Validate JWT and issue session token
Validates JWT from auth server and issues session token.
**JWT Validation (security-critical order):**
1. Signature verification (ECDSA P-256)
2. Audience check (must match device serial number)
3. POH expiration check (`exp_poh` vs current POH)
4. Nonce validation (single-use, must be pending)
**Token Usage Types:**
- `cookie`: Sets HTTP-only cookie, returns success message
- `bearer`: Returns session token in body, no cookie set
**Security Properties:**
- All validation failures return HTTP 401 with no information leakage
- Nonce marked as used after successful validation
- Session tokens expire based on POH, not wall-clock time
- Cookie security: `http_only=True`, `same_site='Strict'`, `secure=True` (HTTPS)
Request
This endpoint expects an object.
token
JWT signed by auth server (ECDSA P-256)
token_usage
Token usage type:
- `cookie`: Session token delivered via HTTP-only cookie (browser clients)
- `bearer`: Session token delivered via Authorization Bearer header (API clients)
Response
Login successful (bearer token mode)
token
Session token for bearer authentication (base64url, 22 chars)
Errors
- `400`: Bad Request Error
- `401`: Unauthorized Error

