- /login by email & password
- /register by email & password
- /passwords/forgot
- /passwords/reset
- /oauth/fb
2FA, if user logs in with a new device with a new device ids OR new IP we need to send them a otp via email to validate.
Consider using Kong for authentication layer. We don't write our own crypto, so why should we write our own auth?
Kong seems more suitable for public APIs where there may be a large number of users.