Sign Up & Sign In
Project users are scoped to one project. The same email address can exist in different projects as independent accounts.
All examples assume:
Host: app.nomacms.com
project-id: <your-project-uuid>
Content-Type: application/json
Accept: application/json
Sign up
POST /api/auth/signup
Body (JSON)
| Field | Type | Required | Rules |
|---|---|---|---|
| email | string | Yes | Valid email, max 255 characters |
| password | string | Yes | Min 8, max 255 characters |
| display_name | string | No | Max 255 characters |
Responses
201 Created — Account created and tokens issued immediately. Body includes access_token, token_type, expires_at, optional refresh_token / refresh_token_expires_at, and user (id, uuid, email, display_name, email_verified_at, metadata).
202 Accepted — Account created but email verification is required before tokens are issued (depends on project policy). Typical body:
- message
- code (for example email_verification_required)
- verification_required: true
- user: profile fields without session tokens
- verification_token: present when your app must deliver verification yourself (use it in your email or link flow)
422 — Validation errors (invalid email, password too short, and so on).
Sign in (email and password)
POST /api/auth/login
Body (JSON)
| Field | Type | Required |
|---|---|---|
| email | string | Yes |
| password | string | Yes |
Responses
200 OK — Body matches the successful sign-up token payload (access_token, user, and so on).
401 — Invalid credentials. Failed attempts are tracked; after too many failures from the same client, the API may respond with 429 and retry_after (see below).
403 — Email verification is required before login is allowed. Body may include verification_token for your delivery flow.
422 — Validation errors.
Sign-in lockout
After repeated failed attempts (same project, email, and IP), further attempts return 429 with a message such as "Invalid credentials." and retry_after (seconds until the client may try again).
Email verification helpers
Resend verification
POST /api/auth/verify-email/resend
Body: { "email": "[email protected]" }
- If a new token is issued, the response can include verification_token and a message telling you to send mail from your application.
- During cooldown, the response may include resend_cooldown_active and retry_after_seconds instead of a new token.
Confirm verification
POST /api/auth/verify-email/confirm
Body: { "token": "<verification-token>" }
200 OK — Email marked verified; user object returned.
422 — Invalid or expired verification token.
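The request and response handling described above for sign-up, sign-in, the 429 lockout response and the verification helpers, as an added example that is not NomaCMS's own code or SDK. It assumes requests go to https://app.nomacms.com and that the project id is sent as a project-id request header (per the "All examples assume" block); the HTTP layer is injected so the example runs offline against constructed responses, and fakeHttp, classifyAuthResponse, classifyResendResponse and the sample bodies are names this example introduces.

```javascript
// Added example (not NomaCMS's own code or SDK). Assumptions: base URL
// https://app.nomacms.com and the project id sent as a "project-id" header.
const BASE_URL = "https://app.nomacms.com";

function buildRequest(projectId, path, body) {
  return {
    url: BASE_URL + path,
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Accept: "application/json",
      "project-id": projectId,
    },
    body: JSON.stringify(body),
  };
}

// Map the status codes documented for /signup and /login to one outcome each.
function classifyAuthResponse(status, body) {
  switch (status) {
    case 200: // login succeeded
    case 201: // sign-up succeeded, tokens issued immediately
      return {
        outcome: "authenticated",
        accessToken: body.access_token,
        expiresAt: body.expires_at,
        refreshToken: body.refresh_token ?? null,
        user: body.user,
      };
    case 202: // account created, verification required before tokens
    case 403: // login refused until the email is verified
      return {
        outcome: "verification_required",
        user: body.user ?? null,
        verificationToken: body.verification_token ?? null,
      };
    case 401:
      return { outcome: "invalid_credentials" };
    case 422:
      return { outcome: "validation_error", details: body };
    case 429: // lockout: the client must wait retry_after seconds, not retry in a loop
      return { outcome: "locked_out", retryAfterSeconds: Number(body.retry_after) };
    default:
      return { outcome: "unexpected", status };
  }
}

// A resend response carries either a fresh verification_token or cooldown fields.
function classifyResendResponse(body) {
  if (body.resend_cooldown_active) {
    return { outcome: "cooldown", retryAfterSeconds: Number(body.retry_after_seconds) };
  }
  return { outcome: "token_issued", verificationToken: body.verification_token ?? null };
}

async function signUp(http, projectId, fields) {
  const res = await http(buildRequest(projectId, "/api/auth/signup", fields));
  return classifyAuthResponse(res.status, res.body);
}

async function signIn(http, projectId, email, password) {
  const res = await http(buildRequest(projectId, "/api/auth/login", { email, password }));
  return classifyAuthResponse(res.status, res.body);
}

async function resendVerification(http, projectId, email) {
  const res = await http(buildRequest(projectId, "/api/auth/verify-email/resend", { email }));
  return classifyResendResponse(res.body);
}

// Constructed fake HTTP layer: serves canned responses keyed by request path.
function fakeHttp(responsesByPath) {
  return async (req) => {
    const path = new URL(req.url).pathname;
    const canned = responsesByPath[path];
    if (!canned) throw new Error("no canned response for " + path);
    return canned;
  };
}

// Constructed sample responses shaped like the bodies documented on this page.
const SAMPLE_HTTP = fakeHttp({
  "/api/auth/signup": {
    status: 202,
    body: {
      message: "Verify your email",
      code: "email_verification_required",
      verification_required: true,
      user: { id: 1, email: "ada@example.test" },
      verification_token: "constructed-verification-token",
    },
  },
  "/api/auth/login": { status: 429, body: { message: "Invalid credentials.", retry_after: 42 } },
  "/api/auth/verify-email/resend": {
    status: 200,
    body: { resend_cooldown_active: true, retry_after_seconds: 60 },
  },
});

async function demo() {
  const projectId = "00000000-0000-0000-0000-000000000000"; // placeholder project uuid
  return {
    signup: await signUp(SAMPLE_HTTP, projectId, { email: "ada@example.test", password: "longer-than-8", display_name: "Ada" }),
    login: await signIn(SAMPLE_HTTP, projectId, "ada@example.test", "wrong-password"),
    resend: await resendVerification(SAMPLE_HTTP, projectId, "ada@example.test"),
  };
}
```

Replace SAMPLE_HTTP with a thin wrapper around fetch for real use; the classification functions stay the same. The locked_out and cooldown outcomes expose the server's retry_after value so the caller can show a wait time rather than re-issuing the request, and a verification_token surfaced by the 202/403 or resend paths is only useful when handed to your own mail or link delivery flow.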
JavaScript SDK
```ts
import { createClient } from "@nomacms/js-sdk"

const noma = createClient({
  projectId: process.env.NOMA_PROJECT_ID!,
  projectUserAuth: { autoRefresh: true },
})

// Create the account; tokens are issued immediately unless the project requires email verification first.
await noma.signUp({
  email: "[email protected]",
  password: "secret1234",
  display_name: "Ada",
})

// Sign in with email and password.
await noma.signInWithPassword({
  email: "[email protected]",
  password: "secret1234",
})
```

If you use projectUserAuth.tokenStorage, a successful sign-in updates the stored tokens automatically. See Installation & Setup.
Related
- Overview — How project auth relates to Content API keys.
- Social Login — Provider id_token sign-in.
- Session Management — Refresh and sign-out.