* POST /account/create (email,srpV,srpSalt) -> ok (server sends verification email)
** creates a user account
* GET /account/devices [sessionToken] () -> list of devices
* GET /account/keys [keyFetchToken,needs-verf] () -> kA/wrap(kB)
** single-use, only if email is verified, encrypted results
* POST /account/reset [authed+encrypted by accountResetToken] (wrap(kB),srpV,srpSalt) -> ok
** single-use, does not require email to be verified, revoke all tokens for account, send notification email to user
* POST /account/delete [authToken] () -> ok, account deleted
* POST /auth/start (email) -> srpToken, SRP stuff
* POST /auth/finish (srpToken, SRP stuff, deviceInfo) -> authToken
* POST /session/create [authToken] () -> keyFetchToken, sessionToken
* POST /session/destroy [sessionToken] () -> ok
** for detaching a device, destroy all tokens
* POST /recovery_email/status [sessionToken] () -> "verified" status
** does not require verified email
** use "Accept: text/event-stream" header for server-sent-events; server will send "update" event with the new content of the resource any time it changes.
* POST /recovery_email/resend_code [sessionToken] () -> re-send verification email
* POST /recovery_email/verify_code (code) -> set "verified" flag
** this code will come from a clickable link and is an unauthenticated endpoint
** this could maybe take the recovery method if that would be helpful
** sets verified flag on recovery method
* POST /certificate/sign [sessionToken,needs-verf] (pubkey) -> cert
** only if email is verified
* POST /password/change/start [authToken,needs-verf] () -> accountResetToken
** requires that the email associated with the session is verified
* POST /password/forgot/send_code (recovery method) -> forgotPasswordToken
** sends code to recovery method (email for now, maybe SMS later)
** this is a short code, not a clickable link
* POST /password/forgot/resend_code (forgotPasswordToken) -> re-sends code
* POST /password/forgot/verify_code (forgotPasswordToken, code) -> accountResetToken
** sets verified flag on recovery method
* POST /get_random_bytes
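The token rules stated in the list above (which token authorises each call, which tokens are single-use, which calls need a verified email, and revoke-all on /account/reset), modelled as an added Python example; it is not the page's or the project's own code, and the TokenStore class, its method names and the assumption that a rejected call leaves its token unconsumed are mine.

```python
import secrets
from dataclasses import dataclass, field

# Assumed model of the token rules in the endpoint list above, not the real server
# code: each endpoint names the token kind that authorises it, keyFetchToken and
# accountResetToken are single-use, some calls need a verified email, and
# /account/reset revokes every token the account holds.
SINGLE_USE = {"keyFetchToken", "accountResetToken"}
NEEDS_VERIFIED_EMAIL = {"/account/keys", "/certificate/sign", "/password/change/start"}
REQUIRED_TOKEN = {
    "/account/devices": "sessionToken", "/account/keys": "keyFetchToken",
    "/account/reset": "accountResetToken", "/account/delete": "authToken",
    "/session/create": "authToken", "/session/destroy": "sessionToken",
    "/recovery_email/status": "sessionToken", "/recovery_email/resend_code": "sessionToken",
    "/certificate/sign": "sessionToken", "/password/change/start": "authToken",
}

@dataclass
class TokenStore:
    email_verified: dict = field(default_factory=dict)  # uid -> bool
    tokens: dict = field(default_factory=dict)          # token id -> (kind, uid)

    def issue(self, kind: str, uid: str) -> str:
        tid = secrets.token_hex(16)   # opaque handle; the real token format is not modelled
        self.tokens[tid] = (kind, uid)
        return tid

    def authorize(self, endpoint: str, tid: str) -> str:
        required = REQUIRED_TOKEN[endpoint]       # unauthenticated endpoints are not listed
        kind, uid = self.tokens.get(tid, (None, None))
        if kind is None:
            raise PermissionError("unknown, revoked or already-used token")
        if kind != required:
            raise PermissionError(f"{endpoint} needs {required}, got {kind}")
        if endpoint in NEEDS_VERIFIED_EMAIL and not self.email_verified.get(uid, False):
            raise PermissionError("email not verified")   # assumption: token is kept
        if kind in SINGLE_USE or endpoint == "/session/destroy":
            del self.tokens[tid]                          # consumed on first successful use
        if endpoint == "/account/reset":                  # "revoke all tokens for account"
            self.tokens = {t: v for t, v in self.tokens.items() if v[1] != uid}
        return uid

    def is_allowed(self, endpoint: str, tid: str) -> bool:
        try:
            return bool(self.authorize(endpoint, tid))
        except PermissionError:
            return False
```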