- JWT via jose (HS256, 7d expiry)
- Login API: POST /api/auth/login → returns token
- Verify API: GET /api/auth/me
- Middleware checks Bearer header or cookie
- Token stored in localStorage + cookie (for SSR)
- Authentik button (disabled, placeholder)
- Auth headers auto-added to API requests

- Login page with form
- Middleware redirects unauthenticated to /login
- Cookie session (7 days)
- Credentials via AUTH_USER/AUTH_PASS env vars
- Default: admin/teamboard
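
The middleware checks listed above (Bearer header or cookie, HS256, 7-day expiry, default credentials), as an added example that is not the project's own code. It uses Node's built-in `crypto` instead of jose so it runs without dependencies; the cookie name `token` and all function names are assumptions.

```javascript
// Added example: Node's built-in crypto stands in for jose here.
const crypto = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");

// Sign an HS256 token; expiry defaults to the 7 days listed in the notes.
function signToken(claims, secret, now = Date.now(), ttlSec = 7 * 24 * 3600) {
  const iat = Math.floor(now / 1000);
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ ...claims, iat, exp: iat + ttlSec }));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Verify signature, pinned algorithm and expiry. Returns the claims or null.
function verifyToken(token, secret, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    const header = JSON.parse(Buffer.from(head, "base64url").toString());
    if (header.alg !== "HS256") return null; // reject "none" and any other alg
    const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
    const given = Buffer.from(sig, "base64url");
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(body, "base64url").toString());
    if (typeof claims.exp !== "number" || claims.exp * 1000 <= now) return null;
    return claims;
  } catch {
    return null; // malformed header or payload
  }
}

// Middleware step: take the token from the Bearer header, else from the cookie.
// The cookie name "token" is an assumption; the notes do not name it.
function extractToken(headers, cookieName = "token") {
  const auth = headers.authorization || "";
  if (auth.startsWith("Bearer ")) return auth.slice(7).trim();
  const m = (headers.cookie || "").match(new RegExp(`(?:^|;\\s*)${cookieName}=([^;]+)`));
  return m ? m[1] : null;
}

// Startup check: true when AUTH_USER/AUTH_PASS still resolve to admin/teamboard.
function credentialsAreDefault(env) {
  const user = env.AUTH_USER ?? "admin";
  const pass = env.AUTH_PASS ?? "teamboard";
  return user === "admin" && pass === "teamboard";
}
```

A deployment can call `credentialsAreDefault(process.env)` at startup and refuse to serve until both variables are set to non-default values.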