Authentication Service
Short Description: The Authentication Service handles user registration, login, OTP verification, password reset, and token management for the NextGate social commerce platform. This service provides secure account management with multi-channel OTP verification and JWT-based authentication.
Hints:
- All OTP codes are 6-digit numbers with 10-minute expiration
- Rate limiting: Maximum 5 OTP requests per 10-minute window
- Resend cooldown: 2 minutes between resend attempts
- JWT tokens include access tokens (short-lived) and refresh tokens (long-lived)
- Phone numbers must be in international E.164 format (+1234567890)
- Passwords must meet strong security requirements (8+ chars, uppercase, lowercase, digit, special character)
Endpoints
1. Account Registration
Purpose: Register a new user account and initiate OTP verification process
Endpoint: POST https://apinexgate.glueauth.com/api/v1/auth/register
Access Level: 🌐 Public (No authentication required)
Authentication: None
Request Headers:
| Header | Type | Required | Description |
|---|---|---|---|
| Content-Type | string | Yes | Must be "application/json" |
Request JSON Sample:
{
"phoneNumber": "+255712345678",
"password": "SecurePass123!",
"email": "john.doe@example.com",
"firstName": "John",
"lastName": "Doe",
"middleName": "Michael",
"verificationChannel": "EMAIL"
}
Request Body Parameters:
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| phoneNumber | string | Yes | User's phone number in international format | Must match E.164 format: +[country][number] (1-14 digits after +) |
| password | string | Yes | User's password | Min 8 chars, must contain uppercase, lowercase, digit, and special character (@$!%*?&#) |
| string | Yes | User's email address | Must be valid email format | |
| firstName | string | Yes | User's first name | Max 30 characters, cannot be blank |
| lastName | string | Yes | User's last name | Max 30 characters, cannot be blank |
| middleName | string | Yes | User's middle name | Max 30 characters, cannot be blank |
| verificationChannel | string | Yes | OTP delivery method | enum: EMAIL, SMS, WHATSAPP, VOICE_CALL, PUSH_NOTIFICATION, EMAIL_AND_SMS, SMS_AND_WHATSAPP, ALL_CHANNELS |
Response JSON Sample:
{
"success": true,
"httpStatus": "OK",
"message": "Registration successful",
"action_time": "2025-09-23T10:30:00",
"data": {
"tempToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"message": "OTP has been sent to your email",
"expireAt": "2025-09-23T10:40:00"
}
}
Response Fields:
| Field | Description |
|---|---|
| success | Boolean indicating operation success (always true for successful requests) |
| httpStatus | HTTP status code as string |
| message | Human-readable success message |
| action_time | ISO 8601 timestamp of when the response was generated |
| data.tempToken | JWT temporary token required for OTP verification (expires in 10 minutes) |
| data.message | Specific message about OTP delivery channel |
| data.expireAt | ISO 8601 timestamp when the temp token expires |
Error Responses:
400 Bad Request: Invalid request data, validation failures, or user already exists422 Unprocessable Entity: Business logic validation errors (e.g., duplicate email/phone)500 Internal Server Error: Server-side processing errors
Error Response Sample:
{
"success": false,
"httpStatus": "BAD_REQUEST",
"message": "User with provided credentials already exist, please login",
"action_time": "2025-09-23T10:30:00",
"data": "User with provided credentials already exist, please login"
}
2. Verify Registration OTP
Purpose: Complete user registration by verifying the OTP code sent during registration
Endpoint: POST https://apinexgate.glueauth.com/api/v1/auth/verify-otp
Access Level: 🌐 Public (Requires temporary token from registration)
Authentication: None (uses tempToken from registration response)
Request Headers:
| Header | Type | Required | Description |
|---|---|---|---|
| Content-Type | string | Yes | Must be "application/json" |
Request JSON Sample:
{
"tempToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"otpCode": "123456"
}
Request Body Parameters:
| Parameter | Type | Required | Description | Validation |
|---|---|---|---|---|
| tempToken | string | Yes | Temporary JWT token from registration response | Must be valid non-expired temp token |
| otpCode | string | Yes | 6-digit OTP code received via chosen channel | Must be exactly 6 digits (\d{6}) |
Response JSON Sample:
{
"success": true,
"httpStatus": "OK",
"message": "Registration completed successfully. You are now logged in.",
"action_time": "2025-09-23T10:35:00",
"data": {
"accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"refreshToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
"userData": {
"id": "123e4567-e89b-12d3-a456-426614174000",
"userName": "johndoe-a1B2c3D",
"firstName": "John",
"lastName": "Doe",
"middleName": "Michael",
"email": "john.doe@example.com",
"isVerified": true,
"isEmailVerified": true,
"isPhoneVerified": false,
"roles": ["ROLE_NORMAL_USER"],
"createdAt": "2025-09-23T10:30:00",
"editedAt": "2025-09-23T10:35:00"
}
}
}
Response Fields:
| Field | Description |
|---|---|
| success | Boolean indicating operation success |
| httpStatus | HTTP status code as string |
| message | Success message confirming registration completion |
| action_time | ISO 8601 timestamp of response generation |
| data.accessToken | JWT access token for API authentication (shorter lifespan) |
| data.refreshToken | JWT refresh token for obtaining new access tokens (longer lifespan) |
| data.userData.id | Unique user identifier (UUID) |
| data.userData.userName | Auto-generated username (email prefix + random suffix) |
| data.userData.firstName | User's first name |
| data.userData.lastName | User's last name |
| data.userData.middleName | User's middle name |
| data.userData.email | User's email address |
| data.userData.isVerified | Overall account verification status |
| data.userData.isEmailVerified | Email verification status |
| data.userData.isPhoneVerified | Phone verification status |
| data.userData.roles | Array of user roles/permissions |
| data.userData.createdAt | Account creation timestamp |
| data.userData.editedAt | Last modification timestamp |
Error Responses:
400 Bad Request: Invalid OTP code format or missing required fields401 Unauthorized: Invalid or expired temporary token422 Unprocessable Entity: OTP verification failed, max attempts exceeded, or token already used500 Internal Server Error: Server-side processing errors
Quick Reference Guide
Common HTTP Status Codes
200 OK: Successful GET/PUT/PATCH request201 Created: Successful POST request204 No Content: Successful DELETE request400 Bad Request: Invalid request data401 Unauthorized: Authentication required/failed403 Forbidden: Insufficient permissions404 Not Found: Resource not found422 Unprocessable Entity: Validation errors429 Too Many Requests: Rate limit exceeded500 Internal Server Error: Server error
Authentication Types
- Bearer Token: Include
Authorization: Bearer your_access_tokenin headers - Temporary Token: Used in request body for OTP verification flows
- Refresh Token: Used to obtain new access tokens when they expire
- None: No authentication required for public endpoints
Data Format Standards
- Dates: Use ISO 8601 format (2025-09-23T10:30:00Z)
- Phone Numbers: E.164 international format (+1234567890)
- UUIDs: Standard UUID format (123e4567-e89b-12d3-a456-426614174000)
- OTP Codes: 6-digit numeric strings
- Tokens: JWT format with proper expiration handling