Authentication (LLM Reference)
Status: Implemented (Milestone 7)
Endpoints
POST /api/auth/register { email, password }
POST /api/auth/login { email, password }
POST /api/auth/refresh { refreshToken }
POST /api/auth/logout { refreshToken }
Response
{ "token": "<jwt>", "refreshToken": "<opaque>", "user": { "id", "email", "role", "createdAt" } }
Protected CRUD
Authorization: Bearer <token>
Permissions (on collection JSON)
Rules: public (default), authenticated, owner, admin.
Owner rule requires user_id field; auto-set on create.
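Added example (not bakend's own code): a TypeScript sketch of how the four rules and the owner check on user_id could be evaluated. The per-action Permissions shape, the "admin" role value, the function names, and overwriting a client-supplied user_id on create are assumptions, not documented behaviour.

```typescript
// Hypothetical names throughout: Rule, Action, Permissions, canAccess, stampOwner.
type Rule = "public" | "authenticated" | "owner" | "admin";
type Action = "create" | "read" | "update" | "delete";

interface User { id: string; email: string; role: string; }
type Doc = Record<string, unknown>;

// Assumed shape: one rule per action on the collection JSON. A missing entry
// falls back to "public", the documented default.
type Permissions = Partial<Record<Action, Rule>>;

function canAccess(perms: Permissions, action: Action, user: User | null, doc?: Doc): boolean {
  const rule: Rule = perms[action] ?? "public";
  if (rule === "public") return true;
  if (user === null) return false;        // all other rules need a valid Bearer token
  if (rule === "authenticated") return true;
  if (rule === "admin") return user.role === "admin"; // assumed role value
  // rule === "owner". Assumption: admins get no implicit bypass here.
  if (action === "create") return true;   // no record yet; the owner is stamped below
  // A record without a string user_id has no owner: deny rather than compare undefined.
  if (doc === undefined) return false;
  const owner = doc["user_id"];
  return typeof owner === "string" && owner === user.id;
}

// Auto-set on create: user_id comes from the verified token, never from the
// request body, so a caller cannot create a record owned by someone else.
function stampOwner(body: Doc, user: User): Doc {
  return { ...body, user_id: user.id };
}
```

Leaving a rule unset makes that action public, so a collection that holds per-user data needs an explicit rule for every action it exposes.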
Events
auth.register, auth.login, auth.logout
Config
auth.jwtSecret, auth.accessTokenTtl, auth.refreshTokenTtl in bakend.json.
Env: BAKEND_AUTH_JWT_SECRET, BAKEND_ADMIN_EMAIL
Module
src/core/auth/create-auth-engine.ts, wired in start() as StartResult.auth.