The CORS API uses a two-step authentication flow. First, you submit your credentials to /auth/login. If they are valid, a 6-digit verification code is sent to the account’s registered email address. You then submit that code to /auth/verify to receive a signed JWT. Every subsequent API call must include that token.
The verification code is single-use and is invalidated immediately after a successful /auth/verify call.

POST /auth/login

Validates username and password credentials. On success, triggers a 6-digit verification code to be delivered to the user’s registered email address. The token is not returned at this step.

Request body

username (string, required): The account username.
password (string, required): The account password.

Responses

message (string): Human-readable status message confirming that the 2FA code was dispatched.
status (string): Always "2FA_REQUIRED" on success. Use this value to branch your client logic.

curl -X POST https://your-cors-instance.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "your-password"}'

POST /auth/verify

Validates the 6-digit email code and issues a signed JWT. The token is returned in the response body and set as an HttpOnly cookie named access_token.

Request body

username (string, required): The same username submitted to /auth/login.
code (string, required): The 6-digit verification code delivered to the user’s email address.

Responses

access_token (string): Signed JWT. Include this in the Authorization: Bearer header of all subsequent requests.
token_type (string): Always "bearer".
username (string): The authenticated user’s username, echoed back for client-side session storage.

curl -X POST https://your-cors-instance.com/auth/verify \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "code": "482931"}'

The access_token cookie is set automatically for browser-based clients. Non-browser clients (scripts, integrations) should extract the token from the response body and pass it as a Bearer token in the Authorization header on each subsequent request.

POST /auth/logout

Clears the access_token cookie from the browser session. No request body is required. Non-browser clients that stored the raw JWT should discard it client-side after calling this endpoint.

Responses

message (string): Confirmation string: "Logged out successfully".

curl -X POST https://your-cors-instance.com/auth/logout \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

Using the token

After a successful /auth/verify call, include the token in the Authorization header of every request to a protected endpoint:

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." \
  https://your-cors-instance.com/data/courses

Omitting the Authorization header on any endpoint other than /health returns 401 Unauthorized. Verify that you are sending the full Bearer <token> string, including the Bearer prefix.
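The two-step flow above as a non-browser client would drive it, as an added example that is not code from the CORS project. The function names, the injectable post transport and the stub responses are assumptions made for illustration; failure responses are not documented on this page, so anything other than the documented success fields is treated as an error.

```python
import json
import urllib.request

BASE_URL = "https://your-cors-instance.com"  # placeholder host from this page


def http_post(path, payload):
    """Default transport (assumed helper): POST JSON, return the decoded body."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


def login(username, password, post=http_post):
    """Step 1: submit credentials; branch on status == "2FA_REQUIRED"."""
    body = post("/auth/login", {"username": username, "password": password})
    if body.get("status") != "2FA_REQUIRED":
        raise RuntimeError("login did not reach the 2FA step")
    return body["status"]


def verify(username, code, post=http_post):
    """Step 2: exchange the 6-digit email code for the signed JWT."""
    code = str(code).strip()
    if len(code) != 6 or not (code.isascii() and code.isdigit()):
        raise ValueError("verification code must be exactly 6 digits")
    body = post("/auth/verify", {"username": username, "code": code})
    token = body.get("access_token")
    if not token or body.get("token_type") != "bearer":
        raise RuntimeError("verify response did not contain a bearer token")
    return token


def auth_header(token):
    """Header for protected endpoints; the "Bearer " prefix is required."""
    return {"Authorization": "Bearer " + token}


if __name__ == "__main__":
    # Constructed responses standing in for the server, so this runs offline.
    fake = {
        "/auth/login": {"message": "constructed", "status": "2FA_REQUIRED"},
        "/auth/verify": {"access_token": "constructed.jwt", "token_type": "bearer"},
    }
    stub = lambda path, payload: fake[path]
    login("admin", "your-password", post=stub)
    print(auth_header(verify("admin", "482931", post=stub)))
```

Against a real instance, drop the post=stub arguments so the default transport is used, and keep the returned token in memory only for as long as the session needs it.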