Complete 3-layer API flow: API Gateway → Orchestration → Core Microservices for authentication operations
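Creates a new user account in the system
  API Gateway (Layer 1): POST /register
  Customer Account (Layer 2): POST /register
  Core Microservices (Layer 3): POST /api/users/register

Retrieves the current user's account details
  API Gateway (Layer 1): GET /account
  Customer Account (Layer 2): GET /account
  Core Microservices (Layer 3): GET /api/users/account

Updates the current user's account information
  API Gateway (Layer 1): PUT /account
  Customer Account (Layer 2): PUT /account
  Core Microservices (Layer 3): PUT /api/users/account

Updates the user's password (requires current password)
  API Gateway (Layer 1): PUT /password
  Customer Account (Layer 2): PUT /password
  Core Microservices (Layer 3): PUT /api/users/password

Authenticates user and creates a session (multi-step flow)
  API Gateway (Layer 1): POST /login
  Customer Account (Layer 2): POST /login
  Core Microservices (Layer 3):
    POST /passcode/validate - Validates OTP if using OTP login
    POST /api/users/login - Authenticates user credentials
    POST /api/sessions - Creates a new session for the device

Terminates user session and cleans up (multi-step flow)
  API Gateway (Layer 1): DELETE /logout
  Customer Account (Layer 2): DELETE /logout
  Core Microservices (Layer 3):
    GET /api/users/sessions - Gets current user sessions
    DELETE /api/users/logout - Logs out the user
    DELETE /api/users/sessions/{{session_id}} - Deletes the specific session

Resets password using OTP verification (multi-step flow)
  API Gateway (Layer 1): POST /reset-password
  Customer Account (Layer 2): POST /reset-password
  Core Microservices (Layer 3):
    POST /passcode/validate - Validates the OTP sent to user
    POST /api/users/password/reset - Resets the password to new value

Sends one-time password to user's phone/email
  API Gateway (Layer 1): POST /send-otp
  Customer Account (Layer 2): POST /send-otp
  Core Microservices (Layer 3): POST /passcode

Permanently deactivates the user account
  API Gateway (Layer 1): POST /deactivate
  Customer Account (Layer 2): POST /deactivate
  Core Microservices (Layer 3): DELETE /api/users/account
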
┌─────────────────┐     ┌──────────────────┐     ┌──────────────────────┐     ┌─────────────────────────┐
│                 │     │                  │     │                      │     │                         │
│   Mobile App    │────▶│   API Gateway    │────▶│   Customer Account   │────▶│   Core Microservices    │
│  / Web Client   │     │    (Layer 1)     │     │      (Layer 2)       │     │        (Layer 3)        │
│                 │     │      PUBLIC      │     │       INTERNAL       │     │        INTERNAL         │
└─────────────────┘     └──────────────────┘     └──────────────────────┘     └─────────────────────────┘
         │                        │                          │                             │
         │ POST /login            │                          │                             │
         │ Headers:               │                          │                             │
         │ - X-Tenant-Id          │                          │                             │
         │ - X-Store-Id           │                          │                             │
         │ - X-Device-Id          │                          │                             │
         │ ──────────────────────▶│                          │                             │
         │                        │ POST /login              │                             │
         │                        │ (Route + Auth)           │                             │
         │                        │ ────────────────────────▶│                             │
         │                        │                          │ 1. POST /passcode/validate  │
         │                        │                          │ ────────────────────────────▶ [User Service]
         │                        │                          │                             │
         │                        │                          │ 2. POST /api/users/login    │
         │                        │                          │ ────────────────────────────▶ [Customer User Service]
         │                        │                          │                             │
         │                        │                          │ 3. POST /api/sessions       │
         │                        │                          │ ────────────────────────────▶ [Customer User Service]
         │                        │                          │                             │
         │                        │ ◀───── Response ─────────│                             │
         │ ◀──── Response ────────│                          │                             │
         │ { access_token, user } │                          │                             │
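
Added example, not part of the original mapping or the project's own code: one way the Layer 2 login handler could run the three calls in the diagram's order and fail closed, so that no session is created unless the earlier steps succeed.
Assumptions: the call(method, path, headers, body) transport, the body fields identifier/otp/password, the id and access_token response fields, and the LoginRejected and fake_core names are all hypothetical.

```python
from typing import Callable, Dict, Mapping, Tuple

# Context headers the diagram shows on POST /login.
REQUIRED_HEADERS = ("X-Tenant-Id", "X-Store-Id", "X-Device-Id")
# Assumed transport: call(method, path, headers, body) -> (status, json).
Transport = Callable[[str, str, Mapping[str, str], dict], Tuple[int, dict]]


class LoginRejected(Exception):
    def __init__(self, step: str, status: int):  # step is kept for logging
        super().__init__(f"login rejected at {step} (status {status})")
        self.step, self.status = step, status


def orchestrate_login(headers: Mapping[str, str], body: dict, call: Transport) -> Dict:
    # Reject before any internal call if tenant/store/device context is missing.
    if any(not headers.get(h) for h in REQUIRED_HEADERS):
        raise LoginRejected("headers", 400)
    # Body field names are assumptions; a login needs an OTP or a password.
    if "otp" not in body and "password" not in body:
        raise LoginRejected("credentials", 400)
    # Forward only the context headers, never arbitrary client headers.
    ctx = {h: headers[h] for h in REQUIRED_HEADERS}

    def step(path: str, payload: dict) -> dict:
        status, data = call("POST", path, ctx, payload)
        if not 200 <= status < 300:
            raise LoginRejected(path, status)  # fail closed: later steps never run
        return data

    # 1. OTP is validated first, and only when this is an OTP login.
    if "otp" in body:
        step("/passcode/validate", {"identifier": body["identifier"], "otp": body["otp"]})
    # 2. Credentials are checked; the OTP is not passed on to this service.
    user = step("/api/users/login", {k: v for k, v in body.items() if k != "otp"})
    # 3. The session is created only after the earlier steps succeeded.
    session = step("/api/sessions", {"user_id": user["id"], "device_id": ctx["X-Device-Id"]})
    return {"access_token": session["access_token"], "user": user}


def fake_core(valid_otp: str, log: list) -> Transport:
    """Constructed stand-in for the Layer 3 services so the flow runs offline."""
    def call(method, path, headers, payload):
        log.append(path)
        if path == "/passcode/validate" and payload["otp"] != valid_otp:
            return 401, {}
        if path == "/api/sessions":
            return 201, {"access_token": "constructed-token"}
        return 200, {"id": "u-1"}
    return call
```
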
Public entry point. Handles routing, rate limiting, CORS, and initial authentication.
Orchestration layer. Coordinates multiple microservice calls for authentication flows.
Core microservice for user data, sessions, and account management.
Core microservice for OTP generation and validation.
Orchestra Internal API Mapping - Login/Register Module
Last Updated: December 2025