# auth

OAuth-based identity. **Do not roll your own crypto or session logic** — back this with Auth.js or Ory Kratos+Hydra.

## Responsibilities

- Google OAuth (Phase 0), Apple OAuth (Phase 0.5), extensible to others.
- Issue short-lived JWTs + rotating refresh tokens; HttpOnly cookies for web.
- Expose `GET /me` (who am I), `POST /logout`, OIDC-style `/.well-known` endpoints.

## Non-goals

- Password auth. Ever.
- User-profile data — that lives in `profile/`.
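The "rotating refresh tokens; HttpOnly cookies" responsibility above is the part most worth pinning down, because it is where a backing library can be misconfigured without anything visibly breaking. The following TypeScript is an added illustration of the semantics this service should get from Auth.js or Ory (single-use refresh tokens, reuse detection that revokes the whole token family, logout revoking the family, and a hardened `Set-Cookie` value). It is not this repository's code and not a substitute for the library; the `RotatingRefreshStore` class, the TTL values and the `/auth/refresh` cookie path are assumptions made for the example.

```typescript
// Added example: models the refresh-token rotation and cookie semantics the
// auth service expects from its backing library. Not the service's own code;
// the store, TTLs and cookie path are constructed for illustration.
import { randomBytes } from "crypto";

const ACCESS_TTL_SECONDS = 15 * 60;         // assumed short-lived access-token TTL
const REFRESH_TTL_SECONDS = 30 * 24 * 3600; // assumed refresh-token TTL

interface RefreshRecord {
  userId: string;
  family: string;    // every token descended from one login shares a family id
  used: boolean;     // set once the token has been exchanged
  expiresAt: number; // epoch milliseconds
}

type RotateResult =
  | { ok: true; userId: string; refreshToken: string; accessTtlSeconds: number }
  | { ok: false; reason: string };

class RotatingRefreshStore {
  private records = new Map<string, RefreshRecord>();
  private revokedFamilies = new Set<string>();

  private newToken(): string {
    return randomBytes(32).toString("base64url");
  }

  // Called after a successful OAuth login: start a fresh token family.
  issue(userId: string, now = Date.now()): { refreshToken: string; family: string } {
    const family = this.newToken();
    const refreshToken = this.newToken();
    this.records.set(refreshToken, {
      userId, family, used: false, expiresAt: now + REFRESH_TTL_SECONDS * 1000,
    });
    return { refreshToken, family };
  }

  // Exchange a refresh token for a new one. Each token is single-use: a token
  // presented twice was replayed (the usual sign of theft), so the whole family
  // is revoked and the legitimate client has to log in again.
  rotate(presented: string, now = Date.now()): RotateResult {
    const rec = this.records.get(presented);
    if (!rec) return { ok: false, reason: "unknown token" };
    if (this.revokedFamilies.has(rec.family)) return { ok: false, reason: "family revoked" };
    if (now >= rec.expiresAt) {
      this.records.delete(presented);
      return { ok: false, reason: "expired" };
    }
    if (rec.used) {
      this.revokedFamilies.add(rec.family);
      return { ok: false, reason: "reuse detected; family revoked" };
    }
    rec.used = true;
    const refreshToken = this.newToken();
    this.records.set(refreshToken, {
      userId: rec.userId, family: rec.family, used: false,
      expiresAt: now + REFRESH_TTL_SECONDS * 1000,
    });
    return { ok: true, userId: rec.userId, refreshToken, accessTtlSeconds: ACCESS_TTL_SECONDS };
  }

  // POST /logout: revoke the caller's family so no outstanding refresh token works.
  revokeFamily(family: string): void {
    this.revokedFamilies.add(family);
  }
}

// Set-Cookie value for the refresh token. HttpOnly keeps it away from script,
// Secure binds it to TLS, SameSite limits cross-site sends, and Path scopes it
// to the refresh endpoint so it is not sent with every request.
function refreshCookie(token: string, maxAgeSeconds = REFRESH_TTL_SECONDS): string {
  return `refresh_token=${token}; Path=/auth/refresh; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Lax`;
}

// Review check: does a Set-Cookie header carry the attributes the service requires?
function cookieIsHardened(setCookie: string): boolean {
  const attrs = setCookie.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return attrs.includes("httponly") && attrs.includes("secure") &&
    attrs.some((a) => a.startsWith("samesite="));
}
```

The family-revocation behaviour is the property to verify against whichever library is chosen: a replayed refresh token must not just be rejected, it must invalidate the tokens issued after it, otherwise a stolen token and the victim's current token can coexist indefinitely.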