First of all, if you don’t send the password or message object, the server returns a 500 internal server error however if an empty message object is sent, the server returns 400 bad request with an error message. Maybe provide an error message and 400 bad request when no password or message object is sent.
Thanks for the heads up. I’ll make sure there’s a more appropriate error message here.
Surreal CMS will send the welcome email with Surreal CMS branding if the user is created with https://edit.surrealcms.com/api/. I found that if I use my own clientcms.com subdomain for the API domain, the email is sent with my branding. This should be fixed so the correct branding is sent regardless of what domain is used for the API.
Good catch. API endpoints can also be access from custom domains, but this isn’t documented so that’s a quick workaround.
Currently, the app looks at the hostname to determine white-label options. The reason for this is the login page. If you’re not authenticated, what logo should be displayed? So it checks the domain.
What it should be doing is checking the authenticated user’s account first, and if they’re not authenticated fall back to a hostname check. This would cover users logged in at edit.surrealcms.com as well as API requests, regardless of the endpoint.
I’ll get this sorted soon.