Authentication

Anonfeedback uses a JWT stored in an auth_token HttpOnly cookie. All protected endpoints read this cookie automatically; you do not need to set an Authorization header from the browser.

For server-to-server requests, pass the token as a cookie header:

Cookie: auth_token=<token>

Login

POST /api/auth/login
{
  "email": "[email protected]",
  "password": "your-password"
}

Response 200

{
  "message": "Login successful",
  "user": {
    "_id": "64a1b2c3d4e5f6a7b8c9d0e1",
    "name": "Jane",
    "lastName": "Doe",
    "email": "[email protected]",
    "role": "admin",
    "organization": "64a1b2c3d4e5f6a7b8c9d0e2"
  }
}

The auth_token cookie is set in the response. Subsequent requests from the same browser session are automatically authenticated.
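The server-to-server flow described above, as an added example that is not part of the Anonfeedback docs: a client pulls auth_token out of the login response's Set-Cookie header, refuses it unless it is marked HttpOnly and Secure, checks the token's exp claim before reusing it, and builds the Cookie header for later requests. The JWT and Set-Cookie values are constructed here; only the cookie name and header format come from the page.

```python
import base64
import json
from http.cookies import SimpleCookie

COOKIE_NAME = "auth_token"  # cookie name documented for Anonfeedback


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_from_set_cookie(set_cookie: str) -> str:
    """Extract auth_token from a Set-Cookie header, insisting on HttpOnly+Secure
    so a misconfigured deployment fails loudly at the client instead of silently."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        raise ValueError(f"login response did not set {COOKIE_NAME}")
    if not morsel["httponly"] or not morsel["secure"]:
        raise ValueError(f"{COOKIE_NAME} must be HttpOnly and Secure")
    return morsel.value


def token_expired(token: str, now: int, skew: int = 30) -> bool:
    """Read the (unverified) exp claim to decide whether to log in again.
    Only the server verifies the signature; a token without exp counts as expired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    exp = json.loads(_b64url_decode(parts[1])).get("exp")
    return exp is None or now + skew >= exp


def cookie_header(token: str) -> dict:
    """Header for server-to-server calls, in the format the docs give."""
    return {"Cookie": f"{COOKIE_NAME}={token}"}


# Constructed sample: JWT with a fixed exp and a placeholder signature segment.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
    _b64url_encode(json.dumps({"sub": "64a1b2c3d4e5f6a7b8c9d0e1", "exp": 1700000000}).encode()),
    "c2lnbmF0dXJl",  # not a real signature
])
SAMPLE_SET_COOKIE = f"{COOKIE_NAME}={SAMPLE_TOKEN}; Path=/; HttpOnly; Secure; SameSite=Lax"
```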


Google OAuth

GET /api/auth/google

Redirects the user to Google's OAuth consent screen. After approval, Google redirects to:

GET /api/auth/google/callback

On success the user is redirected to the app with the auth_token cookie set. To retrieve the authenticated user after the redirect:

GET /api/auth/google/success

Logout

POST /api/auth/logout

Clears the auth_token cookie. Returns 200 with { "message": "Logged out successfully" }.


Forgot password

POST /api/auth/forgot-password
{ "email": "[email protected]" }

Sends a password reset email if the account exists. Always returns 200 regardless of whether the email was found, so the endpoint cannot be used to enumerate accounts.


Reset password

POST /api/auth/reset-password
{
  "token": "<reset-token-from-email>",
  "password": "new-password"
}

Response 200 — password updated; the user can log in with the new credentials.