Auth
The auth system uses passwordless magic links. Users authenticate by email — no passwords, no OAuth flows.
Base path: /auth
Endpoints
Request magic link
Send a login link to the user’s email address.
```http
POST /auth/request
Content-Type: application/json

{ "email": "user@example.com" }
```
Response
```json
{ "ok": true, "message": "Magic link sent" }
```
The link expires after 15 minutes. If the user does not click it within that window, repeat the request.
Handle callback
This endpoint is called automatically when the user clicks the magic link. It validates the token and sets the session cookie.
```http
GET /auth/callback?token=...&email=...
```
On success, redirects to the application with the `mn_session` cookie set. On failure, returns 401.
In browser-based integrations, you do not need to call this endpoint manually — the redirect handles it. For server-side integrations, capture the Set-Cookie header from the callback response.
Logout
Invalidate the current session.
```http
POST /auth/logout
Cookie: mn_session=...
```
Response
```json
{ "ok": true }
```
The `mn_session` cookie is cleared in the response.
Current user
Retrieve the authenticated user for the current session. Useful for confirming session state.
```http
GET /me
Cookie: mn_session=...
```
Response
```json
{ "id": 42, "email": "user@example.com", "role": "user", "has_map": false }
```
Response fields
| Field | Type | Description |
|---|---|---|
| id | integer | User ID |
| email | string | Email address |
| role | string | "user" or "admin" |
| has_map | boolean | Whether the user has purchased the MN Situation Map |
Session lifetime
Sessions are valid for 30 days from the last active request. There is no token refresh — users re-authenticate via a new magic link when their session expires.
Integration notes
- The `mn_session` cookie is `HttpOnly`, `Secure`, and `SameSite=Lax`. It cannot be read by client-side JavaScript.
- For single-page application integrations, use `GET /me` to confirm session state on page load.
- If you are building a server-side integration, proxy all auth requests through your backend to avoid exposing session cookies to the client.
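A server-side client for the flow above (request the link, fetch the callback URL yourself and capture `mn_session` from `Set-Cookie`, then confirm the session with `GET /me`), added here as an example and not part of the API's own docs or SDK. The `send(method, url, headers, body)` transport, the host in `BASE`, and the `stub_server` that stands in for the real service are assumptions; a real transport must not follow the callback redirect, or the `Set-Cookie` header is lost.

```python
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlparse
BASE = "https://api.example.com"  # assumed host; the docs only give the /auth base path

class SessionError(Exception):
    """Raised when any step of the magic-link flow fails."""

def request_magic_link(send, email):
    # POST /auth/request; the server emails the link, there is nothing to capture here.
    status, _, body = send("POST", f"{BASE}/auth/request",
                           {"Content-Type": "application/json"}, json.dumps({"email": email}))
    data = json.loads(body)
    if status != 200 or not data.get("ok"):
        raise SessionError(f"magic link request failed: HTTP {status} {body}")
    return data["message"]

def complete_callback(send, link):
    # Server-side integration: fetch the link without following the redirect and
    # read mn_session out of Set-Cookie; a 401 means the token is expired or invalid.
    status, headers, _ = send("GET", link, {}, None)
    if status == 401:
        raise SessionError("token rejected: expired (15 minute window) or invalid")
    jar = SimpleCookie()
    jar.load(headers.get("Set-Cookie", ""))
    if "mn_session" not in jar:
        raise SessionError("callback succeeded but set no mn_session cookie")
    return jar["mn_session"].value

def current_user(send, session):
    # GET /me with the cookie confirms the session is still live (30-day idle limit).
    status, _, body = send("GET", f"{BASE}/me", {"Cookie": f"mn_session={session}"}, None)
    if status != 200:
        raise SessionError(f"session not valid: HTTP {status}")
    return json.loads(body)

# Constructed stand-in for the real server so the flow runs offline (not the real API).
VALID_TOKEN, SESSION = "tok-good", "sess-abc"
def stub_server(method, url, headers, body):
    parsed = urlparse(url)
    if (method, parsed.path) == ("POST", "/auth/request"):
        return 200, {}, json.dumps({"ok": True, "message": "Magic link sent"})
    if (method, parsed.path) == ("GET", "/auth/callback"):
        if parse_qs(parsed.query).get("token") != [VALID_TOKEN]:
            return 401, {}, ""
        return 302, {"Set-Cookie": f"mn_session={SESSION}; HttpOnly; Secure; SameSite=Lax"}, ""
    if (method, parsed.path) == ("GET", "/me") and headers.get("Cookie") == f"mn_session={SESSION}":
        return 200, {}, json.dumps({"id": 42, "email": "user@example.com", "role": "user", "has_map": False})
    return 401, {}, ""
```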