Authentication Flow

buddingLast update on Jul 6, 2026

Authentication Flow

We use JWT-based authentication.

  1. Client sends POST to /api/login with credentials.
  2. Server validates credentials against the PostgreSQL DB.
  3. Server returns an Access Token (15m expiry) and sets a HttpOnly Refresh Token cookie (7d expiry).