Base path: Config.BasePath (default /auth). Mount with trailing slash: mux.Handle("/auth/", auth).
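Why the trailing slash matters, shown as an added example (not the project's own code): Go's net/http ServeMux treats /auth as an exact-path pattern and /auth/ as a subtree pattern, so only the second form reaches routes such as /auth/session. stubAuth and statusFor are hypothetical stand-ins for the library's handler, and the provider name "example" is constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// stubAuth stands in for the auth handler (assumption): it answers every
// request that reaches it with 200 and echoes the path it received.
func stubAuth() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "auth saw %s", r.URL.Path)
	})
}

// statusFor mounts the stub at pattern on a fresh ServeMux and returns the
// status code a GET to path produces.
func statusFor(pattern, path string) int {
	mux := http.NewServeMux()
	mux.Handle(pattern, stubAuth())
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code
}

func main() {
	// Constructed request paths; "/authx" checks that the subtree pattern
	// does not swallow sibling paths that merely share the prefix.
	paths := []string{"/auth", "/auth/session", "/auth/callback/example", "/authx"}
	for _, pattern := range []string{"/auth", "/auth/"} {
		for _, p := range paths {
			fmt.Printf("pattern=%-8q GET %-24s -> %d\n", pattern, p, statusFor(pattern, p))
		}
	}
}
```

With the exact-path mount every route under the base path returns 404, which surfaces as sign-in and callback requests failing before they ever reach the auth handler.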
Core routes
| Method | Path | Description |
|---|---|---|
| GET | /session | Session JSON or {} |
| GET | /csrf | CSRF token |
| GET | /providers | Provider metadata |
| GET | /signin | Redirect to Pages.SignIn or list providers |
| GET/POST | /signin/:provider | Start sign-in |
| GET/POST | /callback/:provider | OAuth callback / credentials POST / passkey JSON |
| POST | /signout | End session |
| POST | /token | Refresh bearer tokens (Tokens.Enabled) |
MFA
| Method | Path | Body / query |
|---|---|---|
| GET | /mfa/device | userId, deviceId (query or form) — returns { trusted, skipMfa } |
| POST | /mfa/verify | challenge, code, optional trustDevice, deviceId |
Sessions
| Method | Path | Auth |
|---|---|---|
| GET | /sessions | Session required |
| DELETE | /sessions?token= | Session required |
Passkey-specific
| Method | Path | Notes |
|---|---|---|
| POST | /signin/passkey | action=register or default authenticate; optional email |
| POST | /callback/passkey | JSON credential or form credential |
Provider-specific callbacks
| Provider | Callback method |
|---|---|
| OAuth/OIDC | GET |
| credentials | POST |
| email | GET (magic link) |
| otp | POST |
| passkey | POST |