Authentication API

Token Type	Purpose	Lifetime	Storage
Access Token	API request authentication	30 minutes	Client memory/secure storage
Refresh Token	Obtain new access tokens	6 months (sliding window)	Secure client storage only
CSRF Token	Request validation	Same as access token	Client memory

POST /api/auth/apple/callback

Handle Apple OAuth callback and authenticate or register user

Request Body:

{
    "code": "c1234567890abcdef...",
    "idToken": "eyJraWQiOiJXNldjT0tC...",
    "nonce": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
    "redirectUri": "https://yourdomain.com/auth/apple/callback",
    "mode": "login",
    "platform": "ios"
}

Field Descriptions:

code (required) - Authorization code received from Apple OAuth flow
idToken (optional) - Apple ID token (included in response_mode form_post)
nonce (required) - Nonce used in the authorization request for replay attack prevention
redirectUri (required) - Must match the redirect URI used in the authorization request
mode (required) - Authentication mode, either "login" or "register"
platform (optional) - Platform identifier: "ios", "android", or "web" (defaults to "web")

Response (200 OK for login, 201 Created for register):

{
    "token": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...",
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...",
    "csrfToken": "a8d7f9c6e5b4a3c2d1e0f9a8d7f6c5b4a3",
    "expiresIn": 1800,
    "user": {
        "id": 1,
        "username": "John Doe",
        "email": "john@privaterelay.appleid.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Doe",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": "2023-01-15T08:30:00Z",
        "updatedAt": null,
        "subscription": null
    }
}

Error Responses:

{
    "error": "Missing required parameters",
    "message": "code, nonce, redirectUri, and mode are required",
    "code": "APPLE_MISSING_PARAMS"
}

{
    "error": "Invalid mode",
    "message": "mode must be 'login' or 'register'",
    "code": "APPLE_INVALID_MODE"
}

{
    "error": "Invalid Apple ID token",
    "message": "Failed to verify Apple ID token",
    "code": "APPLE_INVALID_ID_TOKEN"
}

{
    "error": "User not found",
    "message": "No account found with this Apple ID. Please register first.",
    "code": "AUTH_APPLE_USER_NOT_FOUND"
}

{
    "error": "Email already exists",
    "message": "An account with this Apple email already exists. Please sign in instead.",
    "code": "AUTH_EMAIL_EXISTS"
}

{
    "error": "Too many OAuth attempts",
    "message": "Too many OAuth attempts from this IP, please try again later.",
    "code": "RATE_LIMIT_EXCEEDED"
}

Notes:

Nonce Verification: The nonce parameter is critical for security and must match the nonce used in the authorization request
Apple ID Token: Apple returns the ID token via form_post, which should be included in the request
Email Privacy: Apple users may use private relay emails (e.g., @privaterelay.appleid.com)
Name Availability: Apple only provides user's name on first authorization; subsequent logins won't include name data
Rate Limited: Limited to 10 attempts per IP per 15 minutes
Auto-Verification: Apple users are automatically email-verified
Session Management: Creates app session with access and refresh tokens
Platform-Specific: Different configurations for iOS, Android, and Web platforms

Apple OAuth Flow Overview:

Client generates random nonce and state values
Client redirects to Apple with nonce and state
User authenticates with Apple ID
Apple redirects back with code, id_token, and state
Client sends code, id_token, and nonce to this endpoint
Server verifies ID token with Apple's public keys
Server validates nonce to prevent replay attacks
Server creates or authenticates user session

POST /api/auth/apple/form-post

Handle Apple OAuth form_post callback (receives data from Apple and redirects to frontend)

Request Body (sent by Apple):

{
    "code": "c1234567890abcdef...",
    "id_token": "eyJraWQiOiJXNldjT0tC...",
    "state": "{\"state\":\"dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk\",\"mode\":\"login\",\"returnUrl\":\"http://localhost:5173\"}",
    "user": "{\"name\":{\"firstName\":\"John\",\"lastName\":\"Doe\"},\"email\":\"john@privaterelay.appleid.com\"}"
}

State Parameter Format:

The state parameter contains JSON-encoded data:

{
    "state": "random_string_for_csrf_protection",
    "mode": "login" | "register",
    "returnUrl": "https://yourdomain.com"  // Optional, frontend URL to redirect to
}

Response (200 OK - HTML redirect):

<!DOCTYPE html>
<html>
  <head>
    <title>Apple Sign In</title>
  </head>
  <body>
    <p>Completing Apple Sign-In...</p>
    <script>
      window.location.replace('https://yourdomain.com/auth/apple/callback#code=...&id_token=...&state=...');
    </script>
  </body>
</html>

Error Response (400 Bad Request):

<!DOCTYPE html>
<html>
  <body>
    <script>
      sessionStorage.setItem('appleAuthError', JSON.stringify({
        title: 'Apple Authentication Error',
        description: 'Missing required parameters from Apple',
        type: 'error'
      }));
      window.location.replace('/login');
    </script>
  </body>
</html>

Notes:

Apple's Response Mode: This endpoint is designed for response_mode=form_post
Automatic Redirect: Returns HTML that automatically redirects to your frontend
Hash Parameters: Data is passed in URL hash (not query params) for security
User Data: Apple only provides user name on first authorization
State Parameter: Contains JSON with mode, state value, and optional returnUrl
No Query Parameters: Apple requires exact URL match - returnUrl must be in state parameter, not query string
Frontend URL: Extracted from state parameter and validated against ALLOWED_FRONTEND_URLS whitelist
Security: Frontend URLs are validated against whitelist before redirecting
Not Rate Limited: Apple makes this request, not the user

Apple Developer Configuration:

In your Apple Services ID, configure the Return URL WITHOUT query parameters:

https://yourdomain.com/api/auth/apple/form-post

Important: Do NOT include query parameters like ?returnUrl=... in the Apple Developer Console configuration. Apple requires exact URL matching.

POST /api/auth/google/callback-pkce

Handle Google OAuth callback with PKCE (Proof Key for Code Exchange) - recommended for mobile apps

Request Body:

{
    "code": "4/0AfJohXlxxx...",
    "codeVerifier": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk",
    "redirectUri": "com.googleusercontent.apps.123456789:redirect",
    "mode": "login",
    "platform": "android"
}

Field Descriptions:

code (required) - Authorization code received from Google OAuth flow
codeVerifier (required) - PKCE code verifier (proves ownership of the auth request)
redirectUri (required) - Must match the redirect URI used in the authorization request
mode (required) - Authentication mode, either "login" or "register"
platform (optional) - Platform identifier: "ios", "android", or "web" (defaults to "web")

Response (200 OK for login, 201 Created for register):

{
    "token": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...",
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...",
    "csrfToken": "a8d7f9c6e5b4a3c2d1e0f9a8d7f6c5b4a3",
    "expiresIn": 1800,
    "user": {
        "id": 1,
        "username": "John Doe",
        "email": "john@gmail.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Doe",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": "2023-01-15T08:30:00Z",
        "updatedAt": null,
        "subscription": null
    }
}

Error Responses:

{
    "error": "Missing required parameters",
    "message": "code, codeVerifier, redirectUri, and mode are required",
    "code": "PKCE_MISSING_PARAMS"
}

{
    "error": "Invalid mode",
    "message": "mode must be 'login' or 'register'",
    "code": "PKCE_INVALID_MODE"
}

{
    "error": "Invalid redirect URI",
    "message": "Redirect URI does not match expected pattern for platform",
    "code": "PKCE_INVALID_REDIRECT_URI"
}

{
    "error": "Failed to exchange authorization code",
    "message": "Token exchange failed",
    "code": "PKCE_TOKEN_EXCHANGE_FAILED"
}

{
    "error": "User not found",
    "message": "No account found with this Google email. Please register first.",
    "code": "AUTH_GOOGLE_USER_NOT_FOUND"
}

{
    "error": "Email already exists",
    "message": "An account with this Google email already exists. Please sign in instead.",
    "code": "AUTH_EMAIL_EXISTS"
}

{
    "error": "Too many OAuth attempts",
    "message": "Too many OAuth attempts from this IP, please try again later.",
    "code": "RATE_LIMIT_EXCEEDED"
}

Notes:

PKCE Security: This endpoint uses PKCE (RFC 7636) for enhanced security
Mobile Recommended: PKCE is the recommended flow for mobile and native apps
No Client Secret in App: Client secrets stay on the server, not in mobile apps
Platform-Specific: Uses different Google OAuth clients per platform
Rate Limited: Limited to 10 attempts per IP per 15 minutes
Redirect URI Validation: Strict validation of redirect URIs per platform
Auto-Verification: Google users are automatically email-verified
Session Management: Creates app session with access and refresh tokens

PKCE Flow Overview:

Client generates codeVerifier (random string)
Client generates codeChallenge from verifier (SHA256 hash)
Client redirects to Google with codeChallenge
User authenticates with Google
Google redirects back with authorization code
Client sends code + codeVerifier to this endpoint
Server exchanges code + verifier with Google for tokens
Server validates and creates user session

POST /api/auth/google/callback

Handle Google OAuth callback and exchange authorization code for tokens

Request Body:

{
    "code": "4/0AfJohXlxxx...",
    "mode": "login",
    "redirectUri": "http://localhost:3000/auth/google/callback"
}

Field Descriptions:

code (required) - Authorization code received from Google OAuth flow
mode (required) - Authentication mode, either "login" or "register"
redirectUri (required) - Redirect URI that must match the one configured in Google Cloud Console

Response (200 OK):

{
    "googleIdToken": "eyJzdWIiOiIxMjM0NTY3ODkw...",
    "message": "Google authentication successful"
}

Error Responses:

{
    "error": "Missing required parameters",
    "message": "code, mode, and redirectUri are required",
    "code": "GOOGLE_AUTH_MISSING_PARAMS"
}

{
    "error": "Invalid mode",
    "message": "mode must be 'login' or 'register'",
    "code": "GOOGLE_AUTH_INVALID_MODE"
}

{
    "error": "Failed to exchange authorization code",
    "message": "Google authentication failed",
    "code": "GOOGLE_AUTH_TOKEN_EXCHANGE_FAILED"
}

{
    "error": "Failed to retrieve user information",
    "message": "Could not get user profile from Google",
    "code": "GOOGLE_AUTH_USER_INFO_FAILED"
}

Notes:

This endpoint handles the server-side OAuth flow for PWA compatibility
Exchanges the authorization code for Google tokens and retrieves user information
Returns a base64-encoded user payload that can be used with existing Google auth endpoints
The returned googleIdToken can be passed to /api/auth/google/login or /api/auth/google/register
Requires proper Google Cloud Console configuration with matching redirect URIs
Client ID and Client Secret must be configured in environment variables

POST /api/auth/google/login

Authenticate with Google ID token

Request Body:

{
    "googleIdToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6...",
    "platform": "android"  // Optional: "web", "android", or "ios"
}

Field Descriptions:

googleIdToken (required) - Google ID token obtained from OAuth flow
platform (optional) - Platform identifier for multi-platform support
- "web" - Web application (default if not specified)
- "android" - Android application
- "ios" - iOS application

Response (200 OK):

{
    "token": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...", // Valid for 30 minutes
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...", // Valid for 6 months
    "csrfToken": "a8d7f9c6e5b4a3c2d1e0f9a8d7f6c5b4a3",
    "expiresIn": 1800, // 30 minutes in seconds
    "user": {
        "id": 1,
        "username": "John Doe",
        "email": "john@gmail.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Doe",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": "2023-01-15T08:35:00Z",
        "updatedAt": "2023-01-15T08:30:00Z",
        "subscription": null
    }
}

Error Responses:

{
    "message": "Invalid Google ID token",
    "code": "AUTH_INVALID_GOOGLE_TOKEN"
}

{
    "message": "No account found with this Google email. Please register first.",
    "code": "AUTH_GOOGLE_USER_NOT_FOUND"
}

Notes:

Requires a valid Google ID token obtained from Google OAuth2 flow
The platform parameter ensures the correct Google Client ID is used for verification
If platform is not specified, defaults to web client ID
User must already have an account with the email from Google profile
Google users are automatically verified since Google handles email verification
If user's email is not verified, it will be automatically verified during login
Last login time is tracked and updated on each successful authentication

POST /api/auth/google/register

Register a new user account with Google ID token

Request Body:

{
    "googleIdToken": "eyJhbGciOiJSUzI1NiIsImtpZCI6...",
    "platform": "ios"  // Optional: "web", "android", or "ios"
}

Field Descriptions:

googleIdToken (required) - Google ID token obtained from OAuth flow
platform (optional) - Platform identifier for multi-platform support
- "web" - Web application (default if not specified)
- "android" - Android application
- "ios" - iOS application

Response (201 Created):

{
    "token": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...", // Valid for 30 minutes
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...", // Valid for 6 months
    "csrfToken": "f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3",
    "expiresIn": 1800, // 30 minutes in seconds
    "user": {
        "id": 2,
        "username": "John Doe",
        "email": "john@gmail.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Doe",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": "2023-01-15T08:30:00Z",
        "updatedAt": null,
        "subscription": null
    }
}

Error Responses:

{
    "message": "Invalid Google ID token",
    "code": "AUTH_INVALID_GOOGLE_TOKEN"
}

{
    "message": "Email address is already registered. Please use login instead.",
    "code": "AUTH_EMAIL_EXISTS"
}

Notes:

Requires a valid Google ID token obtained from Google OAuth2 flow
The platform parameter ensures the correct Google Client ID is used for verification
If platform is not specified, defaults to web client ID
User profile data (name, email) is extracted from Google profile
Google users are automatically verified since Google handles email verification
No password is required as authentication is handled by Google
If user already exists with the email, use the login endpoint instead
Account type is automatically set to 'GOOG' (Google OAuth) for Google registrations
Last login time is tracked and updated on each successful authentication

POST /api/auth/login

Log in with email and password

Request Body:

{
    "email": "user@example.com",
    "password": "yourpassword"
}

Response (200 OK):

{
    "token": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...", // Valid for 30 minutes
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...", // Valid for 6 months
    "csrfToken": "a8d7f9c6e5b4a3c2d1e0f9a8d7f6c5b4a3",
    "expiresIn": 1800, // 30 minutes in seconds
    "user": {
        "id": 1,
        "username": "John Doe",
        "email": "john@example.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Doe",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": "2023-01-15T08:35:00Z",
        "updatedAt": "2023-01-15T08:30:00Z",
        "subscription": null
    }
}

Error Responses:

{
    "message": "Invalid credentials",
    "code": "AUTH_INVALID_CREDENTIALS"
}

{
    "message": "Your email address has not been verified. A verification code has been sent to your email address.",
    "code": "AUTH_EMAIL_NOT_VERIFIED"
}

POST /api/auth/logout

Log out the current user (invalidate token)

Headers (Optional):

Authorization: Bearer ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...

Note: Authorization header is optional. If provided, the specific session will be invalidated. If not provided, logout will still succeed.

Response (200 OK):

{
    "success": true,
    "message": "Logged out successfully"
}

POST /api/auth/refresh-token /api/auth/refresh

Refresh authentication token when the current one is about to expire or has expired. Both endpoints are supported for compatibility.

Headers (Optional):

Authorization: Bearer [current_access_token_or_refresh_token]

Request Body (Optional - takes priority if provided):

{
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn..."
}

Notes:

If refreshToken is provided in the request body, it will be used instead of the token from the Authorization header
If no request body is provided, the Authorization header token will be used
The endpoint accepts both access tokens and refresh tokens
Does not require CSRF token - auth endpoints are exempt from CSRF protection
/api/auth/refresh-token is the legacy endpoint, /api/auth/refresh is preferred

Response (200 OK):

{
    "token": "DEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstu...", // New token valid for 30 minutes
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...", // New refresh token valid for 6 months
    "csrfToken": "f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3", // New CSRF token
    "expiresIn": 1800, // 30 minutes in seconds
    "user": {
        "id": 1,
        "username": "John Doe",
        "email": "john@example.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Doe",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": "2023-01-15T08:35:00Z",
        "updatedAt": "2023-01-15T08:30:00Z",
        "subscription": null
    }
}

Error Responses:

{
    "message": "No token provided",
    "code": "AUTH_NO_TOKEN"
}

{
    "message": "Invalid token format",
    "code": "AUTH_INVALID_TOKEN_FORMAT"
}

{
    "message": "No active session found. Please log in again.",
    "code": "AUTH_SESSION_NOT_FOUND",
    "requiresLogout": true
}

{
    "message": "Your session has been revoked. Please log in again.",
    "code": "AUTH_SESSION_REVOKED",
    "requiresLogout": true
}

{
    "message": "Your session has expired. Please log in again.",
    "code": "AUTH_REFRESH_EXPIRED",
    "requiresLogout": true
}

{
    "message": "User account issue. Please log in again.",
    "code": "AUTH_USER_NOT_FOUND",
    "requiresLogout": true
}

{
    "message": "Authentication error. Please log in again.",
    "code": "AUTH_ERROR",
    "requiresLogout": true
}

POST /api/auth/register

Register a new user account

Request Body:

{
    "username": "johnsmith",
    "email": "john@example.com",
    "password": "securePassword123",
    "firstName": "John",
    "lastName": "Smith"
}

Field Descriptions:

username (required) - User's display name, will be trimmed of whitespace
email (required) - Valid email address, must be unique
password (required) - Must be at least 8 characters long
firstName (optional) - User's first name, max 50 characters
lastName (optional) - User's last name, max 50 characters

Response (201 Created):

{
    "token": "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...", // Valid for 30 minutes
    "refreshToken": "XYZABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmn...", // Valid for 6 months
    "csrfToken": "f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3",
    "expiresIn": 1800, // 30 minutes in seconds
    "user": {
        "id": 2,
        "username": "johnsmith",
        "email": "john@example.com",
        "typeCode": "SUBS",
        "typeName": "Subscribed",
        "firstName": "John",
        "lastName": "Smith",
        "isActive": true,
        "createdAt": "2023-01-15T08:30:00Z",
        "verifiedAt": null,
        "updatedAt": null,
        "subscription": null
    }
}

Error Responses:

{
    "message": "Email address is already registered",
    "code": "AUTH_EMAIL_EXISTS"
}

{
    "message": "Validation error",
    "code": "VALIDATION_ERROR",
    "errors": [
        {
            "type": "field",
            "value": "",
            "msg": "Username is required",
            "path": "username",
            "location": "body"
        }
    ]
}

Notes:

After successful registration, a verification email is sent to the provided address
Users must verify their email before they can log in
All field validation is performed server-side with detailed error messages
The response includes immediate access tokens for authenticated API calls
Account type is automatically set to 'EMAI' (Email) for traditional registrations
Last login time is tracked and updated on each successful authentication

POST /api/auth/reset-password

Request a password reset code

Request Body:

{
    "email": "user@example.com"
}

Response (200 OK):

{
    "message": "Password reset code has been sent to your email address"
}

Error Responses:

{
    "message": "Email address not found"
}

Notes:

If the email address is not found, the endpoint returns a 400 error
For security, the response message doesn't explicitly reveal if an email exists in the system
A 6-digit verification code is sent to the email address if found
Previous reset requests for the user are cleared when a new request is made

POST /api/auth/verify-password

Verify user's current password (requires authentication and CSRF token)

Headers:

Authorization: Bearer ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqr...
x-csrf-token: a8d7f9c6e5b4a3c2d1e0f9a8d7f6c5b4a3

Request Body:

{
    "password": "currentUserPassword"
}

Response (200 OK):

{
    "message": "Password verified successfully"
}

Error Responses:

{
    "message": "Authentication required"
}

{
    "message": "Password is required"
}

{
    "message": "Invalid password"
}

{
    "message": "Account has been deactivated"
}

{
    "message": "Password verification is not available for Google accounts"
}

Notes:

This endpoint is useful for confirming user identity before sensitive operations
Requires both authentication (Bearer token) and CSRF token
Google OAuth users cannot use this endpoint as they don't have passwords
Useful for password change workflows, account deletion confirmation, etc.

POST /api/auth/verify-registration

Verify a registration with the verification code

Request Body:

{
    "email": "user@example.com",
    "verificationCode": "123456"
}

Response (200 OK):

{
    "message": "Email verified successfully"
}

Error Responses:

{
    "message": "Invalid email address"
}

{
    "message": "No verification request found"
}

{
    "message": "Maximum attempts exceeded"
}

{
    "message": "Verification code has expired"
}

{
    "message": "Invalid verification code"
}

Notes:

Verification codes expire after 1 week from creation
Maximum of 5 attempts allowed per verification request
Once verified, the user can log in without restrictions

POST /api/auth/verify-reset-password

Reset password using verification code

POST /api/auth/verify-reset-password

Reset password using verification code

Request Body:

{
    "email": "user@example.com",
    "verificationCode": "123456",
    "newPassword": "newSecurePassword"
}

Response (200 OK):

{
    "message": "Password has been successfully reset"
}

Error Responses:

{
    "message": "Password must be at least 8 characters long"
}

{
    "message": "Invalid email address"
}

{
    "message": "No password reset request found"
}

{
    "message": "Maximum attempts exceeded. Please request a new verification code"
}

{
    "message": "Verification code has expired. Please request a new one"
}

{
    "message": "Invalid verification code"
}

Notes:

Password must be at least 8 characters long
Verification codes expire after 1 week from creation
Maximum of 5 attempts allowed per reset request
After successful password reset, all existing sessions for the user are invalidated
The reset request is cleared after successful password change

Authentication Endpoints Index

Token-Based Authentication

How Token Authentication Works

Token Types and Persistent Authentication

Persistent Login Flow

Client-Side Implementation

CSRF Protection

How CSRF Protection Works

Authentication Endpoints