Authentication
The API uses session-based authentication via Better Auth.
```http
POST /api/auth/login
Content-Type: application/json

{ "email": "user@example.com", "password": "your-password" }
```

Response

```json
{
  "user": { "id": "user_abc123", "email": "user@example.com", "name": "Your Name" },
  "session": { "id": "session_xyz789", "expiresAt": "2026-03-01T00:00:00Z" }
}
```

Session Cookies
The response includes Set-Cookie headers. Store and send these with subsequent requests.
Logout
```http
POST /api/auth/logout
```

Invalidates the current session.
Check Session
```http
GET /api/auth/session
```

Returns the current user if authenticated.
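The login, check-session and logout calls described above, driven end to end by a small cookie-aware client. This is an added example, not code from the API docs or from Better Auth: the transport is injected so the flow runs offline against a constructed mock of the three endpoints, and the cookie name (`session`), the test credential and the 401 error body used by that mock are assumptions, not documented values. The client itself stores whatever cookies the server sets, so it does not depend on the cookie name.

```javascript
// Added example (not from the API docs or Better Auth). A real transport would wrap
// fetch and return { status, setCookie: res.headers.getSetCookie(), body: await res.json() }.
class SessionClient {
  constructor(baseUrl, transport) {
    this.baseUrl = baseUrl;
    this.transport = transport;
    this.cookies = new Map(); // cookie name -> value, filled from Set-Cookie headers
    this.session = null;      // { id, expiresAt } from the login response
  }

  // Keep name=value from each Set-Cookie; drop a cookie the server expires with Max-Age=0.
  storeCookies(setCookie) {
    for (const header of setCookie) {
      const [pair, ...attrs] = header.split(';').map(s => s.trim());
      const eq = pair.indexOf('=');
      if (eq <= 0) continue;
      const name = pair.slice(0, eq);
      if (attrs.some(a => /^max-age=0$/i.test(a))) this.cookies.delete(name);
      else this.cookies.set(name, pair.slice(eq + 1));
    }
  }

  async request(method, path, body) {
    const headers = { 'Content-Type': 'application/json' };
    if (this.cookies.size > 0) {
      headers.Cookie = [...this.cookies].map(([k, v]) => `${k}=${v}`).join('; ');
    }
    const res = await this.transport(this.baseUrl + path, {
      method, headers, body: body === undefined ? undefined : JSON.stringify(body),
    });
    this.storeCookies(res.setCookie ?? []);
    return res;
  }

  async login(email, password) {
    const res = await this.request('POST', '/api/auth/login', { email, password });
    if (res.status !== 200) throw new Error(`login failed: HTTP ${res.status}`);
    this.session = res.body.session;
    return res.body.user;
  }

  // True when the expiresAt returned at login has passed (or there is no session).
  sessionExpired(now = Date.now()) {
    return this.session === null || Date.parse(this.session.expiresAt) <= now;
  }

  async checkSession() {
    const res = await this.request('GET', '/api/auth/session');
    return res.status === 200 ? res.body.user : null;
  }

  async logout() {
    await this.request('POST', '/api/auth/logout');
    this.session = null;
  }
}

// Constructed mock of the three endpoints; cookie name, credential and 401 body are assumptions.
function makeMockTransport() {
  const users = new Map([['user@example.com', 'your-password']]);
  const sessions = new Map(); // session id -> user
  let counter = 0;
  return async (url, init) => {
    const path = new URL(url).pathname;
    const sid = (/(?:^|;\s*)session=([^;]+)/.exec(init.headers.Cookie ?? '') ?? [])[1];
    const body = init.body ? JSON.parse(init.body) : {};
    if (path === '/api/auth/login' && init.method === 'POST') {
      if (users.get(body.email) !== body.password) {
        return { status: 401, setCookie: [], body: { error: 'Invalid credentials' } };
      }
      const id = `session_${++counter}`;
      const user = { id: 'user_abc123', email: body.email, name: 'Your Name' };
      sessions.set(id, user);
      return {
        status: 200,
        setCookie: [`session=${id}; Path=/; HttpOnly; Secure; SameSite=Lax`],
        body: { user, session: { id, expiresAt: new Date(Date.now() + 3600_000).toISOString() } },
      };
    }
    if (path === '/api/auth/session' && init.method === 'GET') {
      const user = sessions.get(sid);
      return user ? { status: 200, setCookie: [], body: { user } } : { status: 401, setCookie: [], body: null };
    }
    if (path === '/api/auth/logout' && init.method === 'POST') {
      sessions.delete(sid);
      return { status: 200, setCookie: ['session=; Path=/; Max-Age=0'], body: {} };
    }
    return { status: 404, setCookie: [], body: null };
  };
}

// Walk through login -> check -> logout -> check and report what the caller observes.
async function demo() {
  const client = new SessionClient('https://pintas.turbospark.my', makeMockTransport());
  const user = await client.login('user@example.com', 'your-password');
  const beforeLogout = await client.checkSession();
  const expiredAtLogin = client.sessionExpired();
  await client.logout();
  const afterLogout = await client.checkSession();
  return {
    email: user.email,
    authenticatedBeforeLogout: beforeLogout !== null,
    expiredAtLogin,
    authenticatedAfterLogout: afterLogout !== null,
    cookiesLeft: client.cookies.size,
  };
}

demo().then(r => console.log(r));
```

Two things worth checking in any client like this: that the logout response actually clears the stored cookie (the mock does it with `Max-Age=0`, and the client honours it), and that `/api/auth/session` returns nothing once the server-side session is gone, so a stale cookie cannot be reused. The `expiresAt` check lets the client refresh proactively instead of discovering expiry on a failed request.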
Using Sessions
Include cookies in requests:

```javascript
// JavaScript fetch
const response = await fetch('/api/admin/products', {
  credentials: 'include' // Include cookies
});
```

```bash
# cURL with cookies (cookies.txt is the jar saved by an earlier login call made with -c cookies.txt)
curl -b cookies.txt https://pintas.turbospark.my/api/admin/products
```

Rate Limiting
Auth endpoints are rate limited:

| Endpoint | Limit |
|---|---|
| /api/auth/login | 5 attempts per 15 min |
| /api/auth/signup | 3 attempts per hour |
| /api/auth/forgot-password | 3 per hour |
After the limit is exceeded, the API responds with:

```json
{ "error": "Too many requests. Please try again later." }
```

Security Best Practices
- Use HTTPS - Always
- Don’t share tokens - Keep credentials secure
- Logout when done - Invalidate sessions
- Monitor for breaches - Check for unauthorized access
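The rate limits in the table above, enforced by a per-endpoint sliding-window limiter that returns the documented error body. This is an added example and not the API's or Better Auth's own implementation; the `Retry-After` header, the in-memory store and the sample client addresses are choices made for this example.

```javascript
// Added example, not part of the API docs: sliding-window rate limiting for the auth
// endpoints, with the limits from the documentation table.
const LIMITS = {
  '/api/auth/login':           { max: 5, windowMs: 15 * 60 * 1000 },
  '/api/auth/signup':          { max: 3, windowMs: 60 * 60 * 1000 },
  '/api/auth/forgot-password': { max: 3, windowMs: 60 * 60 * 1000 },
};

const TOO_MANY = { error: 'Too many requests. Please try again later.' };

class SlidingWindowLimiter {
  // `now` is injectable so the behaviour can be checked deterministically offline.
  constructor(limits = LIMITS, now = () => Date.now()) {
    this.limits = limits;
    this.now = now;
    this.hits = new Map(); // "path|key" -> timestamps of attempts still inside the window
  }

  // Returns null when the attempt is allowed (and records it), otherwise a 429 response.
  check(path, key) {
    const rule = this.limits[path];
    if (!rule) return null; // endpoint is not rate limited
    const t = this.now();
    const id = `${path}|${key}`;
    const recent = (this.hits.get(id) ?? []).filter(ts => t - ts < rule.windowMs);
    if (recent.length >= rule.max) {
      this.hits.set(id, recent);
      const retryAfterMs = recent[0] + rule.windowMs - t; // when the oldest hit leaves the window
      return {
        status: 429,
        headers: { 'Retry-After': String(Math.ceil(retryAfterMs / 1000)) },
        body: TOO_MANY,
      };
    }
    recent.push(t);
    this.hits.set(id, recent);
    return null;
  }
}

// Simulation on constructed data: one client makes six login attempts ten seconds apart,
// waits a full window, then retries; a second client is checked for independence.
function simulate() {
  let clock = 0;
  const limiter = new SlidingWindowLimiter(LIMITS, () => clock);
  const outcomes = [];
  let blocked = null;
  const attempt = key => {
    const res = limiter.check('/api/auth/login', key);
    if (res !== null && blocked === null) blocked = res;
    outcomes.push(res === null ? 'ok' : String(res.status));
  };
  for (let i = 0; i < 6; i++) { clock += 10_000; attempt('203.0.113.7'); }
  clock += 15 * 60 * 1000;
  attempt('203.0.113.7');
  attempt('198.51.100.9');
  return { outcomes, retryAfter: blocked.headers['Retry-After'], body: blocked.body };
}

console.log(simulate());
```

The limiter is keyed on whatever string the caller passes; for login endpoints it is common to count against both the client address and the target account, so that neither a single source spraying many accounts nor many sources targeting one account slips under the per-key limit. An in-memory `Map` only works for a single process; a deployment with several instances needs a shared store for the hit timestamps.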