Core Auth APIs
- POST /api/auth_login.php
- POST /api/auth_factor_challenge.php
- POST /api/auth_factor_verify.php
- POST /api/auth_password_reset_request.php
- POST /api/auth_password_reset_complete.php

Use Auth2 as the user authenticator for your WESB App.

- POST /api/auth_login.php
- POST /api/auth_factor_challenge.php
- POST /api/auth_factor_verify.php
- POST /api/auth_password_reset_request.php
- POST /api/auth_password_reset_complete.php
- POST /api/service/user_resolve.php
- POST /api/firebase_custom_token.php
- POST /api/auth_api_key_verify.php

- X-Service-Key for service calls.
- auth_user_id to each app users table.

| Endpoint | What It Does | Use It For |
|---|---|---|
| POST /api/auth_login.php | Validates email/password for a specific site_key. | Primary login from web/mobile apps. |
| POST /api/auth_factor_challenge.php | Resends or issues the second-factor challenge token/code. | 2FA follow-up step after login requires additional factor. |
| POST /api/auth_factor_verify.php | Verifies submitted OTP/TOTP for the active login challenge. | Completing 2FA and finalizing login. |
| POST /api/auth_password_reset_request.php | Creates reset token and sends reset email instructions. | Forgot-password flow in connected apps. |
| POST /api/auth_password_reset_complete.php | Consumes reset token and writes the new password hash. | Final step for password reset. |
| POST /api/admin/user_create.php | Creates a new identity user in Auth2 central users table. | HR/admin onboarding from Auth2 only. |
| POST /api/admin/user_update.php | Updates identity fields such as name, status, or password. | Central account maintenance. |
| GET /api/admin/user_list.php | Returns current Auth2 identity users. | Admin UI listing and lookup. |
| POST /api/admin/user_disable.php | Soft-disables an identity by changing status. | Blocking or suspending staff account access. |
| POST /api/admin/site_create.php | Registers a new site/app and initial auth settings. | Onboarding new Weststar systems into Auth2. |
| POST /api/admin/site_update.php | Updates site metadata such as name, base URL, and status. | Site maintenance changes. |
| POST /api/admin/policy_update.php | Updates per-site auth mode and security flags. | Enable/disable 2FA or adjust login policy. |
| GET /api/admin/audit_list.php | Lists audit events for admin and auth actions. | Security review and operation traceability. |
| POST /api/service/user_resolve.php | Resolves canonical identity payload by ID/email. | App backend user upsert and synchronization. |
| POST /api/firebase_custom_token.php | Issues Firebase custom token (service-key protected). | Realtime/mobile integration with Firebase auth context. |
| POST /api/auth_api_key_verify.php | Validates service API key/token against Auth2 records. | Service-to-service trust checks. |