API Usage

Short-lived JWTs with refresh tokens and rotation.

• Login: POST /api/auth/login
• MFA verify: POST /api/auth/mfa
• SMS login: POST /api/auth/sms/request + /api/auth/sms/verify
• Refresh: POST /api/auth/refresh
• Mobile browser SSO handoff: POST /api/auth/mobile/browser-handoff
• Introspect: POST /oauth/introspect
• Revoke: POST /oauth/revoke
• App role sync: POST /api/apps/sync

Service-to-service

• Use client credentials grant with /oauth/token.
• Sync app roles with apps.sync scope + mTLS binding.
• Protect internal APIs with mTLS where required.