BIO.RE
Authentication

Current User Identity

Get the current authenticated user's identity (id, email, username, displayName, avatar, status, emailVerified).

GET /api/v1/auth/me — 🔑 User-auth (Bearer JWT) · Rate limit: 60 req / hour

Returns the current authenticated user's identity. Lightweight: only canonical user fields, no role or permission data (use /users/profile for a richer profile).

This is the canonical "who am I" endpoint — frontends typically call it on app boot to hydrate the auth state and decide rendering (creator vs fan, verified vs unverified, status).

Request

Headers

| Header | Value | Notes |
| --- | --- | --- |
| Authorization | Bearer <accessToken> | Required |

No body, no query params.

Response

200 OK: ApiResponseOf<UserIdentityResponseDto>

{
  "success": true,
  "data": {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "email": "[email protected]",
    "username": "creator",
    "displayName": "Awesome Creator",
    "avatarUrl": "https://cdn.bio.re/avatars/abc.jpg",
    "status": "ACTIVE",
    "emailVerified": true
  }
}

UserIdentityResponseDto fields

| Field | Type | Notes |
| --- | --- | --- |
| id | string (UUID) | User.id |
| email | string | User.email (lowercase) |
| username | string \| null | User.username (nullable — fan accounts may not have one) |
| displayName | string \| null | User.displayName |
| avatarUrl | string \| null | User.avatarUrl |
| status | enum | One of: ACTIVE, SUSPENDED, BANNED, DELETED, DEACTIVATED |
| emailVerified | boolean | User.emailVerified |

Errors

| HTTP | code / i18nKey | Reason |
| --- | --- | --- |
| 401 | (no JWT or invalid) | Not authenticated or token expired |
| 429 | (throttle) | Rate limit exceeded (60 req/hour) |

Side effects

  1. Lookup User by id (decoded from JWT).
  2. Project to UserIdentityResponseDto (no relations loaded).
  3. No mutations.

Code samples

curl -X GET https://api.bio.re/api/v1/auth/me \
  -H 'Authorization: Bearer <accessToken>'

type Identity = {
  id: string;
  email: string;
  username: string | null;
  displayName: string | null;
  avatarUrl: string | null;
  status: 'ACTIVE' | 'SUSPENDED' | 'BANNED' | 'DELETED' | 'DEACTIVATED';
  emailVerified: boolean;
};

async function getMe(accessToken: string): Promise<Identity> {
  const res = await fetch('https://api.bio.re/api/v1/auth/me', {
    headers: { 'Authorization': `Bearer ${accessToken}` },
  });
  const json = await res.json();
  if (!res.ok || !json.success) {
    throw Object.assign(new Error(json?.error?.message ?? 'Failed'), {
      code: json?.error?.code,
    });
  }
  return json.data;
}

import { useQuery } from '@tanstack/react-query';

export const meKeys = {
  identity: ['auth', 'me'] as const,
};

export function useMe() {
  return useQuery({
    queryKey: meKeys.identity,
    queryFn: async () => {
      // getAccessToken() is the app's own token accessor; it is not defined in this sample.
      const res = await fetch('/api/v1/auth/me', {
        headers: { 'Authorization': `Bearer ${getAccessToken()}` },
      });
      const json = await res.json();
      if (!res.ok || !json.success) {
        if (res.status === 401) {
          // Trigger refresh flow or redirect to login
          throw Object.assign(new Error('Unauthenticated'), { code: 'auth.unauthenticated' });
        }
        throw Object.assign(new Error(json?.error?.message ?? 'Failed'), {
          code: json?.error?.code,
        });
      }
      return json.data as Identity;
    },
    staleTime: 5 * 60 * 1000, // 5 min — identity rarely changes
  });
}
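
The samples above cast json.data to Identity with no runtime check, so a malformed or unexpected payload flows straight into rendering decisions. The following TypeScript is an added example, not bio.re's own code: parseIdentity, renderMode and CheckedIdentity are hypothetical names. It validates the documented UserIdentityResponseDto fields, drops undocumented ones, and fails closed on any status other than ACTIVE.

```typescript
// Added example; all names here are hypothetical, not from the bio.re code base.
const STATUSES = ['ACTIVE', 'SUSPENDED', 'BANNED', 'DELETED', 'DEACTIVATED'] as const;
type Status = (typeof STATUSES)[number];

type CheckedIdentity = {
  id: string; email: string; status: Status; emailVerified: boolean;
  username: string | null; displayName: string | null; avatarUrl: string | null;
};

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Required, non-empty string field.
function str(o: Record<string, unknown>, key: string): string {
  const v = o[key];
  if (typeof v !== 'string' || v.length === 0) throw new Error(`identity.${key}: expected non-empty string`);
  return v;
}

// Field documented as "string | null": null is accepted, a missing key is not.
function nullableStr(o: Record<string, unknown>, key: string): string | null {
  const v = o[key];
  if (v === null) return null;
  if (typeof v !== 'string') throw new Error(`identity.${key}: expected string or null`);
  return v;
}

// Builds a fresh object from the seven documented fields only, so extra keys
// in the payload never reach application state.
function parseIdentity(data: unknown): CheckedIdentity {
  if (typeof data !== 'object' || data === null || Array.isArray(data)) {
    throw new Error('identity: expected object');
  }
  const o = data as Record<string, unknown>;
  const id = str(o, 'id');
  if (!UUID_RE.test(id)) throw new Error('identity.id: expected UUID');
  const status = STATUSES.find((s) => s === o['status']);
  if (status === undefined) throw new Error('identity.status: unknown value');
  const emailVerified = o['emailVerified'];
  if (typeof emailVerified !== 'boolean') throw new Error('identity.emailVerified: expected boolean');
  return {
    id, email: str(o, 'email'), status, emailVerified,
    username: nullableStr(o, 'username'), displayName: nullableStr(o, 'displayName'),
    avatarUrl: nullableStr(o, 'avatarUrl'),
  };
}

// Rendering decision only, not an authorization check: anything but ACTIVE is blocked.
function renderMode(me: CheckedIdentity): 'full' | 'verify-email' | 'blocked' {
  if (me.status !== 'ACTIVE') return 'blocked';
  return me.emailVerified ? 'full' : 'verify-email';
}
```

In getMe or the useMe queryFn, return parseIdentity(json.data) in place of the bare cast.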

Try it

GET /api/v1/auth/me
Authorization: Bearer <token> (in: header)

Response Body

application/json

{
  "success": true,
  "data": {
    "id": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
    "email": "[email protected]",
    "username": "johndoe",
    "displayName": "John Doe",
    "avatarUrl": "https://cdn.bio.re/avatars/abc.jpg",
    "status": "ACTIVE",
    "emailVerified": true,
    "locale": "en",
    "intent": "creator",
    "twoFactorEnabled": false,
    "isCreator": true
  }
}

{
  "success": false,
  "error": {
    "code": "AUTH_UNAUTHORIZED",
    "message": "Invalid credentials",
    "i18nKey": "auth.login.invalid_credentials",
    "i18nVars": {
      "field": "email"
    },
    "details": [
      {
        "message": "email must be an email"
      }
    ],
    "correlationId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
  }
}

Source

| Source | Path | Lines |
| --- | --- | --- |
| Controller | apps/api-core/src/modules/auth/auth.controller.ts | 299–313 |
| DTO (response) | apps/api-core/src/modules/auth/dto/response.dto.ts | 49–82 (UserIdentityResponseDto) |
| Service | apps/api-core/src/modules/auth/auth.service.ts | getIdentity(userId) |
| Prisma model | packages/prisma/prisma/schema.prisma | User (status, emailVerified, username) |
