Authentication

Session cookies after Authentik OIDC (Google for end users).

Browser clients use GET /api/auth/login to start OIDC and GET /api/auth/callback to complete the flow. The server sets an HttpOnly session cookie. Log out with GET /api/auth/logout.

GET /api/auth/login
GET /api/auth/callback?code=...
GET /api/auth/logout
API routes do not accept API keys yet. Integrations should use the logged-in session or wait for future programmatic access.