Authentication

User registration, login, OTP, password reset and token management

Register a new user

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/register

Creates a new user account. No authentication required. For Manager role, a company is created automatically. For Association, an association is created. 2FA is auto-enabled for Manager, SuperManager, Cashier and Observer.

Query parameters

langstring · enumOptional

Language for the verification email

Possible values:

Body

application/json

emailstring · emailRequired

passwordstringRequired

Must match password complexity requirements (uppercase, lowercase, digit, special char)

firstNamestringRequired

lastNamestringRequired

rolestring · enumRequired

User role — determines company/association creation

Possible values:

companyNamestringOptional

Required for Manager and Cashier roles

associationNamestringOptional

Required for Association role

originstringOptional

phoneNumberstringOptional

phoneNumberCountrystringOptional

ISO country code, e.g. FR

Responses

200

User registered successfully.

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

400

User already exists or validation error

application/json

422

Validation error

application/json

post

/auth/register

HTTPcURLJavaScriptPython

POST /api/next/auth/register HTTP/1.1
Host: api.lyzi.fr
Content-Type: application/json
Accept: */*
Content-Length: 212

{
  "email": "name@gmail.com",
  "password": "text",
  "firstName": "text",
  "lastName": "text",
  "role": "SimpleUser",
  "companyName": "text",
  "associationName": "text",
  "origin": "text",
  "phoneNumber": "text",
  "phoneNumberCountry": "text"
}

{
  "success": true,
  "status": 1,
  "data": {
    "user": {
      "_id": "text",
      "email": "name@gmail.com",
      "firstName": "text",
      "lastName": "text",
      "role": "SuperAdmin",
      "phoneNumber": "text",
      "apiKey": "text",
      "valid": true,
      "twoFactorAuthEnabled": true,
      "lastConnection": "2026-05-19T18:28:50.853Z",
      "company": {}
    },
    "token": "text"
  }
}

Login (Manager / SuperManager)

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/login/manager

Authenticates a merchant manager, super manager, cashier, observer or association user. If 2FA is enabled, an otpValidationToken cookie is set and the final access token is only returned after calling /auth/otp. The origin field must be dashboard for the backoffice or application for the mobile app.

Body

application/json

emailstring · emailRequired

passwordstringRequired

originstring · enumRequired

Login origin — 'dashboard' for backoffice, 'application' for mobile app

Possible values:

Responses

200

Login successful. If 2FA is enabled, token is null and an otpValidationToken cookie is set. Call /auth/otp to complete authentication.

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

400

Invalid credentials

application/json

401

Unauthorized (VPN required for SuperAdmin)

application/json

422

Validation error

application/json

post

/auth/login/manager

HTTPcURLJavaScriptPython

POST /api/next/auth/login/manager HTTP/1.1
Host: api.lyzi.fr
Content-Type: application/json
Accept: */*
Content-Length: 65

{
  "email": "name@gmail.com",
  "password": "text",
  "origin": "dashboard"
}

{
  "success": true,
  "status": 1,
  "data": {
    "token": "text",
    "user": {
      "_id": "text",
      "email": "name@gmail.com",
      "firstName": "text",
      "lastName": "text",
      "role": "SuperAdmin",
      "phoneNumber": "text",
      "apiKey": "text",
      "valid": true,
      "twoFactorAuthEnabled": true,
      "lastConnection": "2026-05-19T18:28:50.853Z",
      "company": {}
    }
  }
}

Validate 2FA OTP

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/otp

Validates a TOTP code (authenticator app) or email OTP after login when 2FA is enabled. The otpValidationToken cookie (set by /auth/login/manager) must be present. Returns the final JWT access token on success.

Roles: Manager, SuperManager, SuperAdmin, Cashier, Observer

Authorizations

bearerAuth

AuthorizationstringRequired

JWT token obtained from /auth/login or /auth/login/manager. Include as Authorization: Bearer <token>.

Body

application/json

otpstringOptional

6-digit TOTP code from authenticator app

emailOtpstringOptional

6-digit OTP received by email

Responses

200

OTP validated — final JWT access token returned

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

400

Invalid or expired OTP

application/json

401

Authorization header required

application/json

post

/auth/otp

HTTPcURLJavaScriptPython

POST /api/next/auth/otp HTTP/1.1
Host: api.lyzi.fr
Authorization: Bearer YOUR_SECRET_TOKEN
Content-Type: application/json
Accept: */*
Content-Length: 32

{
  "otp": "text",
  "emailOtp": "text"
}

{
  "success": true,
  "status": 1,
  "data": {
    "token": "text",
    "user": {
      "_id": "text",
      "email": "name@gmail.com",
      "firstName": "text",
      "lastName": "text",
      "role": "SuperAdmin",
      "phoneNumber": "text",
      "apiKey": "text",
      "valid": true,
      "twoFactorAuthEnabled": true,
      "lastConnection": "2026-05-19T18:28:50.853Z",
      "company": {}
    }
  }
}

Send email OTP

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/otp/email

Sends a one-time passcode to the provided email address. Used during 2FA login when the user prefers email OTP over authenticator app.

Body

application/json

emailstring · emailRequired

Responses

200

OTP sent successfully

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

dataanyOptional

Response payload

422

Validation error

application/json

post

/auth/otp/email

HTTPcURLJavaScriptPython

POST /api/next/auth/otp/email HTTP/1.1
Host: api.lyzi.fr
Content-Type: application/json
Accept: */*
Content-Length: 26

{
  "email": "name@gmail.com"
}

{
  "success": true,
  "status": 1,
  "data": null
}

Send password reset email

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/reset-password/send

Sends a password reset link to the provided email address. SuperAdmin accounts are excluded.

Query parameters

langstring · enumOptional

Language for the reset email

Possible values:

Body

application/json

emailstring · emailRequired

originstringOptional

If 'application', returns the reset token directly instead of sending an email

Responses

200

Reset email sent (or token returned if origin=application)

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

dataanyOptional

Response payload

400

User not found

application/json

422

Validation error

application/json

post

/auth/reset-password/send

HTTPcURLJavaScriptPython

POST /api/next/auth/reset-password/send HTTP/1.1
Host: api.lyzi.fr
Content-Type: application/json
Accept: */*
Content-Length: 42

{
  "email": "name@gmail.com",
  "origin": "text"
}

{
  "success": true,
  "status": 1,
  "data": null
}

Change forgotten password

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/reset-password/change

Sets a new password using the token received in the reset email. Sends a notification email after the change.

Body

application/json

tokenstringRequired

Token from the password reset email

newPasswordstringRequired

New password (must match complexity requirements)

Responses

200

Password changed successfully

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

dataanyOptional

Response payload

400

Invalid or missing token

application/json

422

Validation error

application/json

post

/auth/reset-password/change

HTTPcURLJavaScriptPython

POST /api/next/auth/reset-password/change HTTP/1.1
Host: api.lyzi.fr
Content-Type: application/json
Accept: */*
Content-Length: 37

{
  "token": "text",
  "newPassword": "text"
}

{
  "success": true,
  "status": 1,
  "data": null
}

Refresh access token

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/refresh-token

Issues a new JWT access token using the refresh token stored in an httpOnly cookie. For backoffice users, pass the user ID via the x-user-id header so the correct cookie is read.

Header parameters

x-user-idstringOptional

User ID (backoffice sessions only) — determines the refresh token cookie name

Responses

200

New access token issued

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

401

Invalid or expired refresh token

application/json

post

/auth/refresh-token

HTTPcURLJavaScriptPython

POST /api/next/auth/refresh-token HTTP/1.1
Host: api.lyzi.fr
Accept: */*

{
  "success": true,
  "status": 1,
  "data": {
    "token": "text"
  }
}

Sign out

post

https://api.lyzi.fr/api/nexthttps://api-dev.lyzi.fr/api/next

/auth/sign-out

Clears the refresh token cookie, effectively ending the session. Pass the x-user-id header for backoffice sessions.

Header parameters

x-user-idstringOptional

User ID (backoffice sessions only)

Responses

200

Signed out successfully

application/json

successbooleanOptional

Whether the request succeeded

statusintegerOptional

HTTP status code

post

/auth/sign-out

HTTPcURLJavaScriptPython

POST /api/next/auth/sign-out HTTP/1.1
Host: api.lyzi.fr
Accept: */*

200

Signed out successfully

{
  "success": true,
  "status": 1,
  "data": {
    "disconnected": true
  }
}