# API Auth

The Pionne API uses Laravel Sanctum. After login, you receive a token to pass in `Authorization: Bearer <token>` for all protected routes.

Base URL: `https://api.pionne.app`

## POST /api/auth/register

Create an account. Automatically starts a 30-day trial.

```json
{
  "email": "you@example.com",
  "password": "min8chars",
  "name": "Jane Doe"
}
```

### Response 201

```json
{
  "user": {
    "id": "usr_a1b2c3",
    "email": "you@example.com",
    "name": "Jane Doe",
    "trial_ends_at": "2026-06-04T12:00:00Z"
  },
  "token": "1|abcXYZ..."
}
```

### Errors

- `422` — Email already taken or invalid format.

## POST /api/auth/login

```json
{
  "email": "you@example.com",
  "password": "..."
}
```

### Headers (optional)

```
X-Pionne-Client: cli | mobile | web
```

The API names the Sanctum token it creates from this header (`mobile` by default). On every login, other tokens of the same type are revoked, keeping a single active session per client. Re-running the CLI wizard (`X-Pionne-Client: cli`) or logging back in on mobile automatically invalidates the previous session of the same type. Other types are not touched.

### Response 200

```json
{
  "user": {
    "id": "usr_a1b2c3",
    "email": "you@example.com",
    "name": "Jane Doe"
  },
  "token": "2|defGHI..."
}
```

### 2FA response

If the account has 2FA enabled, the API returns a challenge first:

```json
{ "requires_totp": true, "totp_token": "pionne_totp_xxxxxx" }
```

You then `POST /api/auth/login/totp` with `{ totp_token, code }` (or `recovery_code`) to get the real Sanctum token. The same naming / revocation rule applies based on `X-Pionne-Client`.

### Errors

- `401` — Wrong email/password.
- `429` — Too many attempts (rate limit).

## POST /api/auth/logout

Revokes the current token.

### Headers

```
Authorization: Bearer <token>
```

### Response 204

No body.

## GET /api/auth/me

Returns the current user.

### Headers

```
Authorization: Bearer <token>
```

### Response 200

```json
{
  "id": "usr_a1b2c3",
  "email": "you@example.com",
  "name": "Jane Doe",
  "subscription": {
    "status": "trialing",
    "trial_ends_at": "2026-06-04T12:00:00Z",
    "plan": "monthly"
  }
}
```

## Active sessions — token management

Three endpoints let you list and revoke the Sanctum tokens of the current account. Used by the Account → Settings → Security → Active sessions screen in pionne-app.

### GET /api/me/tokens

Lists all account tokens (mobile, CLI, web), most recent first. The token used to make the call is flagged `is_current: true`.

```json
{
  "tokens": [
    {
      "id": 14,
      "name": "cli",
      "created_at": "2026-05-07T16:46:00Z",
      "last_used_at": "2026-05-07T16:46:01Z",
      "is_current": false
    },
    {
      "id": 13,
      "name": "mobile",
      "created_at": "2026-05-07T15:10:00Z",
      "last_used_at": "2026-05-07T17:30:00Z",
      "is_current": true
    }
  ]
}
```

### DELETE /api/me/tokens/{id}

Revokes the specified token. Refuses to revoke the current token (`422 cannot_revoke_current`) — use `/auth/logout` instead.

### DELETE /api/me/tokens/others

Revokes all account tokens except the one making the call. Handy after a suspected token leak. Returns the revoked count:

```json
{ "revoked_count": 7 }
```
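The rules spread over the login section (token named after `X-Pionne-Client`, one active session per client type, 2FA challenge before the real token is issued) and the token-management section (listing with `is_current`, refusing to revoke the current token, revoking all others) are easier to check when written out as code. The following in-memory model is an added example written for this page; it is not the Pionne project's Laravel/Sanctum implementation. The class and method names, the plaintext password field, the `N|...` token format with a random suffix and the fixed `DEMO_TOTP_CODE` standing in for a real TOTP check are all assumptions constructed for the demonstration.

```python
"""Toy model of the Pionne token naming / revocation / 2FA rules (added example)."""
import hmac
import secrets
from dataclasses import dataclass, field
from itertools import count
from typing import Optional

VALID_CLIENTS = ("cli", "mobile", "web")   # values of X-Pionne-Client
DEFAULT_CLIENT = "mobile"                  # used when the header is absent
DEMO_TOTP_CODE = "123456"                  # constructed stand-in for a real TOTP check


@dataclass
class Token:
    id: int
    name: str              # client type the token is named after
    secret: str            # bearer value handed to the client
    revoked: bool = False


@dataclass
class Account:
    email: str
    password: str          # plaintext only in this toy model
    totp_enabled: bool = False
    tokens: list = field(default_factory=list)


class TokenStore:
    def __init__(self) -> None:
        self._ids = count(1)
        self._pending_totp: dict = {}   # totp_token -> (account, client)

    def _issue(self, account: Account, client: str) -> Token:
        # Single active session per client type: revoke same-named live tokens,
        # leave tokens of other types untouched, then mint the new one.
        for t in account.tokens:
            if t.name == client and not t.revoked:
                t.revoked = True
        tid = next(self._ids)
        tok = Token(tid, client, f"{tid}|{secrets.token_urlsafe(24)}")
        account.tokens.append(tok)
        return tok

    def _current(self, account: Account, bearer: str) -> Optional[Token]:
        # Constant-time compare; a revoked token never authenticates again.
        for t in account.tokens:
            if not t.revoked and hmac.compare_digest(t.secret, bearer):
                return t
        return None

    # POST /api/auth/login
    def login(self, account, email, password, client_header=None):
        client = client_header or DEFAULT_CLIENT
        if client not in VALID_CLIENTS:
            return {"status": 422}
        if email != account.email or not hmac.compare_digest(password, account.password):
            return {"status": 401}
        if account.totp_enabled:
            # Challenge first; the real token is only issued by login_totp.
            challenge = "pionne_totp_" + secrets.token_hex(3)
            self._pending_totp[challenge] = (account, client)
            return {"status": 200, "requires_totp": True, "totp_token": challenge}
        return {"status": 200, "token": self._issue(account, client).secret}

    # POST /api/auth/login/totp
    def login_totp(self, totp_token, code):
        entry = self._pending_totp.pop(totp_token, None)  # single-use challenge
        if entry is None or not hmac.compare_digest(code, DEMO_TOTP_CODE):
            return {"status": 401}   # a wrong code consumes the challenge; log in again
        account, client = entry      # same naming / revocation rule as plain login
        return {"status": 200, "token": self._issue(account, client).secret}

    # GET /api/me/tokens
    def list_tokens(self, account, bearer):
        current = self._current(account, bearer)
        if current is None:
            return {"status": 401}
        active = sorted((t for t in account.tokens if not t.revoked),
                        key=lambda t: t.id, reverse=True)   # most recent first
        return {"status": 200, "tokens": [
            {"id": t.id, "name": t.name, "is_current": t is current} for t in active]}

    # DELETE /api/me/tokens/{id}
    def revoke_token(self, account, bearer, token_id):
        current = self._current(account, bearer)
        if current is None:
            return {"status": 401}
        if current.id == token_id:
            return {"status": 422, "error": "cannot_revoke_current"}
        for t in account.tokens:
            if t.id == token_id and not t.revoked:
                t.revoked = True
                return {"status": 204}
        return {"status": 404}

    # DELETE /api/me/tokens/others
    def revoke_others(self, account, bearer):
        current = self._current(account, bearer)
        if current is None:
            return {"status": 401}
        revoked = 0
        for t in account.tokens:
            if t is not current and not t.revoked:
                t.revoked = True
                revoked += 1
        return {"status": 200, "revoked_count": revoked}
```

Two design points worth noticing when reading the model against the page: a second `mobile` login leaves the `cli` token alive but silently kills the earlier `mobile` one, so a client that caches a token must expect `401` after any re-login of its own type; and the `totp_token` is consumed on first use, so the challenge cannot be replayed after a failed or successful code.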