Authentication

The backend supports JWT/session authentication.

Observed token behavior:

• Bearer tokens are accepted through the Authorization header.
• Session cookies are used by frontend session flows.
• /auth/refresh refreshes access.
• /auth/ws-token issues a WebSocket token with ws:connect scope.
• /ws validates the token query parameter before accepting a connection.

Confirmed auth routes include:

• POST /api/v2/auth/email-login
• POST /api/v2/auth/github/exchange
• POST /api/v2/auth/verify-token
• POST /api/v2/auth/session
• GET /api/v2/auth/session
• GET /me
• POST /logout
• POST /auth/token
• POST /auth/ws-token
• POST /auth/refresh

No fake credentials are documented here.