Auth Email Signup
Register a new account with an email and optional password. The password requirement is dependent on how the instance is configured for account authentication with email addresses (password vs magic link.) When the email address has not been registered, this endpoint will send a verification email however it will also return a session cookie to facilitate pre-verification usage of the platform. If the email address already exists, no session cookie will be returned in order to prevent arbitrary account control by a malicious actor. In this case, the email will be sent again with the same OTP for the case where the user has cleared their cookies or switched device but hasn't yet verified due to missing the email or a delivery failure. In this sense, the endpoint can act as a "resend verification email" operation as well as registration. In the first case, a 200 response is provided with the session cookie, in the second case, a 422 response is provided without a session cookie. Given that this is an unauthenticated endpoint that triggers an email to be sent to any public address, it MUST be heavily rate limited.
Auth Email Signin POST
Sign in to an existing account with an email and optional password. The behaviour of this endpoint depends on how the instance is configured. If email+password is the preferred method, a cookie is returned on success but if magic links are preferred, the endpoint will start the code flow.
Auth Email Verify POST
Verify an email address using a token that was emailed to one of the account's email addresses either set via sign up or added later.