Authentication
FastCMS provides a comprehensive authentication system with JWT, OAuth, 2FA, OTP passwordless login, session management, and support for custom user collections.
Authentication Methods
| Method | Setting | Description |
|---|---|---|
| Password | password_auth_enabled | Traditional email/password login |
| OAuth2 | oauth_enabled | Social login (Google, GitHub, etc.) |
| OTP | otp_enabled | Email code authentication |
| MFA | mfa_enabled | Multi-factor authentication |
1. Built-in Admin Authentication
The users table is for admin dashboard access only.
Endpoints:
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/auth/login | POST | Admin login |
| /api/v1/auth/register | POST | Create admin users |
| /api/v1/auth/refresh | POST | Refresh access token |
| /api/v1/auth/me | GET | Get current user info |
| /api/v1/auth/logout | POST | Logout (invalidate tokens) |
Login Example:

```bash
curl -X POST http://localhost:8000/api/v1/auth/login \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin@example.com",
    "password": "your-password"
  }'
```

Response:

```json
{
  "access_token": "eyJhbGc...",
  "refresh_token": "eyJhbGc...",
  "token_type": "bearer",
  "user": {
    "id": "uuid",
    "email": "admin@example.com",
    "role": "admin",
    "verified": true
  }
}
```

2. Auth Collections (Custom User Systems)
Create auth collections for your own user systems — customers, vendors, students, etc.
Creating an Auth Collection
```bash
curl -X POST http://localhost:8000/api/v1/collections \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -d '{
    "name": "customers",
    "type": "auth",
    "schema": {
      "fields": [
        {"name": "company", "type": "text"},
        {"name": "phone", "type": "text"}
      ]
    }
  }'
```

Auth Collection Endpoints
For a collection named customers:
| Endpoint | Method | Description |
|---|---|---|
| /api/v1/collections/customers/auth/register | POST | Customer registration |
| /api/v1/collections/customers/auth/login | POST | Customer login |
| /api/v1/collections/customers/auth/refresh | POST | Refresh token |
| /api/v1/collections/customers/auth/me | GET | Get current customer |
| /api/v1/collections/customers/auth/me/change-password | POST | Change password |
| /api/v1/collections/customers/auth/me/request-email-change | POST | Request email change |
| /api/v1/collections/customers/auth/me/confirm-email-change | POST | Confirm email change |
| /api/v1/collections/customers/auth/otp/request | POST | Request OTP code |
| /api/v1/collections/customers/auth/otp/verify | POST | Verify OTP |
| /api/v1/collections/customers/auth/sessions | GET | List active sessions |
| /api/v1/collections/customers/auth/sessions/{id} | DELETE | Revoke a session |
| /api/v1/collections/customers/auth/sessions/all | DELETE | Logout all devices |
Registration:
```bash
curl -X POST http://localhost:8000/api/v1/collections/customers/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "email": "customer@example.com",
    "password": "securepassword123",
    "company": "Acme Inc",
    "phone": "+1234567890"
  }'
```

OTP / Passwordless Login
OTP (One-Time Password) lets users log in with a code sent to their email — no password required.
Enable it per-collection in settings (otp_enabled: true).
Step 1: Request a code
```bash
curl -X POST http://localhost:8000/api/v1/collections/customers/auth/otp/request \
  -H "Content-Type: application/json" \
  -d '{"email": "customer@example.com"}'
```

FastCMS sends a 6-digit code to the email address. Codes are valid for 10 minutes.
Step 2: Verify the code
```bash
curl -X POST http://localhost:8000/api/v1/collections/customers/auth/otp/verify \
  -H "Content-Type: application/json" \
  -d '{
    "email": "customer@example.com",
    "code": "483921"
  }'
```

Response: Same token format as regular login (access_token, refresh_token, user).
OTP and password login can coexist — both are available when enabled.
Email Change
Users can update their email address with a two-step verified flow:
Step 1: Request the change (must be authenticated)
```bash
curl -X POST http://localhost:8000/api/v1/collections/customers/auth/me/request-email-change \
  -H "Authorization: Bearer ACCESS_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "new_email": "new@example.com",
    "password": "current_password"
  }'
```

FastCMS sends a verification link to the new email address.
Step 2: Confirm with the token from the email
```bash
curl -X POST http://localhost:8000/api/v1/collections/customers/auth/me/confirm-email-change \
  -H "Content-Type: application/json" \
  -d '{"token": "verification-token-from-email"}'
```

The email is updated only after this confirmation step.
Session Management
Every login creates a tracked session. Users can view and revoke active sessions across devices.
List active sessions:
```bash
curl http://localhost:8000/api/v1/collections/customers/auth/sessions \
  -H "Authorization: Bearer ACCESS_TOKEN"
```

Response:

```json
[
  {
    "id": "session-uuid",
    "created": "2026-03-01T10:00:00Z",
    "last_used": "2026-03-02T08:30:00Z",
    "user_agent": "Mozilla/5.0..."
  }
]
```

Revoke a specific session:

```bash
curl -X DELETE \
  http://localhost:8000/api/v1/collections/customers/auth/sessions/session-uuid \
  -H "Authorization: Bearer ACCESS_TOKEN"
```

Logout all devices:

```bash
curl -X DELETE \
  http://localhost:8000/api/v1/collections/customers/auth/sessions/all \
  -H "Authorization: Bearer ACCESS_TOKEN"
```

Using Authentication Headers
Send the access token in the Authorization header of every authenticated request:

```
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

```javascript
const response = await fetch('/api/v1/collections/products/records', {
  headers: {
    'Authorization': `Bearer ${accessToken}`,
    'Content-Type': 'application/json'
  }
});
```

Token Refresh
When the access token expires, use the refresh token:
```bash
curl -X POST http://localhost:8000/api/v1/auth/refresh \
  -H "Content-Type: application/json" \
  -d '{"refresh_token": "eyJhbGc..."}'
```

Authentication Settings
Configure via Admin > Settings > Authentication or via API:
Auth Methods
| Setting | Default | Description |
|---|---|---|
| password_auth_enabled | true | Enable password authentication |
| oauth_enabled | true | Enable OAuth2 |
| otp_enabled | false | Enable OTP (email code) |
| mfa_enabled | false | Enable Multi-Factor Authentication |
Password Requirements
| Setting | Default | Description |
|---|---|---|
| password_min_length | 8 | Minimum password length |
| password_require_upper | false | Require uppercase letter |
| password_require_number | false | Require number |
| password_require_special | false | Require special character |
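A client-side pre-check that mirrors the password_* settings in this table, added here as an example (it is not FastCMS code). The server's own validation stays authoritative; `checkPassword`, `DEFAULT_POLICY` and `PRODUCTION_POLICY` are hypothetical names, and the meaning of "special character" is an assumption, since the page does not define it.

```javascript
// Added example, not FastCMS project code: a client-side pre-check that mirrors
// the password_* settings in the table above (defaults as listed there). The
// server's own validation stays authoritative; this only gives early feedback.
const DEFAULT_POLICY = {
  password_min_length: 8,
  password_require_upper: false,
  password_require_number: false,
  password_require_special: false,
};

// Returns the unmet rules as human-readable strings; an empty array means the
// password satisfies the given policy.
function checkPassword(password, settings = {}) {
  const policy = { ...DEFAULT_POLICY, ...settings };
  const failures = [];
  // Count code points rather than UTF-16 units so non-BMP characters count once.
  if ([...password].length < policy.password_min_length) {
    failures.push(`at least ${policy.password_min_length} characters`);
  }
  if (policy.password_require_upper && !/\p{Lu}/u.test(password)) {
    failures.push('an uppercase letter');
  }
  if (policy.password_require_number && !/\p{Nd}/u.test(password)) {
    failures.push('a number');
  }
  // Assumption: "special" means any character that is neither a letter nor a
  // digit; the page does not define FastCMS's exact character class.
  if (policy.password_require_special && !/[^\p{L}\p{N}]/u.test(password)) {
    failures.push('a special character');
  }
  return failures;
}

// A production profile as the Security Best Practices section recommends:
// every complexity requirement on and a longer minimum (12 is an assumption).
const PRODUCTION_POLICY = {
  password_min_length: 12,
  password_require_upper: true,
  password_require_number: true,
  password_require_special: true,
};
```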
Token Settings
| Setting | Default | Description |
|---|---|---|
| token_expiry_hours | 24 | Access token expiry |
| refresh_token_expiry_days | 7 | Refresh token expiry |
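The refresh flow from the Token Refresh section, as an added client-side example (not FastCMS code): once token_expiry_hours has elapsed a request comes back 401, so the client refreshes once via /api/v1/auth/refresh and retries, and gives up if the refresh token itself is rejected. `FastCmsClient` and the in-memory stand-in server are hypothetical, and the assumption that a refresh returns a new token pair is the example's, not something the page states.

```javascript
// Added example, not FastCMS project code: a client that refreshes an expired
// access token once via POST /api/v1/auth/refresh (token shape as shown above).
class FastCmsClient {
  constructor(baseUrl, tokens, fetchImpl = globalThis.fetch) {
    this.baseUrl = baseUrl;
    this.tokens = tokens;        // { access_token, refresh_token }
    this.fetchImpl = fetchImpl;  // injectable so the flow can be exercised offline
    this.refreshing = null;      // single-flight: concurrent 401s share one refresh
  }

  refresh() {
    if (!this.refreshing) {
      this.refreshing = this.fetchImpl(`${this.baseUrl}/api/v1/auth/refresh`, {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({ refresh_token: this.tokens.refresh_token }),
      }).then(async (res) => {
        if (!res.ok) throw new Error(`refresh rejected (${res.status}); re-login required`);
        this.tokens = await res.json();  // store the new pair, not just access_token
      }).finally(() => { this.refreshing = null; });
    }
    return this.refreshing;
  }

  async request(path, init = {}, retried = false) {
    const headers = { ...(init.headers || {}), Authorization: `Bearer ${this.tokens.access_token}` };
    const res = await this.fetchImpl(`${this.baseUrl}${path}`, { ...init, headers });
    if (res.status !== 401 || retried) return res;  // retry at most once, never loop
    await this.refresh();
    return this.request(path, init, true);
  }
}

// Constructed stand-in for a FastCMS server (hypothetical behaviour for the demo):
// one access token is valid at a time and each refresh rotates both tokens.
function makeFakeServer() {
  let n = 1, access = 'acc-1', refreshTok = 'ref-1';
  const reply = (status, body) => ({ status, ok: status < 400, json: async () => body });
  return async (url, init = {}) => {
    if (url.endsWith('/api/v1/auth/refresh')) {
      if (JSON.parse(init.body).refresh_token !== refreshTok) return reply(401, {});
      n += 1; access = `acc-${n}`; refreshTok = `ref-${n}`;
      return reply(200, { access_token: access, refresh_token: refreshTok, token_type: 'bearer' });
    }
    const ok = (init.headers || {}).Authorization === `Bearer ${access}`;
    return ok ? reply(200, { items: [] }) : reply(401, { detail: 'token expired' });
  };
}
```

For a collection-scoped user, point the refresh call at /api/v1/collections/{name}/auth/refresh instead; the retry logic is the same.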
Security Best Practices
- Use HTTPS — always use HTTPS in production
- Token Storage — store tokens in httpOnly cookies
- Short Expiry — use short access token expiry with refresh tokens
- Password Requirements — enable complexity requirements for production
- Rate Limiting — enabled by default to prevent brute force attacks