Auth and CORS
JWT auth is configured via auth settings (and env overrides for secrets).
For public browser clients, configure cors.allowedOrigins.
Deep dive
- Reference: JWT env vars, CORS env vars, auth config, cors config
- Code: Authenticator, Middleware chain
- Error format: Problem+JSON