First Sign-In

New user accounts require a password to be set before the first full login. When a fresh account authenticates, the login endpoint returns a session_token instead of a full session.


Set Password on First Login

POST /api/first-signin

Requires the session_token returned by the login endpoint on first sign-in.

Request Body

{
  "session_token": "<token-from-login-response>",
  "new_password": "your-new-password"
}

| Field | Type | Required | Description |
|---|---|---|---|
| session_token | string | Yes | Short-lived token from the initial login response |
| new_password | string | Yes | New password - minimum 8 characters |

Response

HTTP/1.1 200 OK
Set-Cookie: access_token_cookie=<jwt>; HttpOnly; SameSite=Lax; Path=/
Set-Cookie: csrf_access_token=<token>; SameSite=Lax; Path=/

{
  "login": true
}

A full session is established immediately after the password is set.


Flow

1. POST /api/authenticate  →  {"first_signin": true, "session_token": "..."}
2. POST /api/first-signin  →  {"login": true} + session cookies
3. Normal API usage begins
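
The three-step flow above as a Python client, added here as an illustration and not part of the API's own documentation or code. The `post` transport, the `fake_server` stand-in and the credential field names are assumptions; the stand-in returns constructed values in the shape of the responses shown on this page.

```python
MIN_PASSWORD_LEN = 8  # "minimum 8 characters" from the field table

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    pair, *attrs = [p.strip() for p in header.split(";")]
    name, _, value = pair.partition("=")
    return name, value, {a.partition("=")[0].lower(): a.partition("=")[2] for a in attrs}

def first_signin(post, credentials, new_password):
    """Run the documented flow. post(path, body) -> (status, set_cookie_list, json)
    is a hypothetical transport supplied by the caller."""
    if len(new_password) < MIN_PASSWORD_LEN:
        raise ValueError("new_password must be at least 8 characters")
    _, _, auth = post("/api/authenticate", credentials)
    if not auth.get("first_signin"):
        raise RuntimeError("account is not in first sign-in state")
    status, set_cookies, body = post("/api/first-signin", {
        "session_token": auth["session_token"], "new_password": new_password})
    if status != 200 or body.get("login") is not True:
        raise RuntimeError("first sign-in was rejected")
    cookies = {n: (v, a) for n, v, a in map(parse_set_cookie, set_cookies)}
    # Enforce the cookie shape shown in the documented response: HttpOnly on
    # the JWT cookie, and no HttpOnly on the CSRF cookie.
    if "httponly" not in cookies["access_token_cookie"][1]:
        raise RuntimeError("access_token_cookie is missing HttpOnly")
    if "httponly" in cookies["csrf_access_token"][1]:
        raise RuntimeError("csrf_access_token is unexpectedly HttpOnly")
    return {n: v for n, (v, _) in cookies.items()}

def fake_server(path, body):
    """Constructed stand-in that mirrors the responses shown on this page."""
    if path == "/api/authenticate":
        return 200, [], {"first_signin": True, "session_token": "constructed-token"}
    if path == "/api/first-signin" and body["session_token"] == "constructed-token":
        return 200, [
            "access_token_cookie=constructed.jwt.value; HttpOnly; SameSite=Lax; Path=/",
            "csrf_access_token=constructed-csrf; SameSite=Lax; Path=/",
        ], {"login": True}
    return 401, [], {"login": False}  # constructed failure response

if __name__ == "__main__":
    creds = {"username": "new.user", "password": "temporary"}  # field names assumed
    print(first_signin(fake_server, creds, "a-longer-passphrase"))
```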