API: Auth
POST /v1/admin/auth/login
Section titled “POST /v1/admin/auth/login”Permission: none (public endpoint).
Request:
{ "email": "admin@twistcue.local", "password": "twistcue-admin-dev"}Response 200:
{ "access_token": "eyJhbGciOi...", "admin": { "id": "0193...", "email": "admin@twistcue.local", "name": "Admin", "role": "superadmin", "permissions": ["*"] }}Sets an HttpOnly cookie tc_admin_token on the response.
Response 401:
{ "statusCode": 401, "error": "invalid_credentials" }Response 403:
{ "statusCode": 403, "error": "admin_disabled" }Session lifetime
Section titled “Session lifetime”- JWT
exp: 12 hours. - Cookie
Max-Agematches. token_versionclaim: if the admin’s DBtoken_versionis bumped (e.g. after a force-logout), the token is rejected on the next request.
Using the token
Section titled “Using the token”# Header stylecurl -H "Authorization: Bearer $TOKEN" https://api.twistcue.local/v1/admin/users
# Cookie style (browser default)curl --cookie "tc_admin_token=$TOKEN" https://api.twistcue.local/v1/admin/users