Verify credentials, mint a fresh session-class API key.
The plaintext API key is returned in the body and mirrored
in an HttpOnly, Secure, SameSite=Lax cookie. Browser
clients let the cookie ride along; programmatic clients ignore
the cookie and use the body. Both shapes resolve to the same
auth pipeline server-side.
A successful login does NOT require email-verified status — the user may log in to manage their account, but privileged actions stay 403’d until verification per ADR 0020 §“Email-verification gating”.
Successful Response
Returned on successful login.
api_key is a fresh rk_* key with a 24h sliding expiry, ready
to be sent as Authorization: Bearer ... (programmatic clients)
or stored as an HttpOnly cookie (the browser flow does this for
the user automatically — see Set-Cookie on the login response).
email_verified_at is forwarded so the UI can render the
"verify your email" banner without an extra round-trip.
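To make the behaviour described above concrete, here is an added example (not the roughy.ai service's own code) modelling the login response and the shared auth pipeline: a fresh rk_* key mirrored into an HttpOnly/Secure/SameSite=Lax cookie, Bearer-header and cookie requests resolving to one authenticate() step, a 24h sliding expiry, and 403 on privileged routes until the email is verified. The cookie name, the privileged route set, the in-memory session store and all function names are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Optional
SLIDING_TTL = 24 * 3600          # 24h sliding expiry (from the page)
COOKIE_NAME = "api_key"          # assumption: the page does not name the cookie
PRIVILEGED = {"/admin/export"}   # assumption: stand-in for verification-gated routes
_sessions: dict = {}             # api_key -> Session; in-memory stand-in for the real store

@dataclass
class Session:
    user: str
    email_verified_at: Optional[float]   # None until the address is verified
    last_seen: float

def login(user: str, email_verified_at: Optional[float], now: float) -> dict:
    """Credentials already verified: mint a fresh rk_* key, return body + Set-Cookie."""
    key = "rk_" + secrets.token_urlsafe(32)
    _sessions[key] = Session(user, email_verified_at, now)
    cookie = f"{COOKIE_NAME}={key}; Path=/; Max-Age={SLIDING_TTL}; HttpOnly; Secure; SameSite=Lax"
    return {"body": {"api_key": key, "email_verified_at": email_verified_at},
            "set_cookie": cookie}

def key_from_request(headers: dict, cookies: dict) -> Optional[str]:
    """Bearer header (programmatic clients) first, cookie (browser clients) as fallback."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        return auth[len("Bearer "):].strip()
    return cookies.get(COOKIE_NAME)

def authenticate(headers: dict, cookies: dict, now: float) -> Optional[Session]:
    """Both shapes resolve here; enforce the rk_ prefix and the sliding window."""
    key = key_from_request(headers, cookies)
    if not key or not key.startswith("rk_"):
        return None
    sess = _sessions.get(key)
    if sess is None or now - sess.last_seen > SLIDING_TTL:
        _sessions.pop(key, None)   # unknown, or idle longer than 24h: not a live session
        return None
    sess.last_seen = now           # every authenticated use extends the window
    return sess

def handle(route: str, headers: dict, cookies: dict, now: float) -> int:
    """HTTP status: 401 with no valid key, 403 on privileged routes until verified."""
    sess = authenticate(headers, cookies, now)
    if sess is None:
        return 401
    if route in PRIVILEGED and sess.email_verified_at is None:
        return 403
    return 200
```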