Qeet Docs
Authentication

Sign-up & passwords

Create users with email + password (Argon2id), verify email and phone, and handle password reset — all enumeration-safe.

Sign-up creates a user and a personal tenant, then optionally walks them through email/phone verification. Passwords are hashed with Argon2id (OWASP parameters), with a format-detecting verify that rehashes on login to migrate legacy bcrypt hashes transparently.

Create an account

POST /v1/auth/signup - Sign up with email + password
Bash
curl -X POST https://api.qeetid.com/v1/auth/signup \
  -H "Content-Type: application/json" \
  -d '{"email":"alex@acme.com","password":"a-strong-passphrase"}'

Email is globally unique. A successful signup issues a token pair (see Sessions).

Reject breached passwords

Enable breached-password rejection in the tenant auth policy. Qeet ID checks the password against HaveIBeenPwned using k-anonymity (only a hash prefix leaves your infrastructure) and fails open if the service is unreachable.
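
The k-anonymity lookup and fail-open behaviour described above, as an added example (not Qeet ID's own code). `fetch_range` is a hypothetical injected callable standing in for the HTTP GET to the HaveIBeenPwned range endpoint, which returns `SUFFIX:COUNT` lines; the response body and outage below are constructed so the example runs offline.

```python
import hashlib
from typing import Callable, Optional

PREFIX_LEN = 5  # the range API is queried with the first 5 hex chars of SHA-1

def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix sent to the service, suffix compared locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def breach_count(password: str, fetch_range: Callable[[str], str]) -> Optional[int]:
    """Occurrences in the breach corpus, or None if the lookup failed."""
    prefix, suffix = split_hash(password)
    try:
        body = fetch_range(prefix)  # only the prefix crosses the network
        for line in body.splitlines():
            candidate, _, count = line.strip().partition(":")
            if candidate.upper() == suffix:
                return int(count)
    except (OSError, ValueError):  # unreachable service or malformed reply
        return None
    return 0

def is_rejected(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Fail open: a failed lookup (None) never blocks the signup."""
    count = breach_count(password, fetch_range)
    return count is not None and count > 0

# Constructed stand-in for the range endpoint; records what the client sent.
seen_by_service: list[str] = []

def fake_range(prefix: str) -> str:
    seen_by_service.append(prefix)
    known_prefix, known_suffix = split_hash("password")  # constructed breached entry
    miss = "0" * 34 + "A:3"
    hit = f"{known_suffix}:12" if prefix == known_prefix else ""
    return "\r\n".join([miss, hit])

def unreachable(prefix: str) -> str:
    raise TimeoutError("constructed outage")

if __name__ == "__main__":
    print(is_rejected("password", fake_range))             # breached entry found
    print(is_rejected("a-strong-passphrase", fake_range))  # no matching suffix
    print(is_rejected("password", unreachable))            # lookup failed, allowed
    print(seen_by_service)                                 # only 5-char prefixes
```

Because a failed lookup is indistinguishable from a clean one to the caller of `is_rejected`, logging the `None` case from `breach_count` is what makes an outage of the check visible to operators.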

Verify email & phone

Verification uses single-use, TTL-bound 6-digit OTPs.

POST /v1/users/{id}/verify/email/start - Send email OTP
POST /v1/users/{id}/verify/email/confirm - Confirm email OTP
POST /v1/users/{id}/verify/phone/start - Send SMS OTP
POST /v1/users/{id}/verify/phone/confirm - Confirm phone OTP

Deliverability is an ops dependency

SMTP and Twilio senders are wired in code. Production email/SMS delivery needs a sending domain with SPF/DKIM/DMARC (and bounce/complaint handling) configured for your deployment.

Password reset

Reset is enumeration-safe: starting a reset always returns 202, whether or not the email exists. Completing a reset revokes all of the user's sessions.

POST /v1/auth/forgot-password - Start reset (always 202)
POST /v1/auth/reset-password - Complete reset
Bash
curl -X POST https://api.qeetid.com/v1/auth/forgot-password \
  -H "Content-Type: application/json" \
  -d '{"email":"alex@acme.com"}'
# → 202 Accepted (no account-existence signal)

Invite users into a tenant

For B2B flows, invite people into a tenant rather than self-signup. Accepting an invite creates the user if needed and assigns the configured role.

POST /v1/invites - Create an invite
POST /v1/invites/accept - Accept an invite

Admin user management

Admins manage users directly, including set-password and soft-delete with a recycle bin (restore / purge).

POST /v1/users - Create a user
PUT /v1/users/{id}/password - Set a user's password
POST /v1/users/{id}/restore - Restore a soft-deleted user
TypeScript
const user = await qeetid.users.create({ email: "alex@acme.com", display_name: "Alex Chen" });
