> ## Documentation Index
> Fetch the complete documentation index at: https://docs.thig.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Authenticate with the thig.ai API

# Authentication

## Session Authentication

The primary authentication method is session-based via NextAuth. When signed in through the web application, API requests from the same browser session are automatically authenticated via cookies.

## API Key Authentication

Organization administrators can create REST API keys for programmatic access. Keys follow the format `thig_` + 40 hexadecimal characters.

Include the API key in the `Authorization` header:

```bash theme={null}
curl -H "Authorization: Bearer thig_a1b2c3d4e5f6..." \
  https://app.thig.ai/api/projects
```

**All 225+ API endpoints** support API key authentication — no special configuration needed per endpoint.

### Key Management

Create and manage API keys at **Settings > Developer** (`/admin/settings/developer`) or via the API:

```bash theme={null}
# Create a key
curl -X POST https://app.thig.ai/api/admin/rest-api-keys \
  -H "Authorization: Bearer thig_EXISTING_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI/CD Pipeline", "expiresAt": "2027-01-01T00:00:00Z"}'

# List keys
curl -H "Authorization: Bearer thig_YOUR_KEY" \
  https://app.thig.ai/api/admin/rest-api-keys
```

### Rate Limits

API keys are rate-limited to **60 requests per minute** by default. Enterprise plans can configure custom per-key limits.

### Plan Availability

| Plan         | API Keys      |
| ------------ | ------------- |
| Free         | Not available |
| Starter      | 2 keys        |
| Professional | 10 keys       |
| Enterprise   | Unlimited     |

## Auth Endpoints

### Register

<ParamField body="name" type="string" required>
  Full name of the user
</ParamField>

<ParamField body="email" type="string" required>
  Email address
</ParamField>

<ParamField body="password" type="string" required>
  Password (min 8 chars, must include uppercase, lowercase, and digit)
</ParamField>

<ParamField body="timezone" type="string">
  IANA timezone string (e.g., "America/New\_York")
</ParamField>

<ParamField body="inviteToken" type="string">
  Optional invitation token to join an organization
</ParamField>

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.thig.ai/api/auth/register \
    -H "Content-Type: application/json" \
    -d '{
      "name": "Jane Doe",
      "email": "jane@example.com",
      "password": "SecurePass1",
      "timezone": "America/New_York"
    }'
  ```

  ```javascript JavaScript theme={null}
  const res = await fetch('https://app.thig.ai/api/auth/register', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      name: 'Jane Doe',
      email: 'jane@example.com',
      password: 'SecurePass1',
      timezone: 'America/New_York'
    })
  });
  const { user } = await res.json();
  ```
</CodeGroup>

### Sign Out

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.thig.ai/api/auth/sign-out \
    -H "Cookie: next-auth.session-token=YOUR_SESSION"
  ```

  ```javascript JavaScript theme={null}
  await fetch('https://app.thig.ai/api/auth/sign-out', {
    method: 'POST',
    credentials: 'include'
  });
  ```
</CodeGroup>

### Forgot Password

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.thig.ai/api/auth/forgot-password \
    -H "Content-Type: application/json" \
    -d '{"email": "jane@example.com"}'
  ```

  ```javascript JavaScript theme={null}
  await fetch('https://app.thig.ai/api/auth/forgot-password', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email: 'jane@example.com' })
  });
  // Always returns 200 to prevent email enumeration
  ```
</CodeGroup>

### Reset Password

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.thig.ai/api/auth/reset-password \
    -H "Content-Type: application/json" \
    -d '{
      "token": "reset-token-from-email",
      "password": "NewSecurePass1",
      "confirmPassword": "NewSecurePass1"
    }'
  ```

  ```javascript JavaScript theme={null}
  await fetch('https://app.thig.ai/api/auth/reset-password', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({
      token: 'reset-token-from-email',
      password: 'NewSecurePass1',
      confirmPassword: 'NewSecurePass1'
    })
  });
  ```
</CodeGroup>

### Change Password (Authenticated)

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.thig.ai/api/auth/change-password \
    -H "Content-Type: application/json" \
    -H "Cookie: next-auth.session-token=YOUR_SESSION" \
    -d '{"currentPassword": "OldPass1", "newPassword": "NewPass1"}'
  ```

  ```javascript JavaScript theme={null}
  await fetch('https://app.thig.ai/api/auth/change-password', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    credentials: 'include',
    body: JSON.stringify({
      currentPassword: 'OldPass1',
      newPassword: 'NewPass1'
    })
  });
  ```
</CodeGroup>

### Verify Email

<CodeGroup>
  ```bash curl theme={null}
  curl "https://app.thig.ai/api/auth/verify-email?token=verification-token-from-email"
  ```

  ```javascript JavaScript theme={null}
  const res = await fetch(
    `https://app.thig.ai/api/auth/verify-email?token=${token}`
  );
  const { verified } = await res.json();
  ```
</CodeGroup>

### Resend Verification Email

<CodeGroup>
  ```bash curl theme={null}
  curl -X POST https://app.thig.ai/api/auth/resend-verification \
    -H "Content-Type: application/json" \
    -d '{"email": "jane@example.com"}'
  ```

  ```javascript JavaScript theme={null}
  await fetch('https://app.thig.ai/api/auth/resend-verification', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ email: 'jane@example.com' })
  });
  ```
</CodeGroup>

## Permissions

API access respects your organization role:

| Role       | Access Level                              |
| ---------- | ----------------------------------------- |
| **Owner**  | Full access to all resources and settings |
| **Admin**  | Manage team, templates, and settings      |
| **Member** | Create and manage own projects            |
| **Viewer** | Read-only access to shared projects       |

## Security

* Account lockout after 5 failed login attempts (15-minute lockout, 30-minute reset)
* Rate limiting on auth endpoints to prevent brute force
* Passwords hashed with bcryptjs
* API keys encrypted at rest with AES-256-GCM

## Share Token Authentication

Some endpoints support unauthenticated access via share tokens for external collaboration:

```bash theme={null}
curl -H "x-share-token: SHARE_TOKEN" \
  -H "x-share-password: OPTIONAL_PASSWORD" \
  https://app.thig.ai/api/projects/PROJECT_ID
```

Supported on: project detail, PRD content, status history, and activity endpoints.
