SavePoint

Authentication Portal

API Documentation

Complete reference for SavePoint Authentication API

Overview

The SavePoint Authentication API is built on Better Auth and provides enterprise-grade authentication services including OAuth 2.0, OpenID Connect, WebAuthn, and traditional email/password authentication.

Base URL

https://auth.savepoint.com.au

REST API

RESTful endpoints for authentication, user management, and session handling

OAuth 2.0 / OIDC

Standard OAuth 2.0 and OpenID Connect provider for third-party integrations

Authentication

API Authentication

The API supports multiple authentication methods:

  • Session Cookies: For web applications using the same domain
  • Bearer Tokens: For API access and mobile applications
  • API Keys: For server-to-server communication

Example API Request

// Using Bearer Token
fetch('/api/auth/session', {
  headers: {
    'Authorization': 'Bearer <your-token>',
    'Content-Type': 'application/json'
  }
})

// Using API Key
fetch('/api/auth/user', {
  headers: {
    'x-api-key': 'sp_your_api_key_here',
    'Content-Type': 'application/json'
  }
})

Core Endpoints

Authentication

POST /api/auth/sign-in

Sign in with email and password

POST /api/auth/sign-in
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password",
  "callbackURL": "/dashboard"
}

POST /api/auth/sign-up

Create a new user account

POST /api/auth/sign-up
Content-Type: application/json

{
  "email": "user@example.com",
  "password": "secure_password",
  "name": "John Doe"
}

GET /api/auth/session

Get current user session information

POST /api/auth/sign-out

Sign out and invalidate session

Social Authentication

GET /api/auth/sign-in/github

Initiate GitHub OAuth flow

GET /api/auth/sign-in/google

Initiate Google OAuth flow

GET /api/auth/callback/:provider

OAuth callback endpoint for social providers

WebAuthn / Passkeys

POST /api/auth/passkey/register

Register a new passkey for the user

POST /api/auth/passkey/authenticate

Authenticate using a passkey

GET /api/auth/passkey/list

List user's registered passkeys

Two-Factor Authentication

POST /api/auth/totp/setup

Set up TOTP two-factor authentication

POST /api/auth/totp/verify

Verify TOTP code

GET /api/auth/totp/backup-codes

Generate backup codes

OAuth 2.0 / OpenID Connect

SavePoint Authentication Portal acts as an OAuth 2.0 Authorization Server and OpenID Connect Provider.

Well-Known Endpoints

  • /.well-known/oauth-authorization-server - OAuth 2.0 metadata
  • /.well-known/openid_configuration - OpenID Connect discovery

GET /oauth/authorize

OAuth 2.0 authorization endpoint

Query Parameters:

  • client_id - Application client ID
  • response_type - "code" for authorization code flow
  • scope - Requested scopes (e.g., "openid profile email")
  • redirect_uri - Callback URL
  • state - CSRF protection parameter

POST /oauth/token

Exchange authorization code for tokens

GET /oauth/userinfo

Get user information using access token
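
The authorization request and its state check, as an added example that is not part of the SavePoint documentation or Better Auth: it builds the /oauth/authorize URL from the query parameters listed above and accepts the callback only when the returned state equals the one stored for the user's session. CLIENT_ID and REDIRECT_URI are constructed placeholders, the function names are chosen for this example, and the handling of an error parameter on the callback follows standard OAuth 2.0 behaviour rather than anything stated on this page.

```javascript
// Added example, not SavePoint or Better Auth code.
const nodeCrypto = require('node:crypto');

const ISSUER = 'https://auth.savepoint.com.au';
const CLIENT_ID = 'example-client-id';                    // constructed placeholder
const REDIRECT_URI = 'https://app.example.com/callback';  // constructed placeholder

// Start the flow: create an unguessable state and the /oauth/authorize URL.
// The caller stores `state` in the user's server-side session before redirecting.
function beginAuthorization(scope = 'openid profile email') {
  const state = nodeCrypto.randomBytes(32).toString('base64url');
  const url = new URL('/oauth/authorize', ISSUER);
  url.search = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: 'code',
    scope,
    redirect_uri: REDIRECT_URI,
    state,
  }).toString();
  return { state, url: url.toString() };
}

// Constant-time comparison, so the check does not reveal how much of the state matched.
function sameState(expected, received) {
  const a = Buffer.from(String(expected));
  const b = Buffer.from(String(received));
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}

// Handle the redirect back to REDIRECT_URI. The state is checked before anything
// else in the query string is trusted; the code is returned only when it matches.
function handleCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const state = params.get('state');
  if (!expectedState || !state || !sameState(expectedState, state)) {
    return { ok: false, reason: 'state_mismatch' };
  }
  if (params.has('error')) return { ok: false, reason: 'provider_error' };
  const code = params.get('code');
  if (!code) return { ok: false, reason: 'missing_code' };
  return { ok: true, code }; // next step: exchange `code` at POST /oauth/token
}
```

Treat the stored state as single-use: delete it from the session as soon as handleCallback has run, whether or not the check passed.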

API Key Management

For server-to-server communication, use API keys with the prefix sp_.

POST /api/auth/api-key

Create a new API key

GET /api/auth/api-key

List user's API keys

DELETE /api/auth/api-key/:id

Revoke an API key

Rate Limiting

The API implements rate limiting to ensure fair usage and protect against abuse.

Authentication Endpoints

  • 10 requests per minute per IP
  • Applies to login, signup, password reset
  • Stricter limits for failed attempts

API Key Requests

  • 100 requests per minute per key
  • Higher limits available for enterprise
  • Burst capacity for peak usage

Rate Limit Headers

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640995200
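
A client-side way to honour these limits, as an added example rather than SavePoint's own code: it derives a wait time from the headers above and retries a 429 response a bounded number of times. It assumes X-RateLimit-Reset is a Unix timestamp in seconds, as the sample value suggests; rateLimitDelayMs, fetchWithRateLimit, the 60-second cap and the 1-second fallback are names and values chosen for this example.

```javascript
// Added example, not SavePoint code. Assumes X-RateLimit-Reset is a Unix
// timestamp in seconds (the sample value 1640995200 reads as one).
const MAX_WAIT_MS = 60_000;     // never sleep longer than one rate-limit window
const FALLBACK_WAIT_MS = 1_000; // used when the reset header is missing or garbled

// Milliseconds to wait before the next request; 0 means "send now".
// `headers` is anything with a get(name) method: fetch Headers, or a Map
// keyed by lowercase header name.
function rateLimitDelayMs(status, headers, nowMs = Date.now()) {
  const remaining = Number.parseInt(headers.get('x-ratelimit-remaining') ?? '', 10);
  const resetSec = Number.parseInt(headers.get('x-ratelimit-reset') ?? '', 10);
  const exhausted = status === 429 || remaining === 0;
  if (!exhausted) return 0;
  if (!Number.isFinite(resetSec)) return FALLBACK_WAIT_MS;
  return Math.min(Math.max(resetSec * 1000 - nowMs, 0), MAX_WAIT_MS);
}

const defaultSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Sends the request and retries only on 429, at most maxAttempts times in total.
// fetchImpl and sleep are injectable so the logic can be exercised offline.
async function fetchWithRateLimit(url, options = {}, deps = {}) {
  const { fetchImpl = fetch, sleep = defaultSleep, maxAttempts = 3 } = deps;
  for (let attempt = 1; ; attempt += 1) {
    const res = await fetchImpl(url, options);
    if (res.status !== 429 || attempt >= maxAttempts) return res;
    await sleep(rateLimitDelayMs(res.status, res.headers));
  }
}
```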

Error Handling

The API uses standard HTTP status codes and returns detailed error information in JSON format.

Error Response Format

{
  "error": {
    "code": "INVALID_CREDENTIALS",
    "message": "The provided credentials are invalid",
    "details": {
      "field": "password",
      "reason": "Password does not match"
    }
  }
}

4xx Client Errors

  • 400 - Bad Request
  • 401 - Unauthorized
  • 403 - Forbidden
  • 404 - Not Found
  • 429 - Too Many Requests

5xx Server Errors

  • 500 - Internal Server Error
  • 502 - Bad Gateway
  • 503 - Service Unavailable
  • 504 - Gateway Timeout

SDKs and Libraries

Use these recommended libraries for easier integration with SavePoint Authentication:

JavaScript / TypeScript

npm install @better-auth/client

Official Better Auth client library with TypeScript support

React / Next.js

npm install @better-auth/react

React hooks and components for seamless integration

Quick Start Example

import { createAuthClient } from '@better-auth/client'

const authClient = createAuthClient({
  baseURL: 'https://auth.savepoint.com.au'
})

// Sign in
await authClient.signIn.email({
  email: 'user@example.com',
  password: 'password'
})

// Get session
const session = await authClient.getSession()