/v1/me/* and /v1/auth/*
and requires a user session (JWT); API keys do not apply.
Profile data and verified identity
PATCH /v1/me updates your profile data (display_name, tax_id, phone,
country). But once your identity verification (KYC/KYB) is approved,
your name, tax ID and country are filled automatically from the verified
identity — what the verification confirmed, not what was self-declared —
and they become immutable through this endpoint:
phone stays editable at any time with its own
verification flow (OTP to the previous number when the policy requires it).
Password
1
Change it (with a session)
POST /v1/me/password with current_password and new_password. If your
account was created via social login and has no password yet, leave
current_password empty to set the first one. Changing it revokes all other
sessions and the response carries a fresh one.2
Recover it (no session)
POST /v1/auth/password/forgot with org and email. It always returns
200 with the same body whether or not the account exists (it never reveals if
the email is registered). The code goes to the email; with channel:"sms" it
goes to the verified phone.POST /v1/auth/password/reset with code and new_password. Revokes all
sessions.Login email
The email can be changed, but the new email is always verified: the code goes to the new address and the change only applies once you confirm it. This prevents anyone from pointing the login at a mailbox they do not control.1
Start the change
POST /v1/me/email/change with new_email. If the 2FA policy requires it,
also send the X-OTP-Token header for the email_change action.2
Confirm with the code
POST /v1/me/email/confirm with the code received at the new email. The old
email is notified of the change.Changing your email does not break your already-linked social logins
(Google, Apple, etc.): they are identified by the provider, not the email.
Alias and QR to get paid
Each account has two permanent public identifiers so others can send you money between CBPay accounts:- Alias — you choose it once with
PUT /v1/me/alias(4-20 charsa-z 0-9 . _ -, no reserved words). It cannot be changed. - Profile QR —
GET /v1/me/qrreturns theqr_token, the payloadcbpay:pay?to=<token>and a ready-to-render PNG. It only lets others receive money to you, so it never changes.
GET /v1/resolve?alias=taylor.code (or ?qr=<token>), which returns your
name, type and avatar. And transfers accept the destination directly:
to_qr_token works the same (accepts the token or the cbpay:pay?to=…
payload).
Profile photo
PUT /v1/me/avatar with the image bytes (JPEG, PNG or WebP, max 512 KB; the
type is detected from the content). DELETE /v1/me/avatar removes it and
GET /v1/avatars/{accountID} serves it for previews.
The response includes avatar_url: when the image is published to the public
CDN it is an absolute URL that loads without authentication (ideal for the
front end — use it directly in an <img>); in that case
GET /v1/avatars/{accountID} answers with a 302 redirect to the same URL.
Two-factor authentication (2FA)
CBPay protects sensitive actions with a one-time code. You choose, per action, whether it is required and over which channel:GET /v1/otp/preferences shows your effective policy (and what your
organization requires, which is the floor: you can harden, not go below).
PUT /v1/otp/preferences adjusts it. Weakening your 2FA (disabling an
action or lowering the channel) first requires verifying your current factor.
Authenticator app (TOTP)
1
Enroll
POST /v1/me/totp/enroll returns the otpauth:// and a QR. Scan it in your
app.2
Confirm
POST /v1/me/totp/confirm with the first code. It hands you 10 one-time
backup codes — store them, they are shown only once.POST /v1/me/totp/recovery-codes or remove the app
with DELETE /v1/me/totp (both require a valid code).
Passkeys
Passkeys let you sign in without a password using the device’s biometrics (Face ID, Touch ID, Windows Hello, or a security key).1
Register
POST /v1/me/passkeys/register/begin → pass options.publicKey to
navigator.credentials.create() → POST /v1/me/passkeys/register/finish with
the result and a name (“Taylor’s MacBook”).2
Sign in
POST /v1/auth/passkey/login/begin with org → navigator.credentials.get()
→ POST /v1/auth/passkey/login/finish. Since a passkey is already two factors
(device + biometrics), this login does not ask for a second code.GET/DELETE /v1/me/passkeys. You cannot
remove your only sign-in method.
Passkeys and passkey registration depend on your organization having its domain
configured; otherwise they return
passkeys_unavailable.Sessions and activity
GET /v1/me/sessionslists your active sessions (device, IP, login method, which one is current).DELETE /v1/me/sessions/{id}closes one;POST /v1/me/sessions/revoke-allcloses all but the current.GET /v1/me/security/events?from=&to=is your account’s security history: logins, password or email changes, factors added or removed.
Common errors
Can I change my alias or QR later?
Can I change my alias or QR later?
No. Both are permanent by design: they are your stable identity to receive
money. The QR only allows receiving, so sharing it is not a risk.
I lost the phone with my authenticator app
I lost the phone with my authenticator app
Use one of your backup codes (the ones you got when confirming TOTP) in any
verification or login. If you do not have them, recover access with another
factor (passkey or password + another channel) and regenerate everything.
Does changing my email disconnect me from Google/Apple?
Does changing my email disconnect me from Google/Apple?
No. Social logins are identified by the provider, not the email, so they keep
working.