Authentication

Cookie sessions

POST /auth/login with email/password → cookie ms_session=ses_*. TTL 30 days (sliding on every request).

OAuth

POST /auth/oauth/:provider/callback — GitHub / Google / Apple. Configuration is via env vars (see dev-setup.md).

Magic link

POST /auth/magic-link/request with an email → the link arrives by email (or is printed to API stdout in console-mailer mode).

2FA flow

After login with 2FA enabled, the server returns 200 with requires_2fa: true and a twofa_pending_login token. Then POST /auth/2fa/verify with that token + the 6-digit code → cookie session.
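
A client-side sketch of the flow above, added here as an example and not taken from the project's code. It shows that a 200 from /auth/login is not a session until ms_session is actually issued. The transport signature, the JSON request field names (email, password, twofa_pending_login, code) and the fake_api stand-in with its 401/404 responses are assumptions made for the example.

```python
import re

SESSION_COOKIE = "ms_session"        # cookie name from the page
CODE_RE = re.compile(r"[0-9]{6}")    # the 6-digit code


def login(post, email, password, get_code):
    """Run the login flow and return the ms_session value, or raise.

    post(path, json) -> (status, body, cookies) is a caller-supplied transport
    (assumption); request field names below are assumptions too.
    """
    status, body, cookies = post("/auth/login", {"email": email, "password": password})
    if status != 200:
        raise PermissionError(f"login rejected: HTTP {status}")
    if body.get("requires_2fa"):
        # This 200 is not an authenticated session; no cookie should exist yet.
        if SESSION_COOKIE in cookies:
            raise RuntimeError("session cookie issued before 2FA completed")
        code = get_code()
        if not CODE_RE.fullmatch(code):
            raise ValueError("2FA code must be exactly 6 digits")
        payload = {"twofa_pending_login": body["twofa_pending_login"], "code": code}
        status, body, cookies = post("/auth/2fa/verify", payload)
        if status != 200:
            raise PermissionError(f"2FA rejected: HTTP {status}")
    session = cookies.get(SESSION_COOKIE, "")
    if not session.startswith("ses_"):
        raise RuntimeError("no ms_session cookie issued")
    return session


def fake_api(twofa_enabled, good_code="123456"):
    """Constructed stand-in for the API (offline only; 401/404 are made up)."""
    def post(path, json):
        if path == "/auth/login":
            if json["password"] != "pw":
                return 401, {}, {}
            if twofa_enabled:
                return 200, {"requires_2fa": True, "twofa_pending_login": "pending-demo"}, {}
            return 200, {}, {SESSION_COOKIE: "ses_demo1"}
        if path == "/auth/2fa/verify":
            ok = json["twofa_pending_login"] == "pending-demo" and json["code"] == good_code
            return (200, {}, {SESSION_COOKIE: "ses_demo2"}) if ok else (401, {}, {})
        return 404, {}, {}
    return post
```

To run it against a real deployment, pass a post callable that wraps an HTTP client and returns the status, the parsed JSON body and the response cookies.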