Skip to main content

Authentication

Website and desktop authentication flow, token handling, refresh behavior, and tier boundaries.

Account creation

Users register through the backend auth gateway. Supabase Auth owns email verification and password reset delivery through the configured SMTP provider.

POST https://chimeramind.com/api/v1/auth/register

Login and refresh

Website login sends platform and device context to the backend gateway. Refresh uses the backend /refresh route, with httpOnly cookie support when enabled by production config.

POST /api/v1/auth/login
POST /api/v1/auth/refresh
POST /api/v1/auth/logout

Scopes and tiers

Anonymous website pages use only public status, docs, contact, and release endpoints. Account, billing, portal, analytics, and developer-key operations require an authenticated session and backend tier checks.

Client storage

Access tokens are treated as session material. The frontend stores only the fields needed to restore the current session and clears state on backend logout or failed session validation.