- Remove middleware (no SSR auth check)
- AuthGuard component checks localStorage token
- Protected route group (protected) wraps all pages
- Login page is public
- All API calls use Authorization: Bearer header

- JWT via jose (HS256, 7d expiry)
- Login API: POST /api/auth/login → returns token
- Verify API: GET /api/auth/me
- Middleware checks Bearer header or cookie
- Token stored in localStorage + cookie (for SSR)
- Authentik button (disabled, placeholder)
- Auth headers auto-added to API requests
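
An added example, not the project's own code: the server-side check behind "Bearer header or cookie" for an HS256 token with a 7-day expiry, written with `node:crypto` instead of jose so it runs without dependencies. The secret, the cookie name `token` and all function names are assumptions made for illustration.

```javascript
// Added example: HS256 issue/verify using node:crypto as a stand-in for jose.
const crypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value, not from the page
const SEVEN_DAYS = 7 * 24 * 60 * 60;
const b64url = (buf) => Buffer.from(buf).toString("base64url");
const sign = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Issue a token as the login endpoint is described: HS256, 7d expiry.
function issueToken(sub, secret, now = Math.floor(Date.now() / 1000)) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify({ sub, iat: now, exp: now + SEVEN_DAYS }));
  const input = `${header}.${payload}`;
  return `${input}.${b64url(sign(input, secret))}`;
}

// Prefer "Authorization: Bearer <token>", then fall back to the cookie.
// The cookie name "token" is an assumption; the page does not name it.
function extractToken(headers) {
  const m = /^Bearer\s+(\S+)$/i.exec(headers.authorization || "");
  if (m) return m[1];
  for (const part of (headers.cookie || "").split(";")) {
    const [k, ...v] = part.trim().split("=");
    if (k === "token" && v.length) return v.join("=");
  }
  return null;
}

// Returns the claims, or null for a malformed, unsigned, forged or expired token.
function verifyToken(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = typeof token === "string" ? token.split(".") : [];
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], "base64url").toString());
    if (header.alg !== "HS256") return null; // pin the algorithm; rejects "none"
    const expected = sign(`${parts[0]}.${parts[1]}`, secret);
    const given = Buffer.from(parts[2], "base64url");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString());
    if (typeof claims.exp !== "number" || claims.exp <= now) return null;
    return claims;
  } catch {
    return null;
  }
}

// What a handler such as GET /api/auth/me would run on the request headers.
const authenticate = (headers, secret = SECRET, now) =>
  verifyToken(extractToken(headers), secret, now);
```
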