Account
POST /account/*Email-token flows: activation, password reset, email change. Tokens are single-use and delivered by email only — with MAIL_MAILER=log, scrape them from the backend's storage/logs/laravel.log.
Activate account
POST /account/activate (no auth) — marks the email verified. The token comes from the activation email in the backend mail log (TTL 48h). Token errors: TOKEN_INVALID / TOKEN_ALREADY_USED / TOKEN_EXPIRED, all 422.
Password reset — ask
POST /account/ask-to-update-password (no auth) — ALWAYS returns 200 OK, even for unknown emails, so account existence never leaks. If the account exists, a reset email (token TTL 1h) lands in the mail log.
Password reset — complete
POST /account/update-password (no auth) — sets the new password and revokes ALL bearer tokens for the account.
Email change — ask
POST /account/ask-to-update-email (requires auth) — sends a confirmation email to the NEW address (token TTL 24h). EMAIL_ALREADY_EXISTS 422 if the new email is taken.
Checking session…
Email change — complete
POST /account/update-email (no auth) — sets the new email and marks it verified. If the new email got taken in the meantime: EMAIL_ALREADY_EXISTS 422 and the token is NOT burned.