Skip to main content
POST
/
api
/
auth
/
signup
Sign Up
curl --request POST \
  --url https://api.example.com/api/auth/signup \
  --header 'Content-Type: application/json' \
  --data '
{
  "email": "<string>",
  "password": "<string>",
  "user_name": "<string>"
}
'
{
  "data": {
    "user": {
      "name": "<string>",
      "avatar": "<string>"
    },
    "session": {
      "access_token": "<string>",
      "refresh_token": "<string>",
      "expires_in": 123,
      "expires_at": 123,
      "token_type": "<string>"
    }
  },
  "sb-access-token": {},
  "sb-refresh-token": {},
  "Retry-After": {}
}

Overview

This endpoint creates a new user account using Supabase Authentication with the PKCE flow. Upon successful registration, the user is automatically signed in and receives session tokens.

Authentication

This endpoint does not require authentication (it creates the authentication).

Rate Limiting

This endpoint is protected by rate limiting middleware:
  • Default limit: 100 requests per 60 seconds
  • Returns 429 Too Many Requests when limit is exceeded
  • Prevents abuse and spam account creation

Request Body

email
string
required
User’s email address. Must be a valid email format.Example: user@example.com
password
string
required
User’s password. Should meet security requirements (minimum length, complexity, etc.).Example: SecurePass123!
user_name
string
required
Username or display name for the user. This will be stored in user metadata.Example: AnimeWatcher123

Response

data
object
Registration result containing user and session information
user
object
User information
name
string
User’s display name from metadata
avatar
string
User’s avatar URL from metadata (may be null for new accounts)
session
object
Session tokens and metadata
access_token
string
JWT access token for authenticated requests
refresh_token
string
Token used to refresh the access token when it expires
expires_in
number
Time in seconds until the access token expires
expires_at
number
Unix timestamp when the access token expires
token_type
string
Type of token (typically “bearer”)

Cookies Set

Upon successful registration, the following HTTP-only cookies are automatically set:
sb-access-token
cookie
Attributes: HttpOnly, Secure, SameSite=Lax, Max-Age=7 daysContains the Supabase access token for authenticated requests
sb-refresh-token
cookie
Attributes: HttpOnly, Secure, SameSite=Lax, Max-Age=7 daysContains the Supabase refresh token to maintain the session

Example Request

curl -X POST "https://anidev.vercel.app/api/auth/signup" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "SecurePass123!",
    "user_name": "AnimeWatcher123"
  }'

Example Response

{
  "data": {
    "user": {
      "name": "AnimeWatcher123",
      "avatar": null
    },
    "session": {
      "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
      "refresh_token": "v1.MRjyg-VNJ8H7zN...",
      "expires_in": 3600,
      "expires_at": 1710987654,
      "token_type": "bearer"
    }
  }
}

Error Responses

Missing Required Fields

Status Code: 400 Bad Request 
{
  "error": "Email, password and username are required",
  "type": "validation"
}

Invalid Email Format

Status Code: 400 Bad Request 
{
  "error": "Invalid email format",
  "type": "validation"
}

Email Already Registered

Status Code: 409 Conflict 
{
  "error": "User with this email already exists",
  "type": "conflict"
}

Weak Password

Status Code: 400 Bad Request 
{
  "error": "Password should be at least 6 characters",
  "type": "validation"
}

Rate Limit Exceeded

Status Code: 429 Too Many Requests 
{
  "error": "Too many requests, please try again later",
  "type": "tooManyRequests"
}
Retry-After
header
Number of seconds to wait before making another request

Server Error

Status Code: 500 Internal Server Error 
{
  "error": "Internal server error"
}

Security Features

Important Security Notes:
  • Passwords are hashed using Supabase’s secure hashing algorithms
  • Session tokens are stored in HTTP-only cookies to prevent XSS attacks
  • Cookies use the Secure flag (HTTPS only) and SameSite=Lax for CSRF protection
  • Rate limiting prevents brute force and spam attacks

User Metadata

The following metadata is stored with the user account:
  • user_name: Display name provided during registration
  • avatar_url: Profile picture URL (null by default, can be updated later)
This metadata is accessible through the Supabase user object and can be updated using the profile management endpoints.

Post-Registration Flow

After successful registration:
  1. User Record Created: A new user record is created in Supabase Auth
  2. Public Profile: A corresponding record is created in the public_users table
  3. Session Established: Access and refresh tokens are generated
  4. Cookies Set: Session tokens are stored in HTTP-only cookies
  5. Auto Sign-In: User is automatically signed in and can make authenticated requests

Next Steps

After signing up, users can:
  • Update their profile with Update Profile
  • Upload an avatar image
  • Start building their anime collection
  • Save their preferences and watch history