# Authentication

[back to index](../README.md)

How sessions work. Login to get a token, send it on every request, logout when done. Not that hard, see?

## Pages

- [Login](login.md) `POST /auth/login`: authenticate and get a session token
- [Logout](logout.md) `POST /auth/logout`: kill your session
- [Status](status.md) `GET /auth/status`: check if your session is still alive and when it expires
- [Clear Sessions](clear_sessions.md) `POST /auth/clear-sessions`: admin: nuke all sessions for a specific user

## How it works

1. call `/auth/login` with credentials using your sign-in method
2. get a magic session token back
3. send that token as `Authorization: Bearer <token>` on every damn request after that
4. when you're done call `/auth/logout` to kill your session
5. sessions expire after a configurable timeout if you don't use them

Sessions should optionally be able to persist across server restarts (server should only store a hash of the token in the database, never the raw token itself, obviously). On restart it loads those hashes back.

Each user should have a max number of concurrent sessions (configurable). When you go over the limit the oldest session gets deported to hell automatically to make room for the new one.
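
The session rules above (hash-only storage, idle timeout, per-user limit with oldest-first eviction, reload after restart) as an added sketch; this is not the project's own code. `SessionStore`, its method names, the defaults, the row layout and the use of SHA-256 are all assumptions, and the `rows` dict stands in for the database table.

```python
import hashlib
import secrets
import time

class SessionStore:
    """Added example. Class name, defaults and row layout are assumptions."""

    def __init__(self, max_sessions=3, idle_timeout=1800, rows=None, clock=time.time):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout
        self.clock = clock
        # token_hash -> row: the only state a restart reloads, never a raw token.
        self.rows = dict(rows or {})

    @staticmethod
    def _hash(token):
        # Tokens are 256-bit random values, so an unsalted SHA-256 is enough.
        return hashlib.sha256(token.encode()).hexdigest()

    def _alive(self, row, now):
        return now - row["last_seen"] <= self.idle_timeout

    def login(self, user):
        now = self.clock()
        # Drop idle sessions first so they do not count against the limit.
        self.rows = {h: r for h, r in self.rows.items() if self._alive(r, now)}
        # Dicts keep insertion order, so the first match is the oldest session.
        mine = [h for h, r in self.rows.items() if r["user"] == user]
        for h in mine[: max(0, len(mine) - self.max_sessions + 1)]:
            del self.rows[h]
        token = secrets.token_urlsafe(32)
        self.rows[self._hash(token)] = {"user": user, "last_seen": now}
        return token  # raw token goes to the client and is never stored

    def validate(self, token):
        """Return (user, expires_at) and refresh the idle timer, or None."""
        now, h = self.clock(), self._hash(token)
        row = self.rows.get(h)
        if row is None or not self._alive(row, now):
            self.rows.pop(h, None)
            return None
        row["last_seen"] = now
        return row["user"], now + self.idle_timeout

    def logout(self, token):
        return self.rows.pop(self._hash(token), None) is not None

    def clear_sessions(self, user):
        self.rows = {h: r for h, r in self.rows.items() if r["user"] != user}
```

Because lookups go through the hash, a leaked copy of the table gives an attacker nothing they can put in a `Bearer` header.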