`GET`	`/oauth/:provider`	`useOAuthRoutes`	Initiate an OAuth authorization code flow
`GET/POST`	`/oauth/callback/:provider`	`useOAuthRoutes`	Handle the OAuth provider callback
`GET`	`/api/auth/verify-mfa`	`magicLinksRouter`	Validate an MFA magic link
`POST`	`/api/auth/verify-mfa`	`magicLinksRouter`	Submit the MFA code
`POST`	`/api/auth/password-reset`	`magicLinksRouter`	Initiate a password reset
`GET`	`/api/auth/reset-password`	`magicLinksRouter`	Validate a password reset magic link
`POST`	`/api/auth/reset-password`	`magicLinksRouter`	Submit the new password
`POST`	`/api/auth/change-email`	`magicLinksRouter`	Initiate an email change flow
`GET`	`/api/auth/update-email`	`magicLinksRouter`	Validate an email change magic link
`POST`	`/api/auth/update-email`	`magicLinksRouter`	Submit the new email address
`GET`	`/auth/bounce`	`bounceRouter`	Redirect incoming magic link email to client route
`GET`	`authStatusUrl` (default `/api/auth/users/authStatus`)	`getAuthStatusHandler` / Module (auto)	Check session state
`GET`	`registerApiRoute.path`	`getApiListsController` / Module (optional auto)	Return the authenticated API token list without `public_identifier`

API Reference

Middleware Reference