Account

POST /account/*

Email-token flows: activation, password reset, email change. Tokens are single-use and delivered by email only — with MAIL_MAILER=log, scrape them from the backend's storage/logs/laravel.log.

Activate account

POST /account/activate (no auth) — marks the email verified. The token comes from the activation email in the backend mail log (TTL 48h). Token errors: TOKEN_INVALID / TOKEN_ALREADY_USED / TOKEN_EXPIRED, all 422.

From the {FRONTEND_URL}/activate?token=… link in storage/logs/laravel.log

Password reset — ask

POST /account/ask-to-update-password (no auth) — ALWAYS returns 200 OK, even for unknown emails, so account existence never leaks. If the account exists, a reset email (token TTL 1h) lands in the mail log.

Password reset — complete

POST /account/update-password (no auth) — sets the new password and revokes ALL bearer tokens for the account.

From the reset email (TTL 1h)

8–200 characters

Email change — ask

POST /account/ask-to-update-email (requires auth) — sends a confirmation email to the NEW address (token TTL 24h). EMAIL_ALREADY_EXISTS 422 if the new email is taken.

Checking session…

Email change — complete

POST /account/update-email (no auth) — sets the new email and marks it verified. If the new email got taken in the meantime: EMAIL_ALREADY_EXISTS 422 and the token is NOT burned.

From the confirmation email sent to the new address (TTL 24h)