Overview
Authentication is phone-first. Every user signs up with a Nigerian phone number, a password, and a one-time OTP to prove the number is real.
All protected endpoints require:
Authorization: Bearer <access_token>
Signup flow
Login flow
Session tokens
| Field | TTL | Usage |
|---|---|---|
| access_token | 1 hour | Bearer token for all protected endpoints |
| refresh_token | 30 days | Exchange for a fresh access token via POST /auth-refresh |
Refresh before the access token expires — do not wait for a 401.
Password reset flow
POST /auth-forgot-password { phone }
→ OTP sent (the response is identical whether or not an account exists, which prevents account enumeration)
POST /auth-reset-password { phone, otp_code, password, confirm_password }
→ Password updated, all sessions revoked globally
After a successful password reset, all existing sessions on all devices are immediately invalidated. The user must log in again.
All phone numbers must be valid Nigerian numbers in E.164 or local format:
+2348012345678 ✓
08012345678 ✓