Ready-Made Actions

Every endpoint, pre-generated & typed

You almost never write an endpoint against a Nucleus backend. generateAllEndpoints(config) reads the very same NucleusConfigOptions that boots the server and emits a complete, fully-typed catalog of actions — auth, sessions, passkeys, admin, tenants, verification, monitoring, runtime config and CRUD for every entity and system table.

Each entry below becomes actions.KEY.start({ payload, onAfterHandle, onErrorHandle }) on the useApiActions hook, with its payload, success and error types inferred from the config. Public actions need no session; everything else attaches the caller's cookies automatically through the server factory.

This page is the catalog — the 'what you get'. The API Client page covers the 'how' (generate → factory → hook). Together they are the entire frontend data layer; you provide the UI.

Authentication#

The core sign-in surface. Tokens are delivered as httpOnly cookies, so the browser never touches a raw JWT — REFRESH is even called for you by the client on a 401. Public actions need no session; the rest require one.

LOGINPOST · /auth/login · public

Email/username + password sign-in. On success sets the access + refresh cookies and returns the user with token metadata (LoginSuccess).

REGISTERPOST · /auth/register · public

Create an account. Enforces your password policy and, when email verification is on, leaves the account unverified until VERIFY_EMAIL.

REFRESHPOST · /auth/refresh · public

Exchange the refresh cookie for a fresh access token. The generated client calls this automatically when a request returns 401, then replays it.

MEGET · /auth/me

The authenticated user with resolved roles and claims — the canonical 'am I signed in?' check used to hydrate app state.

LOGOUTPOST · /auth/logout

Revoke the current session server-side and clear the auth cookies.

Password & email verification#

The complete credential-recovery and email-confirmation surface. Request/confirm actions are public (they carry their own emailed token); change/set require a session.

PASSWORD_CHANGEPOST · /auth/password/change

Change the password of a signed-in user (current + new password).

PASSWORD_SETPOST · /auth/password/set

Set an initial password for accounts created without one (invited or passwordless users).

PASSWORD_RESET_REQUESTPOST · /auth/password/reset-request · public

Trigger a reset email containing a single-use token.

PASSWORD_RESET_CONFIRMPOST · /auth/password/reset-confirm · public

Consume the reset token and store the new password.

VERIFY_EMAILPOST · /auth/verify-email · public

Confirm an email address with the token from the verification mail.

RESEND_VERIFICATIONPOST · /auth/resend-verification · public

Re-send the verification email if the first one expired or was lost.

Passwordless, invites & captcha#

Alternative entry paths. Magic links and invites are two-step (request → verify); captcha guards sensitive public forms when enabled in config.

MAGIC_LINKPOST · /auth/magic-link · public

Email a one-time sign-in link to the address provided.

MAGIC_LINK_VERIFYPOST · /auth/magic-link/verify · public

Exchange a magic-link token for a full session (LoginSuccess).

INVITEPOST · /auth/invite

Invite a user by email from inside the app (admin-side).

INVITE_VERIFYPOST · /auth/invite/verify · public

Accept an invitation and provision the invited account.

CAPTCHA_GENERATEPOST · /auth/captcha/generate · public

Issue a captcha challenge to attach to a sensitive form.

CAPTCHA_VALIDATEPOST · /auth/captcha/validate · public

Validate the user's captcha answer before allowing the action.

Sessions & devices#

A full multi-device session manager. List and revoke devices, and — when new-device approval is enabled — surface pending sign-ins that an existing trusted device must approve or reject. This is exactly what the portal's Devices screen is built from.

SESSIONSGET · /auth/sessions

Every active session/device for the current user.

SESSIONS_CURRENTGET · /auth/sessions/current

Details of the session making this request (device, IP, last seen).

SESSIONS_STATSGET · /auth/sessions/stats

Summary counts — active, pending and total sessions.

SESSIONS_PENDINGGET · /auth/sessions/pending

New-device sign-ins awaiting approval from a trusted device.

SESSIONS_APPROVE / SESSIONS_REJECTPOST · /auth/sessions/approve|reject

Approve or reject a pending device by id.

SESSIONS_REVOKEPOST · /auth/sessions/revoke

Sign out a single session/device.

SESSIONS_REVOKE_ALLPOST · /auth/sessions/revoke-all

Sign out everywhere at once (optionally keeping the current device).

Passkeys · WebAuthn#

A complete FIDO2/WebAuthn passkey lifecycle. Both registration and passwordless login are a two-step options → verify handshake around the browser's navigator.credentials API; the remaining actions manage the user's saved credentials.

WEBAUTHN_REGISTER_OPTIONSPOST · /auth/webauthn/register/options

Get the creation options to pass to navigator.credentials.create().

WEBAUTHN_REGISTER_VERIFYPOST · /auth/webauthn/register/verify

Verify the attestation and persist the new passkey.

WEBAUTHN_AUTH_OPTIONSPOST · /auth/webauthn/authenticate/options · public

Get assertion options to pass to navigator.credentials.get() at sign-in.

WEBAUTHN_AUTH_VERIFYPOST · /auth/webauthn/authenticate/verify · public

Verify the assertion and issue a session — passwordless login.

WEBAUTHN_LISTGET · /auth/webauthn/credentials

List the user's registered passkeys with metadata.

WEBAUTHN_RENAME / WEBAUTHN_REVOKEPATCH|DELETE · /auth/webauthn/credentials/:credentialId

Rename or remove an individual passkey.

Admin & impersonation#

Privileged user-management actions guarded by claims. Impersonation mints a scoped session as another user (and back again) for support, and API keys give programmatic, cookie-less access.

ADMIN_CREATE_USERPOST · /auth/admin/create-user

Create a user directly, bypassing self-registration.

BULK_CREATE_USERSPOST · admin bulk create

Create many users at once — explicit list or generated from a prefix/domain/count — returning created, skipped and generated passwords.

ADMIN_CHANGE_USER_IDPOST · /auth/admin/change-user-id

Re-key a user's id and cascade the change across references.

ADMIN_HARD_DELETE_USERDELETE · /auth/admin/hard-delete/:userId

Permanently delete a user (as opposed to the default soft delete).

ADMIN_IMPERSONATE / ADMIN_IMPERSONATE_STOPPOST · /auth/admin/impersonate[/stop]

Start acting as another user, then return to your own identity.

API_KEYS_CREATE / LIST / DETAIL / UPDATE / REVOKE·/auth/api-keys[/:id]

Full CRUD for scoped API keys — machine clients authenticate with a key instead of a session cookie.

Tenants#

Self-serve and admin-side multi-tenancy, pairing with database.isMultiTenant. Public actions cover the signup funnel; the rest manage the tenant lifecycle.

TENANT_CHECK_SUBDOMAINGET · /tenants/check-subdomain/:subdomain · public

Live availability check while the user types a subdomain at signup.

TENANT_SELF_SIGNUPPOST · /tenants/self-signup · public

Self-serve tenant creation — provisions a schema and first admin.

TENANT_PROVISIONPOST · /tenants/provision

Admin-side provisioning of a new tenant (schema + seed).

TENANT_LIST / TENANT_DETAILGET · /tenants[/:id]

Browse all tenants or load one with its status and metadata.

TENANT_SUSPEND / TENANT_REACTIVATEPOST · /tenants/:id/suspend|reactivate

Disable or restore a tenant's access without deleting its data.

Verification, monitoring & runtime config#

The operational surface that powers approval queues, live dashboards and the runtime config editor — all type-safe actions, no bespoke endpoints.

VERIFICATION_PENDINGGET · /verification/pending

Records awaiting your approval across every verification flow.

VERIFICATION_STATUSGET · /verification/status/:entity_name/:entity_id

Where a specific record sits in its approval graph.

VERIFICATION_DECIDEPOST · /verification/decide/:entity_name/:entity_id

Approve or reject the current step, with an optional signature/comment.

FLOW_SAVE / FLOW_PUBLISH / FLOW_DELETE·/verification/flows[/:flow_id]

Author, publish and remove the verification flow graphs themselves.

NOTIFICATION_LIST / UNSEEN_COUNT / MARK_SEEN / MARK_ALL_SEEN·/notifications[/*]

Read in-app notifications and the unread count, and mark one or all as seen — the portal notification center.

MONITORING_GET_LOGS / GET_SETTINGS / CHANGE_SETTINGSGET|PATCH · /monitoring/*

Pull metric history and read or tune live-monitoring settings.

CONFIG_GET / CONFIG_SECTIONS / CONFIG_SECTION_GETGET · /nucleus/config[/*]

Inspect the live config with secrets masked, section by section.

CONFIG_SECTION_UPDATEPATCH · /nucleus/config/:section

Hot-patch a reloadable section; the response says if a restart is required.

CONFIG_ENV / CONFIG_OVERRIDES_* / CONFIG_RESTART·/nucleus/config/*

See which env-var references resolved, manage runtime overrides, and schedule a graceful restart.

Entity CRUD & bulk#

For every entity you declare — and every built-in system table — the generator emits a typed action set named by entity. List actions speak the full Query API (filters, sort, pagination, relations); writes honour your soft-delete and verification settings.

lib/api/factory.ts — one registry, everything typed

1import { generateAllEndpoints } from "nucleus-core";2import nucleusConfig from "@/config.json";3 4// generateAllEndpoints folds together auth, admin, tenant, cohort,5// verification, monitoring, config, system tables AND your own entities.6export const endpoints = generateAllEndpoints(nucleusConfig);7export type AllEndpoints = typeof endpoints;8 9// In a component every key above is actions.KEY.start({ ... }):10//   actions.LOGIN.start({ payload, onAfterHandle, onErrorHandle })11//   actions.SESSIONS_REVOKE_ALL.start({ ... })12//   actions.GET_PRODUCT.start({ payload: { page: 1, filters: [...] } })

GET_<ENTITY>GET · /<entity>

List or fetch with StandardQueryParams; returns a typed StandardReturn.

Example: GET_PRODUCT, GET_ORDER

ADD_<ENTITY>POST · /<entity>

Create a record from a payload typed to that entity's columns.

Example: ADD_PRODUCT

UPDATE_<ENTITY>PUT · /<entity>/:id

Update a record by id.

Example: UPDATE_PRODUCT

DELETE_<ENTITY>DELETE · /<entity>/:id

Delete a record (soft or hard per your entity config).

Example: DELETE_PRODUCT

BULK_ADD_<ENTITY>SPOST · /<entity>/bulk

Insert many rows in one request.

Example: BULK_ADD_PRODUCTS

System tables (ready out of the box)SystemUser, SystemRole, SystemClaim …

The same CRUD set is pre-generated for SystemUser, SystemRole, SystemClaim, SystemRoleClaim, SystemUserRole, SystemProfile, SystemAddress, SystemPhone, SystemFile and SystemUserCohort.

Related sections

API Client Authentication Query API