> ## Documentation Index
> Fetch the complete documentation index at: https://docs.didit.me/llms.txt
> Use this file to discover all available pages before exploring further.

# Register Account

> Step 1 of programmatic onboarding. Creates a pending account and emails a 6-char code (10 min TTL). Rate limit: 5/IP/hour.

export const AgentPromptAccordion = ({prompt, title = "AI Agent Integration Prompt"}) => {
  const [copied, setCopied] = React.useState(false);
  const handleCopy = e => {
    e.stopPropagation();
    if (!prompt) return;
    navigator.clipboard.writeText(prompt.trim()).then(() => {
      setCopied(true);
      setTimeout(() => setCopied(false), 2000);
    });
  };
  const agents = ["Claude Code", "Codex", "Cursor", "Devin", "Windsurf", "GitHub Copilot"];
  return <div className="didit-agent-card">
      {}
      <div className="didit-agent-titlebar">
        <div className="didit-agent-dots" aria-hidden="true">
          <span className="didit-agent-dot didit-agent-dot-red"></span>
          <span className="didit-agent-dot didit-agent-dot-yellow"></span>
          <span className="didit-agent-dot didit-agent-dot-green"></span>
        </div>
        <span className="didit-agent-filename">{title}</span>
        <button type="button" className={`didit-agent-copy ${copied ? "didit-agent-copy-copied" : ""}`} onClick={handleCopy} title="Copy prompt to clipboard" aria-label={copied ? "Copied!" : "Copy prompt to clipboard"}>
          {copied ? <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <path d="M3 8.5l3.5 3.5L13 4" stroke="currentColor" strokeWidth="2" strokeLinecap="round" strokeLinejoin="round" />
              </svg>
              <span>Copied</span>
            </> : <>
              <svg width="13" height="13" viewBox="0 0 16 16" fill="none">
                <rect x="5" y="5" width="9" height="9" rx="1.5" stroke="currentColor" strokeWidth="1.5" />
                <path d="M11 5V3.5A1.5 1.5 0 0 0 9.5 2h-6A1.5 1.5 0 0 0 2 3.5v6A1.5 1.5 0 0 0 3.5 11H5" stroke="currentColor" strokeWidth="1.5" />
              </svg>
              <span>Copy</span>
            </>}
        </button>
      </div>

      {}
      <pre className="didit-agent-body"><code>{prompt.trim()}</code></pre>

      {}
      <div className="didit-agent-footer">
        <span className="didit-agent-footer-label">Paste into</span>
        <div className="didit-agent-chips">
          {agents.map(name => <span key={name} className="didit-agent-chip">{name}</span>)}
        </div>
      </div>
    </div>;
};

<AgentPromptAccordion
  title="Programmatic Register Prompt"
  prompt={`Programmatically create a pending Didit account — step 1 of the two-step onboarding (no browser, no console).

Endpoint:
POST https://apx.didit.me/auth/v2/programmatic/register/

Authentication:
None. This is a public endpoint. (Don't confuse the Auth API host \`apx.didit.me/auth/v2\` with the verification host \`verification.didit.me/v3\`.)

Request body:
- email (string, required) — Any real, deliverable email (personal, work, alias). The verification code is mailed synchronously, so reserved test domains (\`@example.com\`, \`@example.org\`, \`@*.test\`, \`@*.example\`, \`@*.invalid\`) get rejected by mail delivery and the call returns \`500\` — substitute the placeholder with an inbox you can read.
- password (string, required) — Must satisfy ALL of: minimum 8 characters, ≥1 uppercase letter (A-Z), ≥1 lowercase letter (a-z), ≥1 digit (0-9), ≥1 special character from !@#$%^&*()_+-=[]{}|;:,.<>?. Rules are validated one at a time and the first failure short-circuits.

curl example (replace \`you@yourdomain.com\` with a real inbox):
curl -X POST https://apx.didit.me/auth/v2/programmatic/register/ \\
-H "Content-Type: application/json" \\
-d '{
"email": "you@yourdomain.com",
"password": "MyStr0ng!Pass"
}'

Response (201 Created):
- message (string) — "Registration successful. Check your email for the verification code."
- email (string) — echoed back.

What happens server-side:
- A pending account is created (NOT usable yet).
- A 6-character alphanumeric code (e.g. "A3K9F2") is emailed to the supplied address.
- The code is valid for 15 minutes. After expiry the registration must be redone.

Failure modes (all 400 unless noted):
- Field-level: { "email": ["Enter a valid email address."] } or { "password": ["Ensure this field has at least 8 characters."] }.
- Password-strength failures CURRENTLY return as a BARE ARRAY (no field key), one rule at a time: ["Password must contain at least one uppercase letter."] / lowercase / digit / special character. Known server-side inconsistency — treat as { "password": [...] } client-side.
- Duplicate email: { "detail": "An account with this email already exists." }
- 429 — { "detail": "Too many registration attempts. Please try again later.", "wait": <seconds> } when more than 5 registrations from the same IP within an hour.
- 500 — returned (with an HTML body, not JSON) when mail delivery to the supplied address fails synchronously. Most commonly triggered by reserved test domains; use a real inbox.

Rate limits:
5 registrations per IP per hour.

Next step:
After receiving the email, call POST https://apx.didit.me/auth/v2/programmatic/verify-email/ with { "email", "code" } to get your access_token and api_key — see /auth-api/verify-email.

For end-to-end Didit integration, paste in the full prompt at /integration/integration-prompt.`}
/>


## OpenAPI

````yaml POST /programmatic/register/
openapi: 3.0.0
info:
  version: 1.0.0
  title: Didit Auth API
  description: >-
    Programmatic registration and authentication API for developers and AI
    agents. Register in 2 API calls -- no browser needed. The most
    agent-friendly identity verification platform.


    ## Base URL


    All endpoints in this spec are hosted at `https://apx.didit.me/auth/v2`.
    This is a different host than the verification API
    (`https://verification.didit.me/v3`). Keep them straight: this auth host
    issues your **JWT access tokens** and lets you list and manage your
    **organizations** and **applications**. The verification host is where you
    call sessions, workflows, AML, etc., authenticated with the **`api_key`**
    returned by this API.


    ## How the auth flow works


    1. `POST /programmatic/register/` — submit email + password.

    2. Receive a 6-character alphanumeric code by email.

    3. `POST /programmatic/verify-email/` — submit the code. You get back a JWT
    `access_token`, a `refresh_token`, an organization, and a default
    application with `client_id` + `api_key`.

    4. Save the `api_key`. Use it as `x-api-key` for every call to
    `https://verification.didit.me/v3/...`.

    5. From any future machine, `POST /programmatic/login/` exchanges your email
    + password for a fresh JWT, then call `GET /organizations/me/` and the
    application endpoints to recover or rotate credentials.


    The JWT is only needed for the **Account Management** endpoints in this
    spec; verification API traffic uses the long-lived `api_key`, not the JWT.


    ## Conventions


    - All request and response bodies are JSON (`Content-Type:
    application/json`).

    - **Use a real, deliverable email address when testing `POST
    /programmatic/register/`.** The endpoint sends the verification code
    synchronously, so addresses on reserved test domains (`@example.com`,
    `@example.org`, `@*.test`, `@*.example`, `@*.invalid`) are refused by mail
    delivery and the request returns a `500`. Substitute the
    `you@yourdomain.com` placeholder in the samples with an inbox you can
    actually read.

    - Validation errors return HTTP `400` with one of two envelopes: `{"field":
    ["message", ...]}` for field-level problems, or `{"detail": "message"}` for
    business-rule errors. A handful of validators (password strength on
    register, code expiry on verify-email) currently respond with a bare array
    `["message"]` instead of the field-keyed form -- this is a known server-side
    inconsistency, so client code should accept both shapes.

    - Authentication errors come back as `{"detail": "..."}` with HTTP `401`
    (invalid bearer token) or `403` (missing bearer token / insufficient
    privileges).

    - Rate-limit responses include a `wait` field with the cooldown in seconds.
servers:
  - url: https://apx.didit.me/auth/v2
    description: Production auth server
security: []
tags:
  - name: Programmatic Auth
    description: >-
      Email-and-password account lifecycle: register, verify, login. Returns the
      JWT `access_token` you use against the Account Management endpoints, plus
      (on verify) your first application's `client_id` and `api_key`.
  - name: Account Management
    description: >-
      Authenticated endpoints (JWT bearer) that list organizations and create,
      fetch, or update applications. Use these to recover or rotate the
      `api_key` you authenticate verification API calls with.
paths:
  /programmatic/register/:
    post:
      tags:
        - Programmatic Auth
      summary: Register Account
      description: >-
        Step 1 of programmatic onboarding. Creates a pending account and emails
        a 6-char code (10 min TTL). Rate limit: 5/IP/hour.
      operationId: programmatic_register
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/RegisterRequest'
            examples:
              Gmail:
                summary: Register with a personal Gmail
                value:
                  email: you@yourdomain.com
                  password: MyStr0ng!Pass
              Work:
                summary: Register with a work email
                value:
                  email: you@yourcompany.com
                  password: C0mplex#Pass1
      responses:
        '201':
          description: >-
            Registration successful. A 6-character alphanumeric verification
            code (e.g., `A3K9F2`) was emailed to the supplied address and is
            valid for 10 minutes. Call `POST /programmatic/verify-email/` next.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RegisterResponse'
              examples:
                Success:
                  value:
                    message: >-
                      Registration successful. Check your email for the
                      verification code.
                    email: you@yourdomain.com
        '400':
          description: >-
            Validation error. The intended envelope is `{"field": ["..."]}` for
            field-level errors and `{"detail": "..."}` for business-rule errors
            (e.g. duplicate email). Password-strength rules currently respond
            with a bare array `["..."]`, one rule at a time -- known server-side
            inconsistency; treat it as `{"password": ["..."]}` until fixed.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ValidationError'
              examples:
                MissingFields:
                  summary: Empty body
                  value:
                    email:
                      - This field is required.
                    password:
                      - This field is required.
                InvalidEmail:
                  summary: Malformed email
                  value:
                    email:
                      - Enter a valid email address.
                PasswordTooShort:
                  summary: Password under 8 chars
                  value:
                    password:
                      - Ensure this field has at least 8 characters.
                PasswordMissingUppercase:
                  summary: Password missing an uppercase letter
                  value:
                    - Password must contain at least one uppercase letter.
                PasswordMissingLowercase:
                  summary: Password missing a lowercase letter
                  value:
                    - Password must contain at least one lowercase letter.
                PasswordMissingDigit:
                  summary: Password missing a digit
                  value:
                    - Password must contain at least one digit.
                PasswordMissingSpecial:
                  summary: Password missing a special character
                  value:
                    - >-
                      Password must contain at least one special character
                      (!@#$%^&*()_+-=[]{}|;:,.<>?).
                Duplicate:
                  summary: Email already has an account
                  value:
                    detail: An account with this email already exists.
        '429':
          description: >-
            Rate limited. More than 5 registration attempts from the same IP in
            the last hour.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/RateLimitError'
              examples:
                RateLimited:
                  value:
                    detail: Too many registration attempts. Please try again later.
      x-codeSamples:
        - lang: curl
          label: cURL
          source: |-
            curl -X POST https://apx.didit.me/auth/v2/programmatic/register/ \
              -H "Content-Type: application/json" \
              -d '{
                "email": "you@yourdomain.com",
                "password": "MyStr0ng!Pass"
              }'
        - lang: python
          label: Python
          source: >-
            import requests


            resp = requests.post(
                "https://apx.didit.me/auth/v2/programmatic/register/",
                json={
                    "email": "you@yourdomain.com",
                    "password": "MyStr0ng!Pass",
                },
                timeout=10,
            )

            resp.raise_for_status()

            print(resp.json())

            # {'message': 'Registration successful...', 'email':
            'you@yourdomain.com'}
        - lang: javascript
          label: JavaScript
          source: |-
            const resp = await fetch(
              "https://apx.didit.me/auth/v2/programmatic/register/",
              {
                method: "POST",
                headers: { "Content-Type": "application/json" },
                body: JSON.stringify({
                  email: "you@yourdomain.com",
                  password: "MyStr0ng!Pass",
                }),
              },
            );
            if (!resp.ok) throw new Error(`Register failed: ${resp.status}`);
            const data = await resp.json();
            console.log(data);
components:
  schemas:
    RegisterRequest:
      type: object
      required:
        - email
        - password
      properties:
        email:
          type: string
          format: email
          description: >-
            Any valid email address (personal, work, alias). Used as the unique
            account identifier.
          example: you@yourdomain.com
        password:
          type: string
          minLength: 8
          description: >-
            Minimum 8 characters. Must contain at least one uppercase letter
            (`A-Z`), one lowercase letter (`a-z`), one digit (`0-9`), and one
            special character from `!@#$%^&*()_+-=[]{}|;:,.<>?`. Validation
            reports one failed rule at a time.
          example: MyStr0ng!Pass
    RegisterResponse:
      type: object
      properties:
        message:
          type: string
          description: Human-readable confirmation that the verification code was sent.
          example: Registration successful. Check your email for the verification code.
        email:
          type: string
          format: email
          description: The email the verification code was sent to.
          example: you@yourdomain.com
    ValidationError:
      description: >-
        Validation error body. The intended envelope is a `{field: ["message",
        ...]}` map for field-level errors or a `{detail: "..."}` single-key
        envelope for business-rule errors. A handful of validators (password
        strength on register, code validity on verify-email) currently respond
        with a bare array `["message"]` -- known server-side inconsistency. The
        schema below keeps that bare-array branch so client code generated from
        this spec deserializes today's responses, but new client code should
        treat it as the relevant field-keyed form (`{password: [...]}` or
        `{code: [...]}`) and the server contract will converge on that shape.
      oneOf:
        - type: object
          additionalProperties:
            type: array
            items:
              type: string
          example:
            email:
              - Enter a valid email address.
        - type: object
          properties:
            detail:
              type: string
          example:
            detail: An account with this email already exists.
        - type: array
          items:
            type: string
          example:
            - Invalid or expired verification code.
    RateLimitError:
      type: object
      description: >-
        Rate-limit or progressive-lockout response. `wait` is the cooldown in
        seconds.
      properties:
        detail:
          type: string
          example: >-
            Too many login attempts from this IP address. Please wait before
            trying again.

````