Authentication
Website and desktop authentication flow, token handling, refresh behavior, and tier boundaries.
Account creation
Users register through the backend auth gateway. Supabase Auth owns email verification and password reset delivery through the configured SMTP provider.
POST https://chimeramind.com/api/v1/auth/register
Login and refresh
Website login sends platform and device context to the backend gateway. Refresh uses the backend /refresh route, with httpOnly cookie support when enabled by production config.
POST /api/v1/auth/login
POST /api/v1/auth/refresh
POST /api/v1/auth/logout
Scopes and tiers
Anonymous website pages use only public status, docs, contact, and release endpoints. Account, billing, portal, analytics, and developer-key operations require an authenticated session and backend tier checks.
Client storage
Access tokens are treated as session material. The frontend stores only the fields needed to restore the current session and clears state on backend logout or failed session validation.