- /login by email & password
- /register by email & password
- /passwords/forgot
- /passwords/reset
- /oauth/fb
2FA, if user logs in with a new device with a new device ids OR new IP we need to send them a otp via email to validate.
Consider using Kong for authentication layer. We don't write our own crypto, so why should we write our own auth?
Other than EC2, what other AWS services are we using or plan on using? This will greatly influence which Kong or AWS API Gateway we use -> A LOT of services.