CORS uses a two-step authentication flow to protect access to institutional data. You first submit your username and password, then verify your identity using a 6-digit code sent to your registered email address. On success, CORS issues a session token that authorizes all subsequent requests.

Authentication flow

The login process has two stages:
1. Submit credentials

Send your username and password to the /auth/login endpoint. If the credentials are correct, CORS sends a 6-digit verification code to your registered email address and returns a 2FA_REQUIRED status.
curl -X POST https://your-cors-instance.com/auth/login \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "password": "your-password"}'
Response
{
  "message": "2FA code sent to email requires verification",
  "status": "2FA_REQUIRED"
}
2. Verify the 2FA code

Check your email for the 6-digit code, then submit it along with your username to the /auth/verify endpoint. On success, CORS returns a JWT access token and your username.
curl -X POST https://your-cors-instance.com/auth/verify \
  -H "Content-Type: application/json" \
  -d '{"username": "admin", "code": "123456"}'
Response
{
  "access_token": "eyJ...",
  "token_type": "bearer",
  "username": "admin"
}

Browser authentication

When you log in through the CORS web interface, the access token is set automatically as an HttpOnly cookie and your session is maintained for you. You do not need to handle the token manually: the browser includes it with every subsequent request until you log out.

API authentication

If you are making programmatic requests directly to the CORS API, include the access token from the /auth/verify response as a Bearer token in the Authorization header:
curl https://your-cors-instance.com/api/some-endpoint \
  -H "Authorization: Bearer eyJ..."
Store the access_token value from the /auth/verify response securely. Do not expose it in client-side code, logs, or version control.

Logging out

To end your session, send a POST request to /auth/logout. This clears the session cookie and invalidates the current session.
curl -X POST https://your-cors-instance.com/auth/logout
Response
{
  "message": "Logged out successfully"
}
In the browser, clicking the logout button in the CORS interface performs this action automatically.

Error reference

Status code | Error detail | What it means
401 Unauthorized | Incorrect username or password | The username or password you submitted is wrong. Check your credentials and try again.
401 Unauthorized | Invalid or expired verification code | The 6-digit code was incorrect or has already been used. Request a new code by restarting the login flow.
404 Not Found | User not found | The username submitted in the /auth/verify step does not match a registered user. Contact your CORS administrator.
The 6-digit verification code is single-use. Once submitted — successfully or not — it cannot be reused. If verification fails, restart the login process from /auth/login to receive a new code.
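The two-step flow and the single-use rule above, as an added client example (not code from the CORS project). It prompts for the password without echo instead of placing it on a command line, restarts from /auth/login when a code is rejected, and logs only a redacted token. The names login, http_post and redact, the attempt limit of 3, and detecting success by the presence of access_token are assumptions of this example.

```python
import getpass
import json
import urllib.error
import urllib.request

BASE_URL = "https://your-cors-instance.com"  # placeholder host used on this page


class LoginFailed(Exception):
    """Raised when the flow cannot complete; the message never contains secrets."""


def http_post(path, payload):
    """POST JSON to the API and return (status_code, parsed_body)."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}  # error body format is not documented here, so ignore it


def login(username, get_password=getpass.getpass, get_code=input,
          post=http_post, max_attempts=3):
    """Run /auth/login then /auth/verify and return the access token."""
    password = get_password()  # prompted without echo, never placed in argv
    for _ in range(max_attempts):  # assumed limit; each pass triggers a new email
        status, body = post("/auth/login", {"username": username, "password": password})
        if status == 401:
            raise LoginFailed("incorrect username or password")
        if body.get("status") != "2FA_REQUIRED":
            raise LoginFailed(f"unexpected /auth/login response (HTTP {status})")
        status, body = post("/auth/verify", {"username": username, "code": get_code().strip()})
        if "access_token" in body:
            return body["access_token"]
        if status == 404:
            raise LoginFailed("user not found")
        # Any other failure: the code is single-use, so request a fresh one.
    raise LoginFailed("verification failed; attempt limit reached")


def redact(token):
    """Log-safe form of a token: a short prefix only."""
    return token[:4] + "..." if token else ""


if __name__ == "__main__":
    token = login(input("Username: "))
    print("Authenticated, token", redact(token))
```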

Security considerations

  • CORS sessions are time-limited. If your token expires, you will need to log in again.
  • Do not share your credentials or access token with other users. Each user should have their own CORS account.
  • If you suspect your account has been compromised, contact your CORS administrator immediately to have your credentials reset.
For automated scripts or integrations, use a dedicated service account rather than your personal credentials. Ask your CORS administrator to provision one.