API endpoints

Authentication

  • /login/ (POST)

    • email

    • password

    Returns: access, refresh (in cookie by default)

    Reverse name: rest_login

Note

Django REST Framework throttling is enabled; see: https://www.django-rest-framework.org/api-guide/throttling/

  • /refresh/ (POST)

    • refresh (from cookie by default)

    Returns: access, refresh (in cookie by default)

    Reverse name: token_refresh

  • /logout/ (POST) [Authenticated]

    • refresh

    Reverse name: rest_logout

  • /logout-all/ (POST)

  • /password/reset/ (POST) [Authenticated]

    • email

    Returns: access, refresh (in cookie by default)

    Reverse name: rest_password_reset

Note

Django REST Framework throttling is enabled; see: https://www.django-rest-framework.org/api-guide/throttling/

Warning

Requires an email server to be configured.

  • /password/reset/confirm/<str:uidb64>/<str:token>/ (GET)

    Reverse name: password_reset_confirm

Note

The uid and token are sent by email after calling /rest-auth/password/reset/

  • /password/reset/default/ (GET)

    Reverse name: default_password_reset

Note

Default password reset form. Used when PASSWORD_RESET_REDIRECT is not configured.

  • /password/reset/complete/ (GET)

    Reverse name: jwt_allauth_password_reset_complete

Note

Used when PASSWORD_RESET_REDIRECT is not configured.

  • /password/reset/set-new/ (POST) [Cookie]

    • new_password1

    • new_password2

    Reverse name: password_reset_confirm

  • /password/change/ (POST) [Authenticated]

    • new_password1

    • new_password2

    • old_password

    Reverse name: rest_password_change

Note

Set OLD_PASSWORD_FIELD_ENABLED = True to use old_password (default).

Note

Set LOGOUT_ON_PASSWORD_CHANGE = True to log out of the remaining sessions.

  • /user/ (GET, PUT, PATCH) [Authenticated]

    • email

    • first_name

    • last_name

    Returns: email, first_name, last_name

    Reverse name: rest_user_details

Registration

  • /registration/ (POST)

    • password1

    • password2

    • email

    • first_name

    • last_name

    Reverse name: rest_register

  • /registration/verification/<str:key>/ (GET)

    Reverse name: account_confirm_email

Note

Disabled when EMAIL_VERIFICATION = False.

  • /registration/account_email_verification_sent/ (GET)

    Reverse name: account_email_verification_sent

Note

Disabled when EMAIL_VERIFICATION = False.

  • /registration/verified/ (GET)

    Reverse name: jwt_allauth_email_verified

Note

Disabled if EMAIL_VERIFIED_REDIRECT is defined or EMAIL_VERIFICATION = False.

Refresh Token Configuration

Note

By default, refresh tokens are sent as secure HTTP-only cookies for enhanced security. This protects against XSS attacks by making tokens inaccessible to JavaScript. You can configure this behavior using the JWT_ALLAUTH_REFRESH_TOKEN_AS_COOKIE setting. When set to False, refresh tokens will be included in the JSON response payload instead.
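
A deployment check for the behaviour described in this note, added here as an example and not part of the project's own code: it inspects a /login/ or /refresh/ response and reports when the refresh token is not confined to an HttpOnly, Secure cookie. The cookie name `refresh_token`, the function name, and the sample responses are assumptions made for illustration; the page does not state the cookie name.

```python
import json
from http.cookies import SimpleCookie

# Assumption: the page does not name the cookie; "refresh_token" is a placeholder.
REFRESH_COOKIE = "refresh_token"


def audit_token_response(set_cookie_headers, body, as_cookie=True):
    """Check a /login/ or /refresh/ response against the documented behaviour.

    as_cookie mirrors JWT_ALLAUTH_REFRESH_TOKEN_AS_COOKIE. Returns a list of findings.
    """
    payload = json.loads(body)
    morsel = None
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if REFRESH_COOKIE in jar:
            morsel = jar[REFRESH_COOKIE]

    findings = []
    if not as_cookie:
        # Payload mode: the refresh token belongs in the JSON body only.
        if "refresh" not in payload:
            findings.append("refresh token missing from JSON body")
        if morsel is not None:
            findings.append("refresh cookie set although cookie mode is off")
        return findings

    # Cookie mode (default): the token must not be reachable from JavaScript.
    if "refresh" in payload:
        findings.append("refresh token in JSON body, readable by page scripts")
    if morsel is None:
        findings.append("refresh cookie not set")
        return findings
    if not morsel["httponly"]:
        findings.append("refresh cookie lacks HttpOnly")
    if not morsel["secure"]:
        findings.append("refresh cookie lacks Secure")
    return findings


# Constructed sample responses (not captured from a real server).
GOOD = (["refresh_token=constructed.refresh.value; HttpOnly; Secure; Path=/"],
        '{"access": "constructed.access.value"}')
WEAK = (["refresh_token=constructed.refresh.value; Path=/"],
        '{"access": "constructed.access.value", "refresh": "constructed.refresh.value"}')
```
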