User Registration & Auth

Each Partner API user is a Qwik-managed identity scoped to your organization. A user registered under your org cannot sign into the Qwik consumer app, and Qwik consumers cannot use your endpoints. An email/phone already registered on the main Qwik app is rejected.

POST/partner/auth/register

{ "userId": "firebase-uid", "email": "john@example.com", "phone_number": "+15551234567", "first_name": "John", "last_name": "Doe" }

POST/partner/auth/login

Verifies the password, then sends a one-time code to the matching email/phone. Does not return a session yet.

Body: password (required) + either email or phone_number.

{
  "message": "OTP sent",
  "userId": "..."
}

POST/partner/auth/verify-otp

Exchanges the OTP for a session token.

Body: code (required, ≥4 chars) + either email or phone_number.

{
  "sessionToken": "eyJhbGciOiJSUzI1NiIsInR5cCI6...",
  "expiresAt": 1750000000000,
  "user": { "id": "...", "email": "...", "phone_number": "...", "first_name": "John", "last_name": "Doe", "kyc_status": "pending" }
}

POST/partner/auth/forgot-password/send-otp

Body: email or phone_number. Always returns the same generic message (to avoid leaking which accounts exist):

{
  "message": "If an account exists for that contact, a password reset OTP has been sent."
}

POST/partner/auth/forgot-password/reset

Body: (email or phone_number) + code (≥4) + new_password (≥6).

{
  "message": "Password updated successfully"
}

POST/partner/auth/change-password

Body: current_password, new_password (≥6, must differ from current).

{
  "message": "Password updated successfully"
}

POST/partner/auth/logout

Revokes the current session.

{
  "message": "Logged out successfully"
}