
openalice-auth

> JWT authentication + SSO cookie service. The single front door for every OpenAlice product.

Features: 38
Status: unknown
Last activity: 12d ago
Branch: mvp

auth/agent

2 features
  • auth.agent_config.get
    src/routes.rs:1578
    Read the user's unified agent config — shared identity (avatar + VRM), voice settings (TTS+STT provider/voice/language/emotion/pace), and per-product enable+system-prompt for live/social/persona/world. Returns a built-in default when no row exists yet.
    api:GET /auth/agent-config
    since 0.1.0
  • auth.agent_config.put
    src/routes.rs:1605
    Upsert the user's agent config. Validates tts/stt providers against the known-good allowlist and per-product JSON shape. Partial updates supported — fields the request omits keep their current values.
    api:PUT /auth/agent-config
    since 0.1.0

auth/broadcast

2 features
  • auth.broadcast_config.get
    src/routes.rs:1737
    Read the user's current studio broadcast config (preset_id + per-stream overrides). Defaults to {preset_id="qa-host", overrides={}} when no row has been saved yet — first-time streamers don't have to click anything before going live.
    api:GET /auth/broadcast-config
    since 0.1.0
  • auth.broadcast_config.put
    src/routes.rs:1765
    Upsert the user's studio broadcast config. Validates preset_id against the @openalicelabs/presets allowlist; rejects unknown ids with 400. Returns the persisted row so the client can mirror updated_at.
    api:PUT /auth/broadcast-config
    since 0.1.0

auth/chat

1 feature
  • auth.chat_sources.create
    src/routes.rs:2787
    Persist a chat-read source (YouTube / Twitch / Kick) — the config blob is encrypted at rest by the same crypto pipeline as stream_destinations. Returns the masked public shape.
    api:POST /auth/chat-sources
    since 0.1.0

auth/crypto

1 feature
  • auth.password.hash
    src/auth.rs:361
    Hash a password with Argon2id using a per-call random salt.
    since 0.1.0

auth/devices

4 features
  • auth.devices.list
    src/devices.rs:180
    List the user's paired devices — Hub /account/devices renders this.
    api:GET /auth/devices
    since 0.6.0
  • auth.devices.pair_claim
    src/devices.rs:107
    Exchange a pairing code for a 90-day device-scoped JWT (audience = live + persona). Unauthenticated by design — the code itself is the credential.
    api:POST /auth/devices/pair/claim
    since 0.6.0
  • auth.devices.pair_start
    src/devices.rs:74
    Generate a short-lived pairing code (8 chars, 10 min TTL) the user types into openalice-stream-host. Code is single-use; claiming it issues a 90-day device-scoped JWT.
    api:POST /auth/devices/pair/start
    since 0.6.0
  • auth.devices.revoke
    src/devices.rs:210
    Revoke a paired device — sets revoked_at, the issued JWT's jti goes into the revocation set so subsequent calls from that token are rejected.
    api:DELETE /auth/devices/{id}
    since 0.6.0

auth/email

2 features
  • auth.email.verify
    src/routes.rs:936
    Consume an email-verification token (looked up by SHA-256 hash). Marks the user verified and the token used. Idempotent — already-verified users get 200 with the same payload.
    api:POST /auth/verify
    since 0.1.0
  • auth.email.verify_send
    src/routes.rs:814
    Issue a new email-verification token for the authenticated user, hash it, persist with 24h expiry, and "send" the verification link via the email stub.
    api:POST /auth/verify-email/send
    since 0.1.0

auth/mfa

3 features
  • auth.mfa.disable
    src/routes.rs:1492
    Disable MFA after re-confirming the user's password (defense against a session-stealing attacker silently turning MFA off). Clears mfa_secret + mfa_enabled.
    api:POST /auth/mfa/disable
    since 0.1.0
  • auth.mfa.setup
    src/routes.rs:1367
    Begin MFA enrollment — generates a fresh TOTP secret, stores it on the user (NOT yet enabled), and returns the secret + otpauth URL so the client can render a QR. Re-running before /auth/mfa/verify rotates the secret. Idempotent against an already-enabled user — returns 409 so the client tells the user to disable first.
    api:POST /auth/mfa/setup
    since 0.1.0
  • auth.mfa.verify
    src/routes.rs:1424
    Confirm enrollment by submitting a code derived from the secret stored at /auth/mfa/setup. On success, mfa_enabled flips to true and subsequent /auth/login flows require a second factor.
    api:POST /auth/mfa/verify
    since 0.1.0

auth/oauth

1 feature
  • auth.oauth.youtube_start
    src/routes.rs:1902
    Begin a YouTube (Google) OAuth flow — generates a state nonce, persists it server-side, returns the Google authorize URL the client should redirect to. The callback will create a `chat_sources` row with the user's refresh + access tokens.
    api:POST /auth/connectors/youtube/start
    since 0.1.0

auth/password

2 features
  • auth.password.forgot
    src/routes.rs:1061
    Issue a password-reset token for the given email and send the reset link via the email stub. Always returns 204 — never reveals whether the email is registered (timing attacks aside, this stops trivial account-enumeration).
    api:POST /auth/password/forgot
    since 0.1.0
  • auth.password.reset
    src/routes.rs:1115
    Consume a password-reset token (looked up by SHA-256 hash) and rewrite the user's password. Marks the token used and revokes ALL outstanding refresh tokens for the user (forces re-login on every device).
    api:POST /auth/password/reset
    since 0.1.0

auth/presence

1 feature
  • auth.presence.online
    src/routes.rs:609
    List users with last_seen ≤ 2 minutes ago who haven't set their status to invisible. Powers the Hub "who's online" widget and any cross-product presence indicator.
    api:GET /auth/users/online
    since 0.1.0

auth/realtime

4 features
  • auth.realtime.broadcast
    src/routes.rs:2686
    Service-to-service entry point — POST a notification (optionally targeted at a specific user) and the auth WS hub fans it out to every connected client. Authenticated by a shared secret in the `X-Internal-Secret` header (env `INTERNAL_BROADCAST_SECRET`). Producers: social-api on DM, persona on session events, billing on plan changes.
    api:POST /internal/broadcast
    since 0.1.0
  • auth.realtime.chat_event
    src/routes.rs:3036
    Service-to-service entry — POST a normalized chat message from any platform connector (openalice-chat-bridge for YouTube/Twitch/Kick/TikTok) and the broadcast owner's connected agent receives it as a `chat_message` event over /auth/ws. Bypasses the notification cooldown (chat is a stream). Authenticated by X-Internal-Secret.
    api:POST /internal/chat
    since 0.1.0
  • auth.realtime.chat_feed
    src/routes.rs:3064
    Service-to-service entry — POST a mechanical chat aggregation tick (n-gram topics + mood + highlight quotes over a fixed window) from the chat-bridge feed-aggregator. The broadcast owner's connected agent receives it as a `chat_feed` event over /auth/ws — a cheap "what is the room doing?" heartbeat that costs zero LLM tokens to produce. Authenticated by X-Internal-Secret.
    api:POST /internal/chat-feed
    since 0.5.0
  • auth.realtime.ws
    src/routes.rs:1341
    WebSocket fan-out — clients open with ?token=ACCESS_JWT and receive cross-product real-time events (presence_changed today, notifications + DM events later). Server-push only; messages from the client are currently ignored.
    api:GET /auth/ws
    since 0.1.0

auth/sessions

2 features
  • auth.sessions.list
    src/routes.rs:1227
    List the authenticated user's active refresh-token sessions (one per browser/device login). Each row carries user_agent, created_at, last_used_at, and a `current` flag marking the device this request came from.
    api:GET /auth/sessions
    since 0.1.0
  • auth.sessions.revoke
    src/routes.rs:1265
    Revoke a specific refresh-token session by id. Marks the row revoked and blacklists its current jti so the next /auth/refresh from that device fails. Existing access tokens on that device survive until natural expiry (≤1h).
    api:DELETE /auth/sessions/:id
    since 0.1.0

auth/streams

6 features
  • auth.streams.create
    src/routes.rs:2341
    Persist a per-platform stream destination — label, platform, optional RTMP URL override, encrypted stream key. Returns the masked public shape.
    api:POST /auth/streams
    since 0.1.0
  • auth.streams.delete
    src/routes.rs:2487
    Permanently delete a stream destination.
    api:DELETE /auth/streams/:id
    since 0.1.0
  • auth.streams.internal_lookup
    src/routes.rs:2563
    Service-to-service endpoint for the broadcaster — given a user_id (path) and optional destination ids (query), returns enabled destinations with PLAINTEXT stream keys. Authenticated via X-Internal-Secret. The broadcaster is the only caller.
    api:GET /internal/users/:id/streams
    since 0.1.0
  • auth.streams.list
    src/routes.rs:2421
    List the user's stream destinations with masked stream keys ("live_••••wxyz" preview).
    api:GET /auth/streams
    since 0.1.0
  • auth.streams.reveal
    src/routes.rs:2511
    Reveal the plaintext stream key after re-confirming the user's password. Stream keys aren't returned by the list endpoint by design — this is the dedicated unmask path.
    api:POST /auth/streams/:id/reveal
    since 0.1.0
  • auth.streams.update
    src/routes.rs:2448
    Update a destination's label or enabled flag. Stream-key rotation is a delete + create operation by design.
    api:PUT /auth/streams/:id
    since 0.1.0

auth/tokens

1 feature
  • auth.token.refresh
    src/routes.rs:419
    Exchange a refresh token for a fresh access+refresh JWT pair (rotation).
    api:POST /auth/refresh
    since 0.1.0

auth/users

6 features
  • auth.account.delete
    src/routes.rs:775
    Permanently delete the authenticated user's account and revoke all tokens.
    api:DELETE /auth/account
    since 0.1.0
  • auth.profile.update
    src/routes.rs:648
    Update authenticated user's profile fields (display name, avatar, bio).
    api:PUT /auth/profile
    since 0.1.0
  • auth.user.login
    src/routes.rs:229
    Verify email+password and issue access+refresh JWT pair.
    api:POST /auth/login
    since 0.1.0
  • auth.user.login_mfa
    src/routes.rs:341
    Exchange a pre-MFA token + TOTP code for a full session. Issued only when /auth/login responds with mfa_required=true. Pre-MFA token is audience-restricted so it can't be used against any downstream service if leaked.
    api:POST /auth/login/mfa
    since 0.1.0
  • auth.user.me
    src/routes.rs:570
    Return current authenticated user's profile (id, email, username, status). Side effect — bumps users.last_seen so the user surfaces in the online-users feed.
    api:GET /auth/me
    since 0.1.0
  • auth.user.register
    src/routes.rs:124
    Register a new user with email + username + password (Argon2id), returns access+refresh JWT pair.
    api:POST /auth/register
    since 0.1.0